EP1290531A2 - Network agent password storage and retrieval scheme - Google Patents

Network agent password storage and retrieval scheme

Info

Publication number
EP1290531A2
Authority
EP
European Patent Office
Prior art keywords
password
encryption key
network agent
recited
decryptor
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP01941359A
Other languages
German (de)
French (fr)
Inventor
Stéphane DESROCHERS
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Telefonaktiebolaget LM Ericsson AB
Original Assignee
Telefonaktiebolaget LM Ericsson AB
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
                    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
                        • G06F21/31 User authentication
                            • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
                    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
                        • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
                            • G06F21/73 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
                        • G06F21/82 Protecting input, output or interconnection devices
                            • G06F21/85 Protecting input, output or interconnection devices interconnection devices, e.g. bus-connected or in-line devices
                • G06F2211/00 Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
                    • G06F2211/007 Encryption, En-/decode, En-/decipher, En-/decypher, Scramble, (De-)compress

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

A password storage and retrieval system (8) for secure authentication and management of network agents (10). The password storage and retrieval system (8) includes a memory unit (18) and, in a network agent (10), a decryptor (12), an encryptor (14), and an encryption key (16). The decryptor (12) uses a symmetrical algorithm and an encryption key (16) to decrypt an encrypted password related to the network agent (10) to thereby obtain a decrypted password. The same symmetrical algorithm was previously used to encrypt the password with the key and store the encrypted password. In a preferred embodiment of the invention, the encryption key (16) is hard-coded in the network agent (10), and the memory unit (18) for the encrypted password is a designated directory easily accessible to the network agent (10). An obvious advantage of this invention is that in order to break through the system, a person would need to obtain at least two pieces of information; that is, the encryption key (16) and the encrypted password.

Description

Network Agent Password Storage and Retrieval Scheme
FIELD OF THE INVENTION
The present invention relates to a network agent password storage and retrieval scheme. More specifically, the present invention is concerned with a password storage and retrieval system and method, for network agents.
BACKGROUND OF THE INVENTION
As with human users, network agents need to use password(s) to be authorised to perform certain routines with other devices or components. For human users, a standard procedure is to use a password that is memorised and stored in a password database in the network. A system or device for which the user is required to use his/her password also uses the password database. The procedure begins with a user giving his password to the system or device, which will then compare the password with the corresponding password stored in the password database. If a match occurs, then the user is authorised.
In a similar manner, in a multi-component network, network agents that need to perform routines with other network components (also referred to herewith sometimes as authenticating devices) are requested to provide their identification and password to the authenticating device. The network agent therefore needs to store its password (also referred to herewith as an agent-authenticating password) in a memory location of some sort.
One possible memory location implementation is to use a central database that is accessible to all agents, components or devices in the network. This solution is not very practical since any agent, component, or device, whether it is hostile or not, has access to all the network agent passwords. Indeed, a component needing access to the database to obtain a password must be able to obtain it without having to provide its own password. Additionally, the passwords cannot be encrypted since this involves the use of a password for decryption and the network agent does not have one prior to accessing the central database.
Another solution consists in hard-coding the password within the network agent's code. Unfortunately, this solution renders the network agent very inflexible because its password cannot be changed easily. In addition, if the agent's code is stolen, it can be decompiled and the password extrapolated from the decompiled code.
Yet another proposition consists of storing the password in a file located "close" to the network agent to which it belongs. The file can be placed in a special directory such that it is only accessible to the network agent. However, this prior art proposition stores the password as clear text in the file. Hence, the file can easily be stolen and the clear-text password obtained from it.
OBJECTS OF THE INVENTION
An object of the present invention is therefore to overcome the problems of the prior art and, more specifically, to securely provide password storage and retrieval for a network agent.
SUMMARY OF THE INVENTION
More specifically, in accordance with a first aspect of the present invention, there is provided a password storage and retrieval system for a network agent. The password storage and retrieval system has a memory unit in which an encrypted password related to the network agent is stored, an encryption key related to the network agent and a decryptor for decrypting the encrypted password into a decrypted password for the network agent. The decryptor has access to the encryption key and the memory unit, and includes a password-decrypting algorithm compatible with the encryption key. The decryptor decrypts, in relation to the encryption key, the encrypted password using the password-decrypting algorithm.
Advantageously, the password storage and retrieval system further comprises an encryptor for encrypting an agent password into the encrypted password. The encryptor has access to the encryption key and includes a password-encrypting algorithm compatible with the encryption key. The encryptor encrypts, in relation to the encryption key, the agent password into the encrypted password stored in the memory unit using the password-encrypting algorithm.
In accordance with a third aspect of the invention, there is provided a network agent capable of being authenticated by an authenticating device, and to which is associated an encrypted password stored in a memory unit. The network agent comprises an encryption key related to the network agent, and a decryptor of the encrypted password into a decrypted password authenticating the network agent. The decryptor is connected to the encryption key and the memory unit, and includes a password-decrypting algorithm compatible with the encryption key. The decryptor decrypts, in relation to the encryption key, the encrypted password using the password-decrypting algorithm.
Finally, the present invention is concerned with a method for password storage and retrieval for a network agent, the method comprising steps for storing an encryption key related to the network agent, storing an encrypted password related to the network agent in a memory unit, retrieving, from the memory unit, the encrypted password, reading the encryption key, and decrypting, in relation to the encryption key, the encrypted password into a decrypted password for the network agent.
Advantageously, the password storage and retrieval method further comprises encrypting an agent-authenticating password into the encrypted password in relation to the encryption key, and storing the encrypted password in the memory unit.
An obvious advantage of this invention is that in order to break through the system, a person would need to obtain at least two pieces of information; that is, the encryption key and the encrypted password.
Other objects, advantages and features of the present invention will become more apparent upon reading of the following non-restrictive description of a preferred embodiment thereof, given by way of example only with reference to the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
The invention will be better understood and its numerous objects and advantages will become more apparent to those skilled in the art by reference to the following drawings, in conjunction with the accompanying specification, in which, like numerals denote like parts:
Figure 1 is a schematic block diagram of a partial view of a multi-component network including a network agent password storage and retrieval system according to an embodiment of the present invention;
Figure 2 is a flow chart illustrating operation of the password storage and retrieval system of Figure 1; and
Figure 3 is a flow chart illustrating a method for changing the password in the password storage and retrieval system of Figure 1.
DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT
Figure 1 of the appended drawings illustrates a preferred embodiment of the network agent password storage and retrieval system 8 according to the present invention.
Referring to Figure 1, a password storage and retrieval system 8 is shown in interaction with a network agent 10. The network agent may consist, without being limited thereto, of a node of a network, of a module of a node of the network, of a procedure or function of one of the modules of the node of the network. As a non-limitative example, the network agent 10 is a network agent performing a predetermined function in the network. The predetermined function may include, in particular but not exclusively, at least one of the following functions: a management function, a control function, a verification function, a signalling function, a monitoring function, etc. Therefore, the network agent 10 includes additional circuitry, or network agent logic 6, for carrying out its function(s) in the network.
Furthermore, for exemplary purposes only, the network agent 10 is shown to be in interaction with an authenticating device 34, which typically requires a password from the network agent 10 to authenticate the network agent. However, the network agent 10 could alternatively be in interaction with any node requiring a password from the network agent 10, other than the authenticating device 34. Also, those of ordinary skill in the art will understand that the block diagram of Figure 1 may form part of a more elaborate network comprising many other network agents or devices (not shown).
The password storage and retrieval system 8 includes within the network agent 10 itself, a decryptor 12, an encryptor 14 and an encryption key 16. The password storage and retrieval system 8 also includes a memory unit 18 in which is stored an encrypted password 7 associated with the network agent 10.
The decryptor 12 and encryptor 14 use a symmetrical encrypting mechanism, as well known to those skilled in the art. The decryptor 12 and the encryptor 14 have access to the encryption key 16 through a link 20, so that the encryption key 16 related to the network agent 10 is accessible to both the decryptor 12 and the encryptor 14. Preferably, the encryption key 16 is accessible only by the network agent 10 or by its intricate components.
The encryption key 16 is preferably hard-coded, or intertwined within the code of the network agent 10. In an alternate manner, it is also within the scope of the present invention to use any type of memory circuit and/or data memory support suitable for storing the encryption key 16, which will ensure that the encryption key 16 is accessible only by the network agent 10. For example, in another preferred embodiment, the encryption key 16 is stored in a read-only memory (ROM) (not shown).
The memory unit 18 may store the encrypted password for only one network agent, or alternatively, encrypted passwords associated with two or more network agents (not shown) similar to network agent 10 could be stored in memory unit 18. Although being shown on Figure 1 as being independent from the network agent 10, the memory unit 18 could alternatively form part of the network agent 10, or be hosted by one or several other network components or nodes (not shown) with which the network agent 10 communicates. Alternatively, a dedicated directory or software file accessible only by the network agent 10 may constitute memory unit 18. Again, it is within the scope of the present invention to use any other type of memory circuit and/or persistent data memory support suitable for storing the encrypted password. However, in a preferred embodiment of the invention, the memory unit 18 is a software file that stores the encrypted password, along with a network agent-identifying portion (e.g., identification numbers, letters, code, etc.) for the network agent 10.
Still referring to Figure 1, and as previously indicated, for exemplary purposes only, an authentication device 34 is shown. The authentication device 34 is connected to the network agent 10 through bi-directional link 28. The principal functions of the authentication device 34 are to receive the authenticating password from the network agent 10 and to compare the received password with an expected result.
Thus, in accordance with the present invention, a password is encrypted and stored in the memory unit 18. When the network agent 10 performs tasks that require its password, the password storage and retrieval system 8 is used. Its decryptor 12 accesses the memory unit 18 to obtain the encrypted password 7, obtains the encryption key 16 through the link 20, and applies the encryption key 16 to its encryption software (not shown), to decrypt the encrypted password 7 into an unencrypted password that can be used by the network agent.
More precisely, for storing an encrypted password in the memory unit 18 of the network agent 10, the first operation consists of choosing a password 36 and supplying it to the network agent 10, or alternatively to the password storage and retrieval system 8 of the network agent 10. The network agent 10 includes circuits (not shown) to transmit the new password to the encryptor 14. The encryptor 14 includes an algorithm compatible with the encryption key 16. As previously indicated, the algorithm is a symmetrical algorithm. Symmetrical algorithms are well known to those of ordinary skill in the art and, accordingly, will not be further described in the present specification. The encryptor 14 accesses the encryption key 16 through link 20 to encrypt the chosen password 36 in relation to the encryption key 16. Following encryption of the chosen password 36, this encrypted password is transmitted from the encryptor 14 to the memory unit 18 through circuits (not shown) of the network agent 10, where it is stored in memory unit 18 for later use.
Referring to Figures 1 and 2, when the network agent wishes to authenticate itself to the authenticating device 34 (step 202) or any other device in order to obtain the permission to perform a certain operation, which requires from the network agent 10 its password, the network agent 10 proceeds to retrieve its password (step 204). For doing so, the decryptor 12 obtains the encrypted password 7 related to the network agent 10 from the memory unit 18 through a link 24 (step 204). The decryptor 12 then decrypts the encrypted password in relation to the encryption key 16 using the algorithm (a symmetrical algorithm in the preferred embodiment) previously used by the encryptor 14 to encrypt the password (step 206).
Finally, in steps 208 and 210, the decryptor 12 forwards the decrypted password to the authenticating device 34 through the circuits (not shown) of the network agent 10 and the link 28, and the network agent continues its regular operation. As known to those skilled in the art, the authenticating device 34 then compares the password received from the decryptor 12 with an expected result stored therein. When a match exists between the password and the expected result, the network agent 10 is authenticated and the permission(s) are granted. If no match exists, the network agent is not authenticated.
Referring to Figures 1 and 3, there is shown a method for changing the current encrypted password 7 of the password storage and retrieval system 8. In step 302, the network agent 10 receives the new password 36. The new password 36 is transmitted to the network agent using a secure mechanism like Kerberos, so that the password storage and retrieval system 8 may verify that the new password 36 being submitted comes from an authorized party. If the party requesting the password change is authorized (step 306), then the new password 36 is encrypted with the encryptor 14 using the encryption key 16 (step 307). This new encrypted password then replaces the currently encrypted password stored in memory unit 18 (step 310). Of course, those of knowledge in the art will understand that upon a password change, the nodes of the network, such as the authenticating device 34, will have to be notified of the change so that they may update their expected result for the network agent 10 with the new password (step 312). Step 312 may be performed by the user, the agent 10 or a tool of the agent (not shown).
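The storage, retrieval, authentication and password-change flows described above, written out as an added Python example that is not code from the patent. The HMAC-SHA256 counter-mode cipher is a constructed stand-in for the unnamed "symmetrical algorithm", the `authorized` flag stands in for the Kerberos check of step 306, and the authenticating device keeps a digest of the password as its expected result.

```python
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed stand-in for the patent's "symmetrical algorithm": HMAC-SHA256 in counter mode.
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, b"\x00" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

class PasswordStore:
    """Memory unit 18 together with encryptor 14 and decryptor 12 (constructed example)."""
    def __init__(self, key: bytes, agent_id: bytes) -> None:
        self._key = key                 # encryption key 16, fixed inside the agent (claims 3 to 5)
        self.agent_id = agent_id        # agent-identifying portion kept in the memory unit (claim 10)
        self.encrypted_password = b""   # encrypted password 7; only ciphertext is ever stored
    def store(self, password: bytes) -> None:
        # Encryptor 14: encrypt the chosen password 36 in relation to key 16 (steps 307 and 310).
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(password, _keystream(self._key, nonce, len(password))))
        tag = hmac.new(self._key, b"\x01" + nonce + ct, hashlib.sha256).digest()
        self.encrypted_password = nonce + ct + tag
    def retrieve(self) -> bytes:
        # Decryptor 12 (steps 204 to 206): read encrypted password 7 and decrypt it under key 16.
        blob = self.encrypted_password
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self._key, b"\x01" + nonce + ct, hashlib.sha256).digest()):
            raise ValueError("stored password blob is corrupt or was altered")
        return bytes(a ^ b for a, b in zip(ct, _keystream(self._key, nonce, len(ct))))

class Authenticator:
    """Authenticating device 34: one expected result per agent, compared in steps 208 to 210."""
    def __init__(self) -> None:
        self._expected = {}
    def set_expected(self, agent_id: bytes, password: bytes) -> None:
        self._expected[agent_id] = hashlib.sha256(password).digest()   # keep a digest, not the password
    def authenticate(self, agent_id: bytes, password: bytes) -> bool:
        expected = self._expected.get(agent_id)
        return expected is not None and hmac.compare_digest(expected, hashlib.sha256(password).digest())

def change_password(store: PasswordStore, auth: Authenticator, new_password: bytes, authorized: bool) -> bool:
    # Figure 3: the patent checks the requester with Kerberos (step 306); `authorized` is a constructed flag.
    if not authorized:
        return False
    store.store(new_password)                      # steps 307 and 310: re-encrypt and replace
    auth.set_expected(store.agent_id, new_password)  # step 312: the authenticating device follows the change
    return True
```

Because the claims place key 16 inside the agent, the two pieces named at the end of the description (the key and the encrypted password) both live on the same device in this example, which is the point to weigh when deciding where the key is kept.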
Those skilled in the art will appreciate that a particular advantage of the present invention is that, in order to break through the system, one needs to obtain at least two pieces of information: the encryption key 16, and the encrypted password 7 from memory unit 18.
Although the present invention has been described hereinabove by way of a preferred embodiment thereof, this embodiment can be modified at will, within the scope of the appended claims, without departing from the spirit and nature of the subject invention.

Claims

WHAT IS CLAIMED IS:
1. A password storage and retrieval system for a network agent comprising: a) a memory unit in which an encrypted password related to the network agent is stored; b) an encryption key related to the network agent; and c) a decryptor for retrieving the encrypted password into a decrypted password for the network agent, said decryptor having access to the encryption key and the memory unit, and including a password-decrypting algorithm compatible with the encryption key, wherein said decryptor decrypts, in relation to said encryption key, the encrypted password using said password decrypting algorithm.
2. A password storage and retrieval system as recited in claim 1, wherein the memory unit is connected to the decryptor through the network agent.
3. A password storage and retrieval system as recited in claim 1, wherein said encryption key and said decryptor are located in said network agent.
4. A password storage and retrieval system as recited in claim 1, wherein said network agent comprises hard-code incorporating said encryption key.
5. A password storage and retrieval system as recited in claim 1, wherein said network agent comprises a read-only memory incorporating said encryption key.
6. A password storage and retrieval system as recited in claim 1, further comprising an encryptor, said encryptor having access to the encryption key and including a password-encrypting algorithm compatible with said encryption key, wherein said encryptor encrypts, in relation to the encryption key, an unencrypted password into the encrypted password stored in the memory unit using said password-encrypting algorithm.
7. A password storage and retrieval system as recited in claim 6, wherein said decryptor and encryptor have access to the encryption key through exclusive dedicated connections thereby restricting access to said encryption key to said decryptor and said encryptor.
8. A password storage and retrieval system as defined in claim 6, wherein the password-encrypting algorithm is a symmetrical algorithm.
9. A password storage and retrieval system as recited in claim 1, wherein the password-decrypting algorithm is a symmetrical algorithm.
10. A password storage and retrieval system as recited in claim 1, wherein a network agent-identifying portion is further stored in said memory unit.
11. A network agent capable of being authenticated by a network authentication device and to which is associated an encrypted password stored in a memory unit, said network agent comprising: a) means for performing a predetermined function on the network; b) an encryption key related to the network agent; and c) a decryptor of the encrypted password into a decrypted password authenticating the network agent, said decryptor having access to the encryption key and the memory unit, and including a password-decrypting algorithm compatible with the encryption key, wherein said decryptor decrypts, in relation to said encryption key, the encrypted password using said password-decrypting algorithm.
12. A network agent as recited in claim 11, wherein the memory unit is connected to the decryptor through the network agent.
13. A network agent as recited in claim 11, wherein said encryption key and said decryptor are located in said network agent.
14. A network agent as recited in claim 13, wherein said network agent comprises hard-code incorporating said encryption key.
15. A network agent as recited in claim 11, connected to said network agent authenticating device responsive to the decrypted password.
16. A network agent as recited in claim 11, further comprising a read-only memory incorporating said encryption key.
17. A network agent as recited in claim 11, further comprising an encryptor of an agent-authenticating password into the encrypted password, said encryptor having access to the encryption key and including a password-encrypting algorithm compatible with said encryption key, wherein said encryptor encrypts, in relation to the encryption key, the agent-authenticating password into the encrypted password stored in the memory unit using said password-encrypting algorithm.
18. A network agent as recited in claim 11, wherein said decryptor and encryptor have access to the encryption key through exclusive dedicated connections thereby restricting access to said encryption key to said decryptor and said encryptor.
19. A network agent as defined in claim 17, wherein the password-encrypting algorithm is a symmetrical algorithm.
20. A network agent as recited in claim 11, wherein the password-decrypting algorithm is a symmetrical algorithm.
21. A network agent as recited in claim 11, wherein a network agent-identifying portion is further stored in said memory unit.
22. A method for storing and retrieving a password for a network agent, the method comprising steps of: a) storing an encryption key related to the network agent; b) storing an encrypted password related to the network agent in a memory unit; c) retrieving, from the memory unit, the encrypted password; and d) decrypting, in relation to the encryption key, the encrypted password into a decrypted password for the network agent.
23. A method as recited in claim 22, wherein said network agent comprises hard-code, said encryption key storing comprising storing the encryption key in the hard-code, and the encryption key retrieving comprising retrieving, from said hard-code, said encryption key.
24. A method as recited in claim 23, wherein said encryption key is used exclusively for said decrypting.
25. A method as recited in claim 22, further comprising encrypting a password into the encrypted password in relation to the encryption key, and storing the encrypted password in the memory unit.
26. A method as recited in claim 25, wherein the password encrypting comprises using a symmetrical algorithm.
27. A method as recited in claim 22, wherein the password decrypting comprises using a symmetrical algorithm.
EP01941359A 2000-06-07 2001-06-07 Network agent password storage and retrieval scheme Withdrawn EP1290531A2 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US58828500A 2000-06-07 2000-06-07
US588285 2000-06-07
PCT/SE2001/001285 WO2001095072A2 (en) 2000-06-07 2001-06-07 Network agent password storage and retrieval scheme

Publications (1)

Publication Number Publication Date
EP1290531A2 true EP1290531A2 (en) 2003-03-12

Family

ID=24353242

Family Applications (1)

Application Number Title Priority Date Filing Date
EP01941359A Withdrawn EP1290531A2 (en) 2000-06-07 2001-06-07 Network agent password storage and retrieval scheme

Country Status (3)

Country Link
EP (1) EP1290531A2 (en)
AU (1) AU2001274719A1 (en)
WO (1) WO2001095072A2 (en)


Also Published As

Publication number Publication date
AU2001274719A1 (en) 2001-12-17
WO2001095072A2 (en) 2001-12-13
WO2001095072A3 (en) 2002-04-25


Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20021102

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR

AX Request for extension of the european patent

Extension state: AL LT LV MK RO SI

17Q First examination report despatched

Effective date: 20040323

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20040803