EP1290531A2 - Network agent password storage and retrieval scheme - Google Patents

Network agent password storage and retrieval scheme

Info

Publication number
EP1290531A2
Authority
EP
European Patent Office
Prior art keywords
password
encryption key
network agent
recited
decryptor
Prior art date
Legal status
Withdrawn
Application number
EP01941359A
Other languages
German (de)
English (en)
Inventor
Stéphane DESROCHERS
Current Assignee
Telefonaktiebolaget LM Ericsson AB
Original Assignee
Telefonaktiebolaget LM Ericsson AB
Priority date
2000-06-07
Filing date
2001-06-07
Publication date
2003-03-12
Application filed by Telefonaktiebolaget LM Ericsson AB
Publication of EP1290531A2
Current legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F 21/73 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/82 Protecting input, output or interconnection devices
    • G06F 21/85 Protecting input, output or interconnection devices interconnection devices, e.g. bus-connected or in-line devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2211/00 Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
    • G06F 2211/007 Encryption, En-/decode, En-/decipher, En-/decypher, Scramble, (De-)compress

Definitions

  • The present invention relates to a network agent password storage and retrieval scheme. More specifically, the present invention is concerned with a password storage and retrieval system and method for network agents.
  • As with human users, network agents need to use passwords to be authorised to perform certain routines with other devices or components.
  • A standard procedure is to use a password that is memorised and stored in a password database in the network.
  • A system or device for which the user is required to use his/her password also uses the password database. The procedure begins with a user giving his password to the system or device, which then compares the password with the corresponding password stored in the password database. If a match occurs, the user is authorised.
  • Network agents that need to perform routines with other network components are requested to provide their identification and password to the authenticating device.
  • The network agent therefore needs to store its password (also referred to herein as an agent-authenticating password) in a memory location of some sort.
  • One possible memory location implementation is to use a central database that is accessible to all agents, components or devices in the network. This solution is not very practical, since any agent, component or device, whether hostile or not, has access to all the network agent passwords. Indeed, a component needing access to the database to obtain a password must be able to obtain it without having to provide its own password. Additionally, the passwords cannot be encrypted, since this would require a password for decryption and the network agent does not have one prior to accessing the central database.
  • Another solution consists in hard-coding the password within the network agent's code. Unfortunately, this solution renders the network agent very inflexible, because its password cannot be changed easily. In addition, if the agent's code is stolen, it can be decompiled and the password extracted from the decompiled code.
  • Yet another proposition consists of storing the password in a file located "close" to the network agent to which it belongs.
  • The file can be placed in a special directory such that it is only accessible to the network agent.
  • This prior art proposition stores the password as clear text in the file. Hence, the file can easily be stolen and the clear password obtained from it.
  • An object of the present invention is therefore to overcome the problems of the prior art and, more specifically, to securely provide password storage and retrieval for a network agent.
  • A password storage and retrieval system for a network agent.
  • The password storage and retrieval system has a memory unit in which an encrypted password related to the network agent is stored, an encryption key related to the network agent, and a decryptor for decrypting the encrypted password into a decrypted password for the network agent.
  • The decryptor has access to the encryption key and the memory unit, and includes a password-decrypting algorithm compatible with the encryption key. The decryptor decrypts, in relation to the encryption key, the encrypted password using the password-decrypting algorithm.
  • The password storage and retrieval system further comprises an encryptor for encrypting an agent password into the encrypted password.
  • The encryptor has access to the encryption key and includes a password-encrypting algorithm compatible with the encryption key.
  • The encryptor encrypts, in relation to the encryption key, the agent password into the encrypted password stored in the memory unit using the password-encrypting algorithm.
  • A network agent capable of being authenticated by an authenticating device, and with which is associated an encrypted password stored in a memory unit.
  • The network agent comprises an encryption key related to the network agent, and a decryptor of the encrypted password into a decrypted password authenticating the network agent.
  • The decryptor is connected to the encryption key and the memory unit, and includes a password-decrypting algorithm compatible with the encryption key. The decryptor decrypts, in relation to the encryption key, the encrypted password using the password-decrypting algorithm.
  • The present invention is concerned with a method for password storage and retrieval for a network agent, the method comprising the steps of storing an encryption key related to the network agent, storing an encrypted password related to the network agent in a memory unit, retrieving the encrypted password from the memory unit, reading the encryption key, and decrypting, in relation to the encryption key, the encrypted password into a decrypted password for the network agent.
  • The password storage and retrieval method further comprises encrypting an agent-authenticating password into the encrypted password in relation to the encryption key, and storing the encrypted password in the memory unit.
  • An obvious advantage of this invention is that, in order to break through the system, a person would need to obtain at least two pieces of information: the encryption key and the encrypted password.
  • Figure 1 is a schematic block diagram of a partial view of a multi-component network including a network agent password storage and retrieval system according to an embodiment of the present invention;
  • Figure 2 is a flow chart illustrating operation of the password storage and retrieval system of Figure 1;
  • Figure 3 is a flow chart illustrating a method for changing the password in the password storage and retrieval system of Figure 1.
  • FIG. 1 of the appended drawings illustrates a preferred embodiment of the network agent password storage and retrieval system 8 according to the present invention.
  • A password storage and retrieval system 8 is shown in interaction with a network agent 10.
  • The network agent may consist, without being limited thereto, of a node of the network, of a module of a node of the network, or of a procedure or function of one of the modules of a node of the network.
  • The network agent 10 is a network agent performing a predetermined function in the network.
  • The predetermined function may include, in particular but not exclusively, at least one of the following functions: a management function, a control function, a verification function, a signalling function, a monitoring function, etc. Therefore, the network agent 10 includes additional circuitry, or network agent logic 6, for carrying out its function(s) in the network.
  • The network agent 10 is shown in interaction with an authenticating device 34, which typically requires a password from the network agent 10 in order to authenticate the network agent.
  • The network agent 10 could alternatively be in interaction with any node requiring a password from the network agent 10, other than the authenticating device 34.
  • The block diagram of Figure 1 may form part of a more elaborate network comprising many other network agents or devices (not shown).
  • The password storage and retrieval system 8 includes, within the network agent 10 itself, a decryptor 12, an encryptor 14 and an encryption key 16.
  • The password storage and retrieval system 8 also includes a memory unit 18 in which is stored an encrypted password 7 associated with the network agent 10.
  • The decryptor 12 and encryptor 14 use a symmetric encryption mechanism, as is well known to those skilled in the art.
  • The decryptor 12 and the encryptor 14 have access to the encryption key 16 through a link 20, so that the encryption key 16 related to the network agent 10 is accessible to both the decryptor 12 and the encryptor 14.
  • The encryption key 16 is accessible only by the network agent 10 or by its internal components.
  • The encryption key 16 is preferably hard-coded, or intertwined within the code of the network agent 10. Alternatively, it is also within the scope of the present invention to use any type of memory circuit and/or data memory support suitable for storing the encryption key 16 that ensures the encryption key 16 is accessible only by the network agent 10. For example, in another preferred embodiment, the encryption key 16 is stored in a read-only memory (ROM) (not shown).
  • The memory unit 18 may store the encrypted password for only one network agent; alternatively, encrypted passwords associated with two or more network agents (not shown) similar to network agent 10 could be stored in memory unit 18. Although shown in Figure 1 as being independent from the network agent 10, the memory unit 18 could alternatively form part of the network agent 10, or be hosted by one or several other network components or nodes (not shown) with which the network agent 10 communicates. Alternatively, a dedicated directory or software file accessible only by the network agent 10 may constitute the memory unit 18. Again, it is within the scope of the present invention to use any other type of memory circuit and/or persistent data memory support suitable for storing the encrypted password. However, in a preferred embodiment of the invention, the memory unit 18 is a software file that stores the encrypted password along with a network agent-identifying portion (e.g., identification numbers, letters, code, etc.) for the network agent 10.
  • An authentication device 34 is shown.
  • The authentication device 34 is connected to the network agent 10 through a bi-directional link 28.
  • The principal functions of the authentication device 34 are to receive the authenticating password from the network agent 10 and to compare the received password with an expected result.
  • A password is encrypted and stored in the memory unit 18.
  • The password storage and retrieval system 8 is then used: its decryptor 12 accesses the memory unit 18 to obtain the encrypted password 7, obtains the encryption key 16 through the link 20, and applies the encryption key 16 to its encryption software (not shown) to decrypt the encrypted password 7 into an unencrypted password that can be used by the network agent.
  • The first operation consists of choosing a password 36 and supplying it to the network agent 10, or alternatively to the password storage and retrieval system 8 of the network agent 10.
  • The network agent 10 includes circuits (not shown) to transmit the new password to the encryptor 14.
  • The encryptor 14 includes an algorithm compatible with the encryption key 16. As previously indicated, the algorithm is a symmetric algorithm. Symmetric algorithms are well known to those of ordinary skill in the art and, accordingly, will not be further described in the present specification.
  • The encryptor 14 accesses the encryption key 16 through link 20 to encrypt the chosen password 36 in relation to the encryption key 16.
  • This encrypted password is transmitted from the encryptor 14 to the memory unit 18 through circuits (not shown) of the network agent 10, where it is stored in memory unit 18 for later use.
  • The network agent 10 proceeds to retrieve its password (step 204).
  • The decryptor 12 obtains the encrypted password 7 related to the network agent 10 from the memory unit 18 through a link 24 (step 204).
  • The decryptor 12 then decrypts the encrypted password in relation to the encryption key 16, using the algorithm (a symmetric algorithm in the preferred embodiment) previously used by the encryptor 14 to encrypt the password (step 206).
  • The decryptor 12 forwards the decrypted password to the authenticating device 34 through the circuits (not shown) of the network agent 10 and the link 28, and the network agent continues its regular operation.
  • The authenticating device 34 compares the password received from the decryptor 12 with an expected result stored therein. When a match exists between the password and the expected result, the network agent 10 is authenticated and permission(s) granted. If no match exists, the network agent is not authenticated.
  • In step 302, the network agent 10 receives the new password 36.
  • The new password 36 is transmitted to the network agent using a secure mechanism such as Kerberos, so that the password storage and retrieval system 8 may verify that the new password 36 being submitted comes from an authorized party. If the party requesting the password change is authorized (step 306), the new password 36 is encrypted by the encryptor 14 using the encryption key 16 (step 307). This new encrypted password then replaces the encrypted password currently stored in memory unit 18 (step 310).
  • Step 312 may be performed by the user, the agent 10 or a tool of the agent (not shown).
  • A particular advantage of the present invention is that, in order to break through the system, one needs to obtain at least two pieces of information: the encryption key 16, and the encrypted password 7 from memory unit 18.
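The storage, retrieval and password-change flows described above (Figures 2 and 3), as an added Python example that is not part of the patent: the encryption key is passed in rather than embedded in the agent's code, the memory unit is a JSON file whose layout is assumed, and HMAC-SHA256 in counter mode stands in for the unspecified symmetric algorithm so the example runs on the standard library alone. Because the decryptor holds the key, the scheme's "two pieces of information" protection is only as strong as the secrecy of that key.

```python
import hashlib
import hmac
import json
import secrets
import tempfile
from pathlib import Path


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a vetted cipher such as AES-GCM.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def encrypt_password(key: bytes, password: str) -> dict:
    # Encryptor 14: fresh nonce each time, plus a tag so a tampered record is rejected.
    nonce, plain = secrets.token_bytes(16), password.encode()
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, b"mac" + nonce + cipher, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": cipher.hex(), "tag": tag.hex()}


def decrypt_password(key: bytes, record: dict) -> str:
    # Decryptor 12: check the tag in constant time before undoing the keystream.
    nonce, cipher, tag = (bytes.fromhex(record[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(key, b"mac" + nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("encrypted password rejected: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(cipher, _keystream(key, nonce, len(cipher)))).decode()


class MemoryUnit:
    # Memory unit 18 as a JSON file keyed by agent identifier (file layout is assumed).
    def __init__(self, path):
        self.path = Path(path)

    def store(self, agent_id: str, record: dict) -> None:
        data = json.loads(self.path.read_text()) if self.path.exists() else {}
        data[agent_id] = record
        self.path.write_text(json.dumps(data))

    def load(self, agent_id: str) -> dict:
        return json.loads(self.path.read_text())[agent_id]


class NetworkAgent:
    # Network agent 10; the patent embeds key 16 in the agent's code or ROM, here it is a parameter.
    def __init__(self, agent_id: str, key: bytes, memory: MemoryUnit):
        self.agent_id, self.key, self.memory = agent_id, key, memory

    def store_password(self, password: str) -> None:
        # Figure 2: encrypt the chosen password 36 and write it to the memory unit.
        self.memory.store(self.agent_id, encrypt_password(self.key, password))

    def retrieve_password(self) -> str:
        return decrypt_password(self.key, self.memory.load(self.agent_id))

    def change_password(self, new_password: str, requester_authorised: bool) -> bool:
        # Figure 3, steps 306 to 310: only a requester verified out of band (Kerberos) may replace it.
        if not requester_authorised:
            return False
        self.store_password(new_password)
        return True


def demo() -> tuple:
    # Constructed sample values: agent id, random key, temporary memory-unit file.
    path = Path(tempfile.mkdtemp()) / "passwords.json"
    agent = NetworkAgent("agent-0042", secrets.token_bytes(32), MemoryUnit(path))
    agent.store_password("initial-pw")
    first = agent.retrieve_password()
    refused = agent.change_password("hijacked", requester_authorised=False)
    agent.change_password("rotated-pw", requester_authorised=True)
    return first, refused, agent.retrieve_password(), "initial-pw" in path.read_text()
```

The last element of `demo()`'s result confirms that the file alone never holds the clear password, which is the property the clear-text file of the prior art lacked.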

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a password storage and retrieval system (8) for the secure authentication and management of network agents (10). The password storage and retrieval system (8) comprises a memory unit (18) and, within a network agent (10), a decryptor (12), an encryptor (14) and an encryption key (16). The decryptor (12) uses a symmetric algorithm and the encryption key (16) to decrypt an encrypted password relating to the network agent (10), thereby obtaining a decrypted password. The same symmetric algorithm was previously used to encrypt the password with the key and to store the encrypted password. In a preferred embodiment of the invention, the encryption key (16) is embedded in the program of the network agent (10), and the memory unit (18) holding the encrypted password is a designated directory readily accessible to the network agent (10). The invention offers the obvious advantage that, in order to break into the system, a person needs at least two pieces of information, namely the encryption key (16) and the encrypted password.
EP01941359A 2000-06-07 2001-06-07 Network agent password storage and retrieval scheme Withdrawn EP1290531A2 (fr)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US58828500A 2000-06-07 2000-06-07
US588285 2000-06-07
PCT/SE2001/001285 WO2001095072A2 (fr) 2000-06-07 2001-06-07 Network agent password storage and retrieval scheme

Publications (1)

Publication Number Publication Date
EP1290531A2 true EP1290531A2 (fr) 2003-03-12

Family

Family ID: 24353242

Family Applications (1)

Application Number Title Priority Date Filing Date
EP01941359A Withdrawn EP1290531A2 (fr) 2000-06-07 2001-06-07 Network agent password storage and retrieval scheme

Country Status (3)

Country Link
EP (1) EP1290531A2 (fr)
AU (1) AU2001274719A1 (fr)
WO (1) WO2001095072A2 (fr)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU742639B3 (en) * 2001-02-15 2002-01-10 Ewise Systems Pty Limited Secure network access
US7571239B2 (en) * 2002-01-08 2009-08-04 Avaya Inc. Credential management and network querying
FR2862827B1 (fr) * 2003-11-21 2006-03-03 Enatel Method for managing security data
JP2005173197A (ja) * 2003-12-11 2005-06-30 Buffalo Inc Encryption/decryption processing system and encryption/decryption processing device
EP1770584B1 (fr) * 2005-09-27 2019-03-06 Omron Corporation Programmable control system and corresponding development support device for a control program

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6108420A (en) * 1997-04-10 2000-08-22 Channelware Inc. Method and system for networked installation of uniquely customized, authenticable, and traceable software application
US6240184B1 (en) * 1997-09-05 2001-05-29 Rsa Security Inc. Password synchronization
US7085931B1 (en) * 1999-09-03 2006-08-01 Secure Computing Corporation Virtual smart card system and method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO0195072A3 *

Also Published As

Publication number Publication date
AU2001274719A1 (en) 2001-12-17
WO2001095072A2 (fr) 2001-12-13
WO2001095072A3 (fr) 2002-04-25

Similar Documents

Publication Publication Date Title
US8972743B2 (en) Computer security system and method
RU2284569C2 (ru) Unlocking and locking software features
US5548721A (en) Method of conducting secure operations on an uncontrolled network
JP4866863B2 (ja) Security code generation method and user device
US7155616B1 (en) Computer network comprising network authentication facilities implemented in a disk drive
US6075860A (en) Apparatus and method for authentication and encryption of a remote terminal over a wireless link
US6230272B1 (en) System and method for protecting a multipurpose data string used for both decrypting data and for authenticating a user
US8543764B2 (en) Storage device with accessible partitions
US20070240226A1 (en) Method and apparatus for user centric private data management
US20040157584A1 (en) Method for establishing and managing a trust model between a chip card and a radio terminal
US20180324158A1 (en) Assuring external accessibility for devices on a network
JP4876169B2 (ja) Method, system and computer program for securely storing data
EP3694142A1 (fr) Method for managing and distributing keys in distributed environments
US6018583A (en) Secure computer network
JPS63205687A (ja) Method and apparatus for protecting secret elements in a network of cryptographic devices by handling public keys
KR101701304B1 (ko) Method and system for managing medical data using attribute-based encryption in a cloud environment
JPH05333775A (ja) User authentication system
EP1501238A1 (fr) Key distribution method and system comprising an authentication step and a key distribution step using a KEK (key encryption key)
CN112257121A (zh) Encryption method, decryption method, electronic device and storage medium
CA2251193A1 (fr) Method and apparatus for key encoding and recovery
US8750522B2 (en) Method and security system for the secure and unequivocal encoding of a security module
CN106845264A (zh) Application encryption method and device, and application access method and device
WO2001095072A2 (fr) Network agent password storage and retrieval scheme
JP2004013560A (ja) Authentication system, communication terminal and server
JPH063905B2 (ja) Method for authenticating the other party between a center and a user

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20021102

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR

AX Request for extension of the european patent

Extension state: AL LT LV MK RO SI

17Q First examination report despatched

Effective date: 20040323

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20040803