GB2408358A - Access and password management for network resources

Info

Publication number: GB2408358A
Authority: GB (United Kingdom)
Application number: GB0326881A
Other versions: GB2408358B (en), GB0326881D0 (en)
Inventor: Steen Petersen
Current Assignee: Motorola Solutions Inc
Original Assignee: Motorola Inc
Priority date / filing date: 2003-11-19 (application filed by Motorola Inc)
Legal status: Granted; Expired - Fee Related

Classifications

    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords (H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L63/00 Network security; H04L63/08 Authentication of entities)
    • G06F1/00 Details not covered by groups G06F3/00 - G06F13/00 and G06F21/00 (G06 Computing; calculating or counting; G06F Electric digital data processing)
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards (G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/31 User authentication)

Abstract

A method of managing passwords to network resources (102 - 110) in a computer or communication network (100) comprising the steps of generating (204), by an access and password management unit (112), a new password to at least one network resource from a group of network resources (102 - 110) registered with the access and password management unit (112); establishing (206) a secure connection between the access and password management unit (112) and the one network resource; replacing (208) an old password to the network resource with the new password using the secure connection; storing (210) the new password in a password repository in the access and password management unit (Fig. 2). Independent claims to network resource access management by the access and password management unit (112) are also included. The user of a computer (114) is verified and authorised and then provided access (320) to registered network resources (102 - 110) (Fig. 3). Another independent claim defines the access and password management unit's structure (Fig. 4).

Description

METHOD AND APPARATUS FOR ACCESS AND PASSWORD MANAGEMENT FOR NETWORK RESOURCES IN A COMPUTER OR COMMUNICATION NETWORK
Field of the Invention
The present invention relates to network security, in general, and in particular, to a method, a network and an apparatus for access and password management for network resources in a computer or communication network.
Background of the Invention
In a network environment, especially in a computer network, a user must access many network resources such as database systems, operating systems or the like. In most situations, the information stored on these resources, or the resources themselves, are vital assets, and access to them is limited and controlled. One method of controlling access to such network resources known in the art is a login procedure, in which a user who attempts to access a resource is authenticated by means of a user ID and a password. As the number of databases and other services available via a computer network grows, the number of passwords to remember grows too. Administrators of computer networks are in an even more complicated situation: they are responsible for hundreds of resources connected in a network, and coping with passwords in such a big system is a major challenge.
There are solutions known in the art that allow passwords to a number of resources to be synchronized. However, they solve only a small fraction of the problem.
One of the security measures used in a network environment is periodic alteration of a password. Again, for an average user of network resources this is a task which can be done without any serious effort. The same task for an administrator of a network is extremely difficult (especially if there is a password creation policy to be observed). The password creation policy may define rules for creating passwords which, for example, set a minimum number of characters, require the presence of special, non-alphanumeric characters in the password, forbid the use of common words, etc. This makes it difficult to alter large numbers of passwords manually.
Summary of the Invention
There is a need for a method of access and password management for network resources in a computer and/or communication network which alleviates or overcomes the disadvantages of the prior art.
According to a first aspect of the present invention there is provided a method of managing passwords to network resources in a computer and/or communication network as claimed in claim 1.
According to a second aspect of the present invention there is provided a method of managing access to network resources in a computer and/or communication network as claimed in claim 6.
According to a third aspect of the present invention there is provided a computer and/or communication network for access and password management for network resources as claimed in claim 10.
According to a fourth aspect of the present invention there is provided an access and password management unit as claimed in claim 14.
The present invention beneficially allows users, especially those involved in the administration of huge network systems, quick access to network resources without the burden of remembering passwords to all of the devices. Additionally, the process of altering these passwords can be improved by automatic generation of passwords and changing them on the network resources.
Additionally different access rights (to different sets of network resources) can be given to various users of computers attempting to connect to the network resources.
Brief description of the drawings
The present invention will be understood and appreciated more fully from the following detailed description taken in conjunction with the drawings in which: FIG. 1 is a schematic illustration of a computer and/or communication network operating in accordance with one embodiment of the present invention, FIG. 2 is a flow chart illustrating a method of managing passwords to network resources in a computer and/or communication network in one embodiment of the present invention, FIG. 3 is a flow chart illustrating a method of managing access to network resources in a computer and/or communication network in one embodiment of the present invention, FIG. 4 is a block diagram of an access and password management unit in one embodiment of the present invention.
Description of an embodiment of the invention
The present invention is especially beneficial for administrators of computer or communication networks, where access to a variety of network resources (both hardware and software) protected by means of unique passwords, and the altering of these passwords, are inevitable parts of everyday operation. However, embodiments described below may also be applied in smaller systems.
Therefore the term "computer" herein below refers equally to a regular computer in a network and to a computer used by an administrator of the network, and the term "user of a computer" can equally be a user of a regular computer and an administrator of the network.
With reference to Fig. 1 and Fig. 2 an embodiment of a method of managing passwords to network resources 102 - 110 in a computer or communication network 100 is shown. In computer or communication networks, passwords to network resources can be altered on request of a user who has an authorization to alter the password (e.g. the admin of a network or a resource), or the alteration can be enforced by a password ageing policy. In one embodiment, where the alteration of passwords is enforced by the password ageing policy 202, a new password to at least one network resource, from a group of network resources 102 - 110 registered with an access and password management unit 112, is generated 204. Said password is generated 204 by said access and password management unit 112. In the process of generating the new password, predefined password creation rules are applied. Next, said access and password management unit establishes 206 a secure connection between that network resource and said access and password management unit 112.
There are methods known in the art for establishing secure connections between different instances in a computer or communication network, and these methods can be applied in this case. Examples of such connections are secure telnet, SSL, secure ftp, etc. It is within contemplation of the present invention that other types of secure connections can also be applied.
In the next step, using the secure connection, a special script replaces 208 the old password to the network resource with the new password generated by the access and password management unit 112.
The script is a text file containing a series of commands that form a simple computer program, which the computer executes by interpreting the text file.
Finally the new password to the network resource is stored 210 in a password repository in the access and password management unit 112.
In this embodiment the alteration of the passwords is performed without any interaction with users or administrators of the network.
In another embodiment the alteration of passwords can be initiated on request of a user who has an authorization to alter the password 202, and all remaining steps are the same as when the alteration of passwords is enforced by the password ageing policy.
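The rotation procedure above (steps 202 to 210), as an added worked example in Python; this is not code from the patent or from Motorola. The creation-policy fields, the `ResourceSession` stand-in for the secure connection and the change script, the in-memory repository and the sample passwords are assumptions constructed for the demonstration. The block also covers the creation rules mentioned in the background section (minimum length, special characters, forbidden common words) and adds one safeguard the text does not spell out: the candidate password is written to the repository before the change script runs, so a failure between steps 208 and 210 cannot leave the unit without any password the resource still accepts.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Character classes for the generator (constructed for this example).
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = string.ascii_letters + string.digits + SPECIALS


@dataclass(frozen=True)
class CreationPolicy:
    """Password creation rules of the kind the text describes: minimum length,
    required character classes and forbidden common words."""
    min_length: int = 16
    require_special: bool = True
    require_digit: bool = True
    forbidden_words: FrozenSet[str] = frozenset({"password", "admin", "secret"})

    def check(self, candidate: str) -> bool:
        if len(candidate) < self.min_length:
            return False
        if self.require_special and not any(c in SPECIALS for c in candidate):
            return False
        if self.require_digit and not any(c.isdigit() for c in candidate):
            return False
        lowered = candidate.lower()
        return not any(word in lowered for word in self.forbidden_words)


def generate_password(policy: CreationPolicy) -> str:
    """Step 204: draw candidates from the OS CSPRNG until one passes the policy."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(policy.min_length))
        if policy.check(candidate):
            return candidate


class ResourceSession:
    """Stand-in for a secure session (SSH, SSL, secure ftp) to one registered
    resource. It keeps the resource's live password so the change can be
    verified; on a real resource the change script would run over the session."""

    def __init__(self, name: str, current_password: str) -> None:
        self.name = name
        self._password = current_password

    def run_change_script(self, old: str, new: str) -> None:
        """Step 208: the resource accepts the change only with its current password."""
        if old != self._password:
            raise PermissionError(f"{self.name}: current password rejected")
        self._password = new

    def accepts(self, password: str) -> bool:
        return password == self._password


@dataclass
class RepositoryEntry:
    password: str
    changed_at: float                 # seconds since epoch
    pending: Optional[str] = None     # candidate recorded before the change runs


class PasswordManagementUnit:
    """Element 112: password repository plus the rotation driver (steps 202-210)."""

    def __init__(self, policy: CreationPolicy, max_age_seconds: float) -> None:
        self.policy = policy
        self.max_age = max_age_seconds
        self.repository: Dict[str, RepositoryEntry] = {}
        self.sessions: Dict[str, ResourceSession] = {}

    def register(self, session: ResourceSession, password: str, now: float) -> None:
        self.sessions[session.name] = session
        self.repository[session.name] = RepositoryEntry(password, now)

    def due_for_rotation(self, now: float) -> List[str]:
        """Step 202: the ageing policy selects resources whose password is too old."""
        return [n for n, e in self.repository.items() if now - e.changed_at >= self.max_age]

    def rotate(self, name: str, now: float) -> str:
        entry = self.repository[name]
        new = generate_password(self.policy)                  # 204
        entry.pending = new              # write-ahead: survives a crash before 210
        session = self.sessions[name]                         # 206 (secure connection)
        session.run_change_script(entry.password, new)        # 208
        if not session.accepts(new):
            raise RuntimeError(f"{name}: new password not accepted after change")
        self.repository[name] = RepositoryEntry(new, now)     # 210 (commit; pending cleared)
        return new

    def enforce_ageing_policy(self, now: float) -> List[str]:
        """Rotate every resource that is due and report which ones were changed."""
        return [name for name in self.due_for_rotation(now) if self.rotate(name, now)]


if __name__ == "__main__":
    unit = PasswordManagementUnit(CreationPolicy(), max_age_seconds=30 * 86400)
    db = ResourceSession("db1", "Initial-Pw-2003!")      # constructed sample resource
    unit.register(db, "Initial-Pw-2003!", now=0.0)
    print("due after 10 days:", unit.due_for_rotation(10 * 86400))
    print("rotated after 31 days:", unit.enforce_ageing_policy(31 * 86400))
    print("resource accepts stored password:", db.accepts(unit.repository["db1"].password))
```

If the repository and a resource have drifted apart (the resource no longer accepts the stored password), `run_change_script` raises `PermissionError` and the stored entry is left untouched apart from the recorded candidate, so the mismatch is surfaced for reconciliation instead of being silently overwritten.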
When a user of a computer 114, in a computer or communication network 100, is attempting to access one of the resources, the user, in most situations, must undergo an authentication procedure. This means that a specialized unit of the resource determines whether he or she is the person he or she claims to be. For this purpose a unique ID and a password are used. Access to the resource is granted only when the ID is accompanied by the correct password. With reference to Fig. 1 and Fig. 3 an embodiment of a method of managing access to network resources 102 - 110 in a computer or communication network 100 is shown. In one embodiment of the present invention a computer 114 connects to an access and password management unit 112. After connection, the user of the connected computer 114 is authenticated 304, 306 by the access and password management unit 112. Then the authorizations of the user of the computer 114 are verified 308 and, based on the results of this verification, a list of network resources available to the user is created 310. The user of the computer can choose from the list the resource which he or she wants to access and request 312 a connection with this resource.
It is within contemplation of the present invention that the list of network resources available to the user of the computer can be presented in the form of a graphical user interface which provides not only the names of the available resources but also additional information that can be useful for the user.
Next, the access and password management unit 112 establishes 314 a secure connection between said access and password management unit and the one of the available resources which was requested 312 by the user of the computer. To access the network resource, the access and password management unit 112 transmits 316 to the network resource an ID of the user of the computer 114 and a password to the network resource. The password is obtained from a password repository within the access and password management unit 112. The network resource authenticates 318 the user of the computer 114 based on the ID and password received from the access and password management unit 112 and verifies his or her authorizations. If the user of the computer is authenticated and authorized to access the network resource, the access and password management unit 112 transfers 320 the connection to the computer 114. From this moment there is a regular connection between the computer 114 and one of the resources 102 - 110.
As the access and password management unit 112 contains very important data, in one embodiment, the authentication process can involve authentication based on biometric data to increase safety of the data stored therein and in consequence safety of the network resources registered with the access and password management unit 112.
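The access-brokering flow of steps 302 to 320, as an added example in Python rather than the patent's own code. The `AuthenticationSection`, `Controller` and `Connection` classes, the `connector` callable standing in for the resource's own login check at step 318, the user names and the sample resource passwords are all constructed assumptions. The point it illustrates: the user's own credential is verified inside the unit against a salted, iterated hash; the resource password from the repository is presented by the unit and never reaches the computer (the handle returned at step 320 carries no password); and every request is recorded in an audit list with its outcome, which is what a defender wants from a broker that holds credentials for many resources.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash for the unit's own user credentials (element 402)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UserRecord:
    user_id: str
    salt: bytes
    digest: bytes
    allowed: FrozenSet[str]       # resources this user is authorized for (step 308)


class AuthenticationSection:
    """Element 402: authenticates users of connecting computers (steps 304, 306)."""

    def __init__(self) -> None:
        self.users: Dict[str, UserRecord] = {}

    def enrol(self, user_id: str, password: str, allowed: Iterable[str]) -> None:
        salt = secrets.token_bytes(16)
        self.users[user_id] = UserRecord(user_id, salt, _hash_password(password, salt),
                                         frozenset(allowed))

    def authenticate(self, user_id: str, password: str) -> Optional[UserRecord]:
        record = self.users.get(user_id)
        if record is None:
            _hash_password(password, bytes(16))   # same cost whether or not the user exists
            return None
        if hmac.compare_digest(_hash_password(password, record.salt), record.digest):
            return record
        return None


@dataclass(frozen=True)
class Connection:
    """Handle handed to the computer at step 320; it carries no password."""
    resource: str
    user_id: str
    session_id: str


# A connector opens the secure connection to a resource (314), presents the user
# ID and the repository password (316) and returns the handle if the resource
# accepts them (318). Its signature is an assumption made for this example.
Connector = Callable[[str, str, str], Connection]


class Controller:
    """Element 404: brokers access between the computer and the resources."""

    def __init__(self, auth: AuthenticationSection, repository: Dict[str, str],
                 connector: Connector) -> None:
        self.auth = auth
        self.repository = repository      # element 406: resource name -> password
        self.connector = connector
        self.sessions: Dict[str, UserRecord] = {}    # users authenticated so far
        self.audit: List[Tuple[str, str, str]] = []  # (user, resource, outcome)

    def login(self, user_id: str, password: str) -> Optional[List[str]]:
        """Steps 304-310: authenticate, then list the resources the user may access."""
        record = self.auth.authenticate(user_id, password)
        if record is None:
            self.audit.append((user_id, "-", "login-failed"))
            return None
        self.sessions[user_id] = record
        return sorted(r for r in self.repository if r in record.allowed)

    def request_access(self, user_id: str, resource: str) -> Connection:
        """Steps 312-320: verify authorization, connect on the user's behalf, hand over."""
        record = self.sessions.get(user_id)
        if record is None or resource not in record.allowed or resource not in self.repository:
            self.audit.append((user_id, resource, "denied"))
            raise PermissionError(f"{user_id} is not authorized for {resource}")
        try:
            conn = self.connector(resource, user_id, self.repository[resource])
        except PermissionError:
            self.audit.append((user_id, resource, "resource-rejected"))
            raise
        self.audit.append((user_id, resource, "granted"))
        return conn


def build_demo_unit() -> Controller:
    """Constructed sample deployment: two resources, two users, a fake connector."""
    resource_passwords = {"db1": "Db1-Secret-2003!", "router1": "Rtr-Secret-2003!"}

    def connector(resource: str, user_id: str, password: str) -> Connection:
        # Stand-in for the resource's own login check at step 318.
        if password != resource_passwords[resource]:
            raise PermissionError("resource rejected the presented password")
        return Connection(resource, user_id, secrets.token_hex(8))

    auth = AuthenticationSection()
    auth.enrol("alice", "alice-pw", allowed={"db1"})
    auth.enrol("net-admin", "admin-pw", allowed={"db1", "router1"})
    return Controller(auth, dict(resource_passwords), connector)


if __name__ == "__main__":
    ctl = build_demo_unit()
    print("alice sees:", ctl.login("alice", "alice-pw"))
    print("alice gets:", ctl.request_access("alice", "db1"))
    print("audit:", ctl.audit)
```

Authorization is checked twice on purpose: once by the unit (step 308, before any credential is presented) and once by the resource (step 318), so a bug in the unit's list does not by itself grant access the resource would refuse.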
Referring to Fig. 1 an embodiment of a computer and/or communication network 100 is shown. The network 100 comprises at least one computer 114 and a plurality of network resources 102 to 110. The network 100 also comprises an access and password management unit 112, which is adapted to authenticate and verify the authorization of a user of the computer 114. The access and password management unit 112 is also adapted to provide access to the network resources registered with the password management unit 112.
The access and password management unit 112 performs two basic functions in the network 100: providing access to network resources and changing passwords to those resources. The access and password management unit 112 facilitates connections between the computer 114 and the network resources 102 - 110. To perform this function it is adapted to transmit to the network resource, on request from the user of the computer 114, an ID of the user of the computer 114 and a password obtained from a password repository. If access has been granted, a direct connection between the access and password management unit 112 and the network resource is established. Then the access and password management unit 112 transfers the connection to the computer 114. The access and password management unit 112 maintains a list of passwords to the network resources 102 to 110 which are registered with the access and password management unit 112. The access and password management unit 112 is also adapted to establish a secure connection with any of the network resources 102 - 110 registered with the access and password management unit 112 and to alter the password to the network resource during the secure connection.
With reference to Fig. 4 an embodiment of an access and password management unit 112 is shown. The access and password management unit 112 comprises an authentication section 402, which is responsible for performing authentication of a user of a computer connected to the access and password management unit 112. Said authentication section 402 is connected to a controller 404, which is connected to a password repository 406. A password generator 408 is connected to the controller 404 and to the password repository 406.
In operation, the password generator 408 generates new passwords to network resources 102 - 110 registered with the access and password management unit 112 when prompted by the controller 404. The controller, in turn, initiates the generation of new passwords when this is requested by the user of the connected computer 114 or when the alteration of passwords is enforced by the password ageing policy. The controller 404 is adapted to establish a secure connection with the network resources 102 - 110 and to alter the passwords to the network resources 102 - 110 during the secure connection.
Another function of the access and password management unit 112 is establishing a secure connection between the computer 114 and at least one of the network resources which was requested by a user of the computer 114. In the process of establishing this connection the access and password management unit 112 uses an ID of the user of the computer 114 and a password obtained from the password repository 406. Initially the connection is established between the access and password management unit 112 and the network resource, but once the user of the computer 114 is authenticated and his or her authorization is verified, the access and password management unit 112 transfers the connection to the computer 114.
In one embodiment, the access and password management unit 112 is implemented in software executable on one of the network elements (e.g. a router). A software implementation is relatively low cost and allows easy reconfiguration. However, a hardware implementation is also possible. Nevertheless, it will be appreciated that the present invention may be implemented in hardware or software and may be used in computer and/or communication networks.
It is within contemplation of the present invention that in a communication network the function of the computer can be performed by a wireless communication device (e.g. a mobile phone), as modern communication networks allow transmission of both voice and data and access to many different resources.

Claims (20)

  1. A method of managing passwords to network resources (102 - 110) in a computer or communication network (100), the method being characterized by the steps of generating (204), by an access and password management unit (112), a new password to at least one network resource from a group of network resources (102 - 110) registered with the access and password management unit (112); establishing (206) a secure connection between the access and password management unit (112) and the one network resource; replacing (208) an old password to the network resource with the new password using the secure connection; storing (210) the new password in a password repository in the access and password management unit.
  2. The method according to claim 1, wherein the new passwords to the network resources are generated using predefined password creation rules.
  3. The method according to claim 1, wherein the passwords are altered periodically according to a predefined password ageing policy and without any interaction with a network administrator.
  4. The method according to claim 1, wherein the passwords are altered at the network administrator's request.
  5. The method according to claim 1, wherein the passwords are altered at the network resources as a result of execution of a computer readable script program provided by the access and password management unit.
  6. A method of managing access to network resources (102 - 110) in a computer or communication network (100), the method being characterized by the steps of authenticating (304, 306) a user of a computer (114) after connection (302) of the computer (114) to an access and password management unit (112); verifying (308) authorizations of the user of the computer (114); creating (310) a list of network resources available for the user of the computer; establishing (314) a secure connection between said access and password management unit and one of the available resources, which was requested (312) by the user of the computer (114); transferring (320) the connection to the computer (114).
  7. The method according to claim 6, wherein to establish the secure connection to the requested network resource said access and password management unit transmits to the requested network resource an ID of the user of the computer and a password obtained from the password repository.
  8. The method according to claim 7, wherein the requested network resource performs authentication of the user of the computer and verifies his or her authorization based on data received from the access and password management unit.
  9. The method according to any one of claims 6 to 8, wherein the user of the computer is authenticated (304, 306) at the access and password management unit using biometric data.
  10. A computer and/or communication network (100) comprising at least one computer (114) and network resources (102 to 110), the network (100) characterized in that it further comprises an access and password management unit (112) adapted to authenticate and verify authorization of a user of the computer (114) and to provide access to the network resources registered with the password management unit (112).
  11. The network according to claim 10, wherein the access and password management unit is adapted to establish a secure connection with any of the network resources registered with the access and password management unit and to alter a password to the network resource during the secure connection.
  12. The network according to claim 10, wherein the access and password management unit is adapted to transmit, on request from the user of the computer, an ID of the user of the computer and a password from a password repository to the network resource and, if the access has been granted, to establish a direct connection between the computer and the network resource.
  13. The network according to claim 11, wherein the access and password management unit is adapted to automatically generate a new password to any of the network resources using predefined password creation rules.
  14. An access and password management unit (112) comprising an authentication section (402) connected to a controller (404), which is connected to a password repository (406), as well as a password generator (408) connected to the controller (404) and to the password repository (406).
  15. The access and password management unit according to claim 14, wherein the controller is adapted to initialize generation of new passwords and to establish a secure connection with network resources and to alter the passwords to the network resources during the secure connection.
  16. The access and password management unit according to claim 15, wherein the controller is further adapted to establish a secure connection between the computer and at least one of the network resources, which was requested by a user of the computer, using an ID of the user of the computer and a password obtained from the password repository.
  17. A method of access management to network resources in a computer or communication network substantially as hereinbefore described with reference to FIG. 2 of the accompanying drawings.
  18. A method of password management for network resources in a computer or communication network substantially as hereinbefore described with reference to FIG. 3 of the accompanying drawings.
  19. A system for access and password management for network resources substantially as hereinbefore described with reference to FIG. 1 of the accompanying drawings.
  20. An access and password management unit substantially as hereinbefore described with reference to FIG. 4 of the accompanying drawings.

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0326881A GB2408358B (en) 2003-11-19 2003-11-19 Method and apparatus for access and password management for network resources in a computer or communication network

Publications (3)

Publication Number Publication Date
GB0326881D0 (en) 2003-12-24
GB2408358A (en) 2005-05-25
GB2408358B (en) 2006-12-27

Family ID: 29764039

Country Status (1)

Country Link
GB (1) GB2408358B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0752636A2 (en) * 1995-07-05 1997-01-08 Sun Microsystems, Inc. NIS+ password update protocol
EP0929025A1 (en) * 1998-01-13 1999-07-14 Nec Corporation Password updating apparatus and recording medium used therefor
WO2003034656A1 (en) * 2001-09-21 2003-04-24 Docent, Inc. Method and system to securely change a password in a distributed computing system

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2000242658A (en) * 1999-02-22 2000-09-08 Fuji Xerox Co Ltd Individual information managing device, and customizing device
GB9904791D0 (en) * 1999-03-02 1999-04-28 Smartport Limited An internet interface system
US6859878B1 (en) * 1999-10-28 2005-02-22 International Business Machines Corporation Universal userid and password management for internet connected devices
EP1211860A1 (en) * 2000-12-01 2002-06-05 BRITISH TELECOMMUNICATIONS public limited company Provision of secure access for telecommunications system
US7076797B2 (en) * 2001-10-05 2006-07-11 Microsoft Corporation Granular authorization for network user sessions

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008025277A1 (en) 2006-08-24 2008-03-06 Huawei Technologies Co., Ltd. Method, system and password management server for managing user password of network device
EP2061179A1 (en) * 2006-08-24 2009-05-20 Huawei Technologies Co Ltd Method, system and password management server for managing user password of network device
EP2061179A4 (en) * 2006-08-24 2010-03-31 Huawei Tech Co Ltd Method, system and password management server for managing user password of network device

Legal Events

Date Code Title Description
PCNP Patent ceased through non-payment of renewal fee

Effective date: 20211119