GB2408358A - Access and password management for network resources - Google Patents
Publication number: GB2408358A (application GB0326881A)
Authority: GB (United Kingdom)
Prior art keywords: password, access, computer, management unit, network
Legal status: Granted (the status shown on the source page is an assumption, not a legal conclusion)
Classifications
- H04L63/083: Network architectures or network communication protocols for network security; authentication of entities using passwords (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication)
- G06F1/00: Details not covered by groups G06F3/00 - G06F13/00 and G06F21/00 (G: Physics; G06: Computing, calculating or counting; G06F: Electric digital data processing)
- G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/34: User authentication involving the use of external additional devices, e.g. dongles or smart cards (under G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/31: User authentication)
Abstract
A method of managing passwords to network resources (102 - 110) in a computer or communication network (100) comprising the steps of generating (204), by an access and password management unit (112), a new password to at least one network resource from a group of network resources (102 - 110) registered with the access and password management unit (112); establishing (206) a secure connection between the access and password management unit (112) and the one network resource; replacing (208) an old password to the network resource with the new password using the secure connection; storing (210) the new password in a password repository in the access and password management unit (Fig. 2). Independent claims to network resource access management by the access and password management unit (112) are also included. The user of a computer (114) is verified and authorised and then provided access (320) to registered network resources (102 - 110) (Fig. 3). Another independent claim defines the access and password management unit's structure (Fig. 4).
Description
METHOD AND APPARATUS FOR ACCESS AND PASSWORD MANAGEMENT FOR NETWORK RESOURCES IN A COMPUTER OR COMMUNICATION NETWORK
Field of the Invention
The present invention relates to network security, in general, and in particular, to a method, a network and an apparatus for access and password management for network resources in a computer or communication network.
Background of the Invention
In a network environment, especially in a computer network, a user must access many network resources such as database systems, operating systems or the like. In most situations the information stored on these resources, or the resources themselves, are vital assets, and access to them is limited and controlled. One method of controlling access to such network resources known in the art is a login procedure, in which a user who attempts to access a resource is authenticated by means of a user ID and a password. As the number of databases and other services available via a computer network grows, the number of passwords to remember grows too. Administrators of computer networks are in an even more complicated situation: they are responsible for hundreds of resources connected in a network, and coping with passwords in such a large system is a major challenge.
Solutions known in the art allow passwords to a number of resources to be synchronized. However, they solve only a small fraction of the problem.
One of the security measures used in a network environment is periodic alteration of passwords. For an average user of network resources this is a task that can be done without serious effort. The same task is extremely difficult for an administrator of a network, especially if a password creation policy must be observed. A password creation policy may define rules for creating passwords which, for example, set a minimum number of characters, require the presence of special, non-alphanumeric characters, forbid the use of common words, etc. This makes it difficult to alter large numbers of passwords manually.
Summary of the Invention
There is a need for a method of access and password management for network resources in a computer and/or communication network which alleviates or overcomes the disadvantages of the prior art.
According to a first aspect of the present invention there is provided a method of managing passwords to network resources in a computer and/or communication network as claimed in claim 1.
According to a second aspect of the present invention there is provided a method of managing access to network resources in a computer and/or communication network as claimed in claim 6.
According to a third aspect of the present invention there is provided a computer and/or communication network for access and password management for network resources as claimed in claim 10.
According to a fourth aspect of the present invention there is provided an access and password management unit as claimed in claim 14.
The present invention beneficially allows, especially those involved in the administration of very large network systems, quick access to network resources without the burden of remembering passwords to all of the devices. Additionally, the process of altering these passwords is improved by automatic generation of passwords and changing them on the network resources.
Different access rights (to different sets of network resources) can also be given to the various users of computers attempting to connect to the network resources.
Brief description of the drawings
The present invention will be understood and appreciated more fully from the following detailed description taken in conjunction with the drawings, in which:
FIG. 1 is a schematic illustration of a computer and/or communication network operating in accordance with one embodiment of the present invention,
FIG. 2 is a flow chart illustrating a method of managing passwords to network resources in a computer and/or communication network in one embodiment of the present invention,
FIG. 3 is a flow chart illustrating a method of managing access to network resources in a computer and/or communication network in one embodiment of the present invention,
FIG. 4 is a block diagram of an access and password management unit in one embodiment of the present invention.
Description of an embodiment of the invention
The present invention is especially beneficial for administrators of computer or communication networks in which access to a variety of network resources (both hardware and software) protected by unique passwords, and the altering of these passwords, are inevitable parts of everyday operation. However, the embodiments described below may also be applied in smaller systems.
Therefore the term "computer" herein below refers equally to a regular computer in a network and to a computer used by an administrator of the network, and the term "user of a computer" can equally mean a user of a regular computer or an administrator of the network.
With reference to Fig. 1 and Fig. 2, an embodiment of a method of managing passwords to network resources 102 - 110 in a computer or communication network 100 is shown. In computer or communication networks, passwords to network resources can be altered on request of a user who has authorization to alter the password (e.g. the administrator of the network or of a resource), or alteration can be enforced by a password ageing policy. In one embodiment, where the alteration of passwords is enforced by the password ageing policy 202, a new password to at least one network resource, from a group of network resources 102 - 110 registered with an access and password management unit 112, is generated 204. Said password is generated 204 by said access and password management unit 112, applying predefined password creation rules. Next, said access and password management unit establishes 206 a secure connection between the one of the network resources 102 - 110 and said access and password management unit 112.
Methods of establishing secure connections between different entities in a computer or communication network are known in the art, and these methods can be applied here. Examples of such connections are secure (encrypted) replacements for telnet such as SSH, SSL/TLS, and secure FTP variants (SFTP or FTPS). It is within contemplation of the present invention that other types of secure connection can also be applied. Whichever type is used, the new password travels inside the channel, so the channel must authenticate the resource (for example by host key or server certificate) as well as encrypt the traffic; otherwise an impostor resource could capture the new password.
In the next step 208, using the secure connection, a script replaces the old password to the network resource with the new password generated by the access and password management unit 112.
The script is a text file containing a series of commands that form a simple computer program, which the resource executes by interpreting the text file.
Finally the new password to the network resource is stored 210 in a password repository in the access and password management unit 112.
In this embodiment the alteration of the passwords is performed without any interaction with users or administrators of the network.
In another embodiment the alteration of passwords is initiated on request of a user who has authorization to alter the password 202; all remaining steps are the same as when alteration of passwords is forced by the password ageing policy.
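The rotation procedure of Fig. 2 (steps 202 to 210), as an added example that is not part of the patent: the resource, the secure connection, the change-password script format ("passwd <account> <old> <new>") and the concrete creation rules (16 characters, all four character classes, no common words) are all constructed assumptions, since the patent names only the kinds of rule and the kinds of channel. The example adds one check the description leaves implicit: the repository entry is replaced only after the resource confirms the change, so a failed step 208 cannot leave the unit holding a password the resource does not have.

```python
import re
import secrets
import string

# Assumed concrete password creation rules (claim 2 names only the kinds of
# rule): minimum length, all four character classes, no common words.
COMMON_WORDS = ("password", "admin", "welcome", "letmein", "qwerty")
SPECIALS = "!#$%&*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def meets_policy(pw: str, min_len: int = 16) -> bool:
    """Return True if pw satisfies the assumed password creation rules."""
    if len(pw) < min_len:
        return False
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS)
    if not all(any(c in cls for c in pw) for cls in classes):
        return False
    lowered = pw.lower()
    return not any(word in lowered for word in COMMON_WORDS)


def generate_password(length: int = 16) -> str:
    """Step 204: draw from a CSPRNG and reject until the policy is met."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw, length):
            return pw


class Resource:
    """Constructed stand-in for a registered network resource (102-110) that
    interprets a one-line change-password script (claim 5)."""

    def __init__(self, name: str, account: str, password: str):
        self.name, self.account, self.password = name, account, password

    def run_script(self, script: str) -> bool:
        # Script format assumed here: "passwd <account> <old> <new>".  The old
        # password is checked so a stale repository entry cannot overwrite a
        # password the unit no longer knows.
        m = re.fullmatch(r"passwd (\S+) (\S+) (\S+)", script.strip())
        if not m or m.group(1) != self.account or m.group(2) != self.password:
            return False
        self.password = m.group(3)
        return True


class SecureConnection:
    """Step 206 stand-in: a channel authenticated with the current repository
    password.  A real unit would use SSH or TLS and verify the resource's
    host key or certificate before sending anything."""

    def __init__(self, resource: Resource, account: str, password: str):
        if (account, password) != (resource.account, resource.password):
            raise PermissionError(f"authentication to {resource.name} failed")
        self.resource = resource

    def send_script(self, script: str) -> bool:
        return self.resource.run_script(script)


def rotate_password(repo: dict, resource: Resource) -> bool:
    """Steps 204-210 for one resource.  The repository entry is only replaced
    after the resource confirms the change, so a failed step 208 never locks
    the unit out of the resource.  Returns True on success."""
    account, old_pw = repo[resource.name]
    new_pw = generate_password()
    try:
        conn = SecureConnection(resource, account, old_pw)   # step 206
    except PermissionError:
        return False
    if not conn.send_script(f"passwd {account} {old_pw} {new_pw}\n"):  # step 208
        return False
    repo[resource.name] = (account, new_pw)                  # step 210
    return True


if __name__ == "__main__":
    db = Resource("db01", "dbadmin", "Initial-Pass-2003!")   # constructed sample
    repository = {"db01": ("dbadmin", "Initial-Pass-2003!")}
    print("rotated:", rotate_password(repository, db))
    print("repository and resource agree:", repository["db01"][1] == db.password)
```

Rejection sampling in generate_password keeps the output uniform over policy-compliant strings, which a "fix up the string until it passes" approach does not. The ageing-policy trigger (202) is simply whatever calls rotate_password for every registered resource on schedule.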
When a user of a computer 114 in a computer or communication network 100 attempts to access one of the resources, the user must in most situations undergo an authentication procedure, meaning that a specialized unit of the resource determines whether he or she is the person he or she claims to be. For this purpose a unique ID and a password are used, and access to the resource is granted only when the ID is accompanied by the correct password. With reference to Fig. 1 and Fig. 3, an embodiment of a method of managing access to network resources 102 - 110 in a computer or communication network 100 is shown. In one embodiment of the present invention a computer 114 connects 302 to an access and password management unit 112. After connection the user of the connected computer 114 is authenticated 304, 306 by the access and password management unit 112. Then the authorizations of the user of the computer 114 are verified 308 and, based on the results of this verification, a list of network resources available to the user is created 310. The user of the computer can choose from the list the resource which he or she wants to access and request 312 a connection to this resource.
It is within contemplation of the present invention that the list of network resources available to the user of the computer can be presented in the form of a graphical user interface which provides not only the names of the available resources but also additional information useful to the user.
Next, the access and password management unit 112 establishes 314 a secure connection between said access and password management unit and the one of the available resources which was requested 312 by the user of the computer. To access the network resource, the access and password management unit 112 transmits 316 to the network resource an ID of the user of the computer 114 and a password to the network resource. The password is obtained from a password repository within the access and password management unit 112. The network resource authenticates 318 the user of the computer 114 based on the ID and password received from the access and password management unit 112 and verifies the user's authorizations. If the user of the computer is authenticated and authorized to access the network resource, the access and password management unit 112 transfers 320 the connection to the computer 114. From this moment there is a regular connection between the computer 114 and one of the resources 102 - 110. The password to the resource is supplied by the unit and need never be known to the user of the computer.
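The access-management procedure of Fig. 3 (steps 302 to 320), as an added example that is not part of the patent: the unit's user database, its authorization table, the repository and the two resources are constructed in-memory stand-ins, and the session handle returned at step 320 models the transferred connection. Storing the unit's own user passwords salted and hashed with PBKDF2 is an assumption (the patent does not say how the unit stores them), and the biometric option of the description is not modelled. The point the example makes concrete is that the resource password is read from the repository and used only inside the unit; what the computer receives at step 320 carries no password.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """What the computer receives at step 320: a handle to an authenticated
    connection to one resource.  It carries no resource password."""
    resource: str
    user: str
    token: str


class Resource:
    """Constructed stand-in for a registered resource that authenticates the
    (user ID, account, password) it receives from the unit (step 318)."""

    def __init__(self, name: str, account: str, password: str):
        self.name, self.account, self.password = name, account, password

    def login(self, user_id: str, account: str, password: str) -> Session:
        ok = (hmac.compare_digest(account.encode(), self.account.encode())
              and hmac.compare_digest(password.encode(), self.password.encode()))
        if not ok:
            raise PermissionError(f"{self.name}: bad credentials presented for {user_id}")
        return Session(self.name, user_id, secrets.token_hex(16))


def _kdf(password: str, salt: bytes) -> bytes:
    # Assumed storage format for the unit's own users: PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessAndPasswordManagementUnit:
    """Unit 112: user database and authorizations (authentication section 402),
    password repository 406 and the brokering controller 404."""

    def __init__(self):
        self.users = {}       # user id -> (salt, pbkdf2 digest)
        self.authz = {}       # user id -> set of resource names
        self.repo = {}        # resource name -> (account, password)
        self.resources = {}   # resource name -> Resource

    def register_user(self, user_id: str, password: str, allowed: set):
        salt = secrets.token_bytes(16)
        self.users[user_id] = (salt, _kdf(password, salt))
        self.authz[user_id] = set(allowed)

    def register_resource(self, resource: Resource, account: str, password: str):
        self.resources[resource.name] = resource
        self.repo[resource.name] = (account, password)

    def authenticate(self, user_id: str, password: str) -> bool:
        """Steps 304-306.  Unknown users still pay the KDF cost so that the
        response time does not reveal which IDs exist."""
        rec = self.users.get(user_id)
        if rec is None:
            _kdf(password, bytes(16))
            return False
        salt, digest = rec
        return hmac.compare_digest(_kdf(password, salt), digest)

    def available_resources(self, user_id: str) -> list:
        """Steps 308-310: only resources that are both registered and authorized."""
        return sorted(self.authz.get(user_id, set()) & set(self.resources))

    def connect(self, user_id: str, password: str, resource_name: str) -> Session:
        """Steps 312-320: broker the connection.  The resource password is read
        from the repository and never returned to the caller."""
        if not self.authenticate(user_id, password):
            raise PermissionError("authentication at the unit failed")
        if resource_name not in self.available_resources(user_id):
            raise PermissionError(f"{user_id} is not authorized for {resource_name}")
        account, res_pw = self.repo[resource_name]            # repository 406
        resource = self.resources[resource_name]
        return resource.login(user_id, account, res_pw)        # steps 314-320


def demo() -> AccessAndPasswordManagementUnit:
    """Constructed sample deployment: two resources, one user allowed on one."""
    unit = AccessAndPasswordManagementUnit()
    unit.register_resource(Resource("db01", "dbadmin", "Db-Secret-2003!!"), "dbadmin", "Db-Secret-2003!!")
    unit.register_resource(Resource("rtr01", "admin", "Rtr-Secret-2003!!"), "admin", "Rtr-Secret-2003!!")
    unit.register_user("alice", "alice-unit-pw", {"db01"})
    return unit
```

The authorization check happens twice, as the description says: once at the unit (step 308, which also shapes the list at 310) and once at the resource (step 318, here the account/password check in Resource.login). The unit is the single place holding every resource password, which is why the description singles it out for stronger authentication such as biometrics.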
As the access and password management unit 112 holds very sensitive data, in one embodiment the authentication process can involve biometric data, to increase the security of the data stored therein and, in consequence, the security of the network resources registered with the access and password management unit 112.
Referring to Fig. 1, an embodiment of a computer and/or communication network 100 is shown. The network 100 comprises at least one computer 114 and a plurality of network resources 102 to 110. The network 100 also comprises an access and password management unit 112, which is adapted to authenticate and verify the authorization of a user of the computer 114. The access and password management unit 112 is also adapted to provide access to the network resources registered with the password management unit 112.
The access and password management unit 112 performs two basic functions in the network 100: providing access to network resources and changing passwords to those resources. The access and password management unit 112 facilitates connections between the computer 114 and the network resources 102 - 110. To perform this function it is adapted to transmit to the network resource, on request from the user of the computer 114, an ID of the user of the computer 114 and a password obtained from a password repository. If access has been granted, a direct connection between the access and password management unit 112 and the network resource is established. Then the access and password management unit 112 transfers the connection to the computer 114. The access and password management unit 112 maintains a list of passwords to the network resources 102 to 110 which are registered with the access and password management unit 112. The access and password management unit 112 is also adapted to establish a secure connection with any of the network resources 102 - 110 registered with the access and password management unit 112 and to alter a password to the network resource during the secure connection.
With reference to Fig. 4 an embodiment of an access and password management unit 112 is shown. The access and password management unit 112 comprises an authentication section 402, which is responsible for performing authentication of a user of a computer connected to the access and password management unit 112. Said authentication section 402 is connected to a controller 404, which is connected to a password repository 406. A password generator 408 is connected to the controller 404 and to the password repository 406.
In operation, the password generator 408 generates new passwords to network resources 102 - 110 registered with the access and password management unit 112 when prompted by the controller 404. The controller, in turn, initiates generation of new passwords when this is requested by the user of the connected computer 114 or when alteration of passwords is enforced by the password ageing policy. The controller 404 is adapted to establish a secure connection with the network resources 102 - 110 and to alter the passwords to the network resources 102 - 110 during the secure connection.
Another function of the access and password management unit 112 is establishing a secure connection between the computer 114 and at least one of the network resources requested by a user of the computer 114. In the process of establishing this connection the access and password management unit 112 uses an ID of the user of the computer 114 and a password obtained from the password repository 406. Initially the connection is established between the access and password management unit 112 and the network resource, but when the user of the computer 114 is authenticated and the user's authorization is verified, the access and password management unit 112 transfers the connection to the computer 114.
In one embodiment, the access and password management unit 112 is implemented in software executable on one of the network elements (e.g. a router). A software implementation is relatively low cost and allows easy reconfiguration; however, a hardware implementation is also possible. It will be appreciated that the present invention may be implemented in hardware or software and may be used in computer and/or communication networks.
It is within contemplation of the present invention that in a communication network the function of the computer can be performed by a wireless communication device (e.g. a mobile phone), as modern communication networks allow transmission of both voice and data and access to many different resources.
Claims (20)
- Claims 1. A method of managing passwords to network resources (102 - 110) in a computer or communication network (100), the method being characterized by the steps of generating (204), by an access and password management unit (112), a new password to at least one network resource from a group of network resources (102 - 110) registered with the access and password management unit (112); establishing (206) a secure connection between the access and password management unit (112) and the one network resource; replacing (208) an old password to the network resource with the new password using the secure connection; storing (210) the new password in a password repository in the access and password management unit.
- 2. The method according to claim 1, wherein the new passwords to the network resources are generated using predefined password creation rules.
- 3. The method according to claim 1, wherein the passwords are altered periodically according to a predefined password ageing policy and without any interaction with a network administrator.
- 4. The method according to claim 1, wherein the passwords are altered at the network administrator's request.
- 5. The method according to claim 1, wherein the passwords are altered at the network resources as a result of execution of a computer readable script program provided by the access and password management unit.
- 6. A method of managing access to network resources (102-110) in a computer or communication network (100), the method being characterized by the steps of authenticating (304, 306) a user of a computer (114) after connection (302) of the computer (114) to an access and password management unit (112); verifying (308) authorizations of the user of the computer (114); creating (310) a list of network resources available for the user of the computer; establishing (314) a secure connection between said access and password management unit and one of the available resources, which was requested (312) by the user of the computer (114); transferring (320) the connection to the computer (114).
- 7. The method according to claim 6, wherein to establish the secure connection to the requested network resource said access and password management unit transmits to the requested network resource an ID of the user of the computer and a password obtained from the password repository.
- 8. The method according to claim 7, wherein the requested network resource performs authentication of the user of the computer and verifies its authorization based on data received from the access and password management unit.
- 9. The method according to any one of claims 6 to 8, wherein the user of the computer is authenticated (304, 306) at the access and password management unit using biometric data.
- 10. A computer and/or communication network (100) comprising at least one computer (114) and network resources (102 to 110), the network (100) characterized in that it further comprises an access and password management unit (112) adapted to authenticate and verify authorization of a user of the computer (114) and to provide access to the network resources registered with the password management unit (112).
- 11. The network according to claim 10, wherein the access and password management unit is adapted to establish a secure connection with any of the network resources registered with the access and password management unit and to alter a password to the network resource during the secure connection.
- 12. The network according to claim 10, wherein the access and password management unit is adapted to transmit, on request from the user of the computer, an ID of the user of the computer and a password from a password repository to the network resource and, if the access has been granted, to establish a direct connection between the computer and the network resource.
- 13. The network according to claim 11, wherein the access and password management unit is adapted to automatically generate a new password to any of the network resources using predefined password creation rules.
- 14. An access and password management unit (112) comprising an authentication section (402) connected to a controller (404), which is connected to a password repository (406) as well as a password generator (408) connected to the controller (404) and to the password repository (406).
- 15. The access and password management unit according to claim 14, wherein the controller is adapted to initialize generation of new passwords and to establish a secure connection with network resources and to alter the passwords to the network resources during the secure connection.
- 16. The access and password management unit according to claim 15, wherein the controller is further adapted to establish a secure connection between the computer and at least one of the network resources, which was requested by a user of the computer, using an ID of the user of the computer and password obtained from the password repository.
- 17. A method of access management to network resources in a computer or communication network substantially as hereinbefore described with reference to FIG. 2 of the accompanying drawings.
- 18. A method of password management for network resources in a computer or communication network substantially as hereinbefore described with reference to FIG. 3 of the accompanying drawings.
- 19. A system for access and password management for network resources substantially as hereinbefore described with reference to FIG. 1 of the accompanying drawings.
- 20. An access and password management unit substantially as hereinbefore described with reference to FIG. 4 of the accompanying drawings.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB0326881A GB2408358B (en) | 2003-11-19 | 2003-11-19 | Method and apparatus for access and password management for network resources in a computer or communication network |
Publications (3)
Publication Number | Publication Date |
---|---|
GB0326881D0 GB0326881D0 (en) | 2003-12-24 |
GB2408358A true GB2408358A (en) | 2005-05-25 |
GB2408358B GB2408358B (en) | 2006-12-27 |
Family
ID=29764039
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
GB0326881A Expired - Fee Related GB2408358B (en) | 2003-11-19 | 2003-11-19 | Method and apparatus for access and password management for network resources in a computer or communication network |
Country Status (1)
Country | Link |
---|---|
GB (1) | GB2408358B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0752636A2 (en) * | 1995-07-05 | 1997-01-08 | Sun Microsystems, Inc. | NIS+ password update protocol |
EP0929025A1 (en) * | 1998-01-13 | 1999-07-14 | Nec Corporation | Password updating apparatus and recording medium used therefor |
WO2003034656A1 (en) * | 2001-09-21 | 2003-04-24 | Docent, Inc. | Method and system to securely change a password in a distributed computing system |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2000242658A (en) * | 1999-02-22 | 2000-09-08 | Fuji Xerox Co Ltd | Individual information managing device, and customizing device |
GB9904791D0 (en) * | 1999-03-02 | 1999-04-28 | Smartport Limited | An internet interface system |
US6859878B1 (en) * | 1999-10-28 | 2005-02-22 | International Business Machines Corporation | Universal userid and password management for internet connected devices |
EP1211860A1 (en) * | 2000-12-01 | 2002-06-05 | BRITISH TELECOMMUNICATIONS public limited company | Provision of secure access for telecommunications system |
US7076797B2 (en) * | 2001-10-05 | 2006-07-11 | Microsoft Corporation | Granular authorization for network user sessions |
Events
- 2003-11-19: application GB0326881A filed (GB); patent GB2408358B, now not active (Expired - Fee Related)
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008025277A1 (en) | 2006-08-24 | 2008-03-06 | Huawei Technologies Co., Ltd. | Method, system and password management server for managing user password of network device |
EP2061179A1 (en) * | 2006-08-24 | 2009-05-20 | Huawei Technologies Co Ltd | Method, system and password management server for managing user password of network device |
EP2061179A4 (en) * | 2006-08-24 | 2010-03-31 | Huawei Tech Co Ltd | Method, system and password management server for managing user password of network device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PCNP | Patent ceased through non-payment of renewal fee |
Effective date: 20211119 |