WO1998051029A1 - Appareil et procede d'authentification personnalisee d'acces secondaires - Google Patents

Appareil et procede d'authentification personnalisee d'acces secondaires Download PDF

Info

Publication number
WO1998051029A1
WO1998051029A1 PCT/US1998/009206 US9809206W WO9851029A1 WO 1998051029 A1 WO1998051029 A1 WO 1998051029A1 US 9809206 W US9809206 W US 9809206W WO 9851029 A1 WO9851029 A1 WO 9851029A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
authorization code
access
application
inte
Prior art date
Application number
PCT/US1998/009206
Other languages
English (en)
Inventor
Larry T. Jost
Original Assignee
Southwestern Bell Telephone Company
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Southwestern Bell Telephone Company filed Critical Southwestern Bell Telephone Company
Publication of WO1998051029A1 publication Critical patent/WO1998051029A1/fr

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication

Definitions

  • the present invention generally relates to the field of computer access authentication.
  • the present invention relates to secondary-level access authentication performed by application software to authenticate a user who has already been authenticated at an operating system-level and granted primary-level access to a computer installation or host system.
  • API Application Programming Interface
  • AC Authentication Code
  • IP Internet Protocol
  • FTP File Transfer Protocol
  • GUI Graphical User Interface
  • LAN Local Area Network
  • TCP/IP Transmission Control Protocol/Internet Protocol
  • WAN Wide Area Network
  • a user logs onto a computer installation or host system
  • the user enters a user identification and a password.
  • the entered user identification and password are compared by the computer installation or host operating system against a password list, password file or database table to determine if the user entered a valid user identification/password combination.
  • a user profile previously defined or established by a system administrator determines the user's privileges on the computer installation or host system.
  • the user profile generally includes the user's permissions (e.g., read, write and execute permissions) at various predefined levels within the directory or folder structure of the computer.
  • permissions e.g., read, write and execute permissions
  • UNIX operating systems define an other level, a group level, and a owner level.
  • other level permissions apply to all users within the computer installation.
  • users and system administrators who desire to permit universal user access to particular files and directories/folders may do so by setting the appropriate other level permissions.
  • Group level permissions apply only to users who are members of a predefined group. The group level permissions do not apply to users who are not members of the group.
  • group level permissions By using group level permissions, a predefined subset of all users may be granted access to read, write and execute files and to traverse directories/folders. Owner level permissions are specific to a particular user, and apply only to the particular user. Generally a user is granted read, write and execute permissions to his or her own files and directories. However, in some circumstances a user may wish to prevent accidental updates of a file by setting the file or directory/folder to read-only (i.e., no write access) at the owner level.
  • a system administrator may define levels of access that range from almost universal system access (e.g., a development manager requiring access to many folders/directories) to access limited to specific directories/folders and/or files (e.g., a programmer working on specific program modules).
  • secondary access authentication mechanisms and techniques operate much like primary access authentication, and generally require a user to enter a user identification and application password when accessing an application.
  • a disadvantage of this type of secondary access authentication is that the user is prompted for his or her user identification and application password each time the user accesses the application, which may be several times throughout a day.
  • Another technique for performing secondary access authentication is to use scripts to capture fields containing the user identification and application password via a batch-type script. Scripting has a disadvantage in that the user identification and application password may be exposed for viewing by other users on the system, creating a security risk.
  • a system administration maintains a separate access list of user identifications, application passwords, and possibly expiration data for each particular application running on the system in order to secure access and also to ensure proper aging (i.e., determining when an application password should expire) of the current password.
  • Password aging requires additional software coding and tracking to ensure that the user's application-level access and/or application password expires at the appropriate time and date (as primary password aging is performed at the operating system level).
  • Password aging is a particular problem for temporary or transient users who are intended or designated to use an application for only a short period of time.
  • present techniques of secondary access authentication do not prevent users who have been granted primary access from attempting to gain access to the application by, for example, entering multiple user identification and application passwords in an attempt to gain unauthorized access to the application to view and manipulate sensitive data.
  • present techniques of secondary access do not provide the capability to quickly and easily include additional user or system information with the user identification and application password to enhance security and limit access to applications.
  • prior techniques may have adequately provided secondary access authentication capabilities for smaller installations or installations having relatively few users or special access control needs, prior techniques have not addressed secondary access authentication for larger installations having a large number of users and situations for secure gatch scripting of authentications.
  • prior techniques have not effectively provided secondary access authentication for a limited period of time without the need for additional software coding to perform password aging to handle different access scenarios, for example, when a user from site
  • Prior systems have also not provided a mechanism by which a user can securely embed his or her user identification and application password within a script without the user identification and application password being accessible to others on the system. Further, prior secondary access authorization techniques have not effectively prevented authorized system users from attempting to gain access to restricted applications by repeatedly entering user identification/application password combinations in attempt to gain unauthorized access to an application. In addition, prior secondary access authorization techniques have not provided a flexible mechanism to include additional user and system information with the user identification and application password.
  • Such features would be highly desirable to system administrators and users who desire a secure secondary access authentication mechanism for application software residing and executed on a computer installation. Such features would also be desirable to system administrators and users of computer installations having transient users who desire to have application passwords and/or access to automatically expire without the need for additional data and coding.
  • a general object of the present invention is to provide an apparatus and method for secure secondary access authentication to users of computer-based systems and installations.
  • an object of the invention is to provide an apparatus and method that provide secondary access authentication for a limited period of time without the need for additional data retention to perform aging.
  • Another object of the invention is to provided a mechanism by which a user can securely embed his or her user identification and application password within a script without the user identification and application password being accessible to others on the system.
  • an aspect of the present invention is directed to a system for facilitating secondary access authentication to applications of a computer installation or host system.
  • the disclosed system provides user information and an application password to an access system which grants a user access to an application where the user has been previously authenticated by a primary-level access authentication system.
  • the system comprising an authorization code generator which creates an authentication code which may contain the user and system expiration information, and an authorization code interpreter which reads the authentication code and provides the user information and the other desired information and application password to the access system.
  • the authentication code is partially validated by the authorization code interpreter in accordance with the user information, system information and expiration information prior to the authorization code interpreter providing the user information and the application password to the access system.
  • the user information comprises at least one of a user identification, a system identification, a current date, a starting date, a starting time, and a valid duration period.
  • the authorization code interpreter determines that the authorization code is not valid, the user information and the application password is not provided to the access system, and if the authorization code interpreter determines that the authorization code is valid, the user information and the application password is provided to the access system.
  • the user is prompted to re-enter the authorization code or enter a new application password if the authorization code is not valid.
  • the authorization code interpreter comprises the access system and performs the secondary access authentication by comparing the user identification and the application password to a list of valid user identifications and application passwords.
  • the authentication code is encrypted by the authentication code generator.
  • the authentication code may be encrypted by public key encryption methods, bit shuffling, byte or nibble swapping or other methods.
  • the authorization code interpreter decrypts the authentication code.
  • the system provides the user information and the application password to a remote computer system.
  • a method of facilitating secondary access in a secondary access authentication system in which the secondary access authentication system provides user information and an application password to an access system which grants a user access to an application.
  • the method of secondary access authentication assumes that the user has been previously authenticated by a primary-level access authentication system.
  • the method of facilitating secondary access comprises generating an authorization code, the authentication code containing the user information and an application password; reading the authentication code; interpreting the authorization code; validating the authorization code in accordance with the user information; and providing the user information and the application password to the access system.
  • the user information comprises at least one of a user identification, a system identification, a current date, a starting date, a starting time, and a valid duration period.
  • the step of validating further comprises denying access to the application by not providing the user information and the application password to the access system if the authorization code is not valid.
  • the step of validating further comprises prompting the user re-enter the authorization code or enter a new application password if the authorization code is not valid.
  • the method further comprises comparing the user identification and the application password to a list of valid user identifications and application passwords to grant the user access to the application.
  • the step of generating further comprises encrypting the authorization code.
  • the step of interpreting the authentication code further comprises decrypting the authorization code.
  • Fig. 1 illustrates an exemplary system architecture in which the present invention may be implemented
  • FIG. 2 illustrates, in block diagram form, an exemplary system architecture in which the present invention may be implemented
  • Fig. 3 is an exemplary flow chart of the processes and operations of the Authentication Code Generator of the present invention
  • Fig. 4 is an exemplary flow chart of the processes and operations of the Authentication
  • the present invention provides an apparatus and method of secondary access authentication which is secure while providing users with the ability to publicly disclose an authentication code (AC) which is used to authenticate the user and gain access to an application.
  • AC authentication code
  • embedded within the AC may be restrictions as to specific host systems, dates and times of access, expiration information, and a key to ensure that changes are made at specified intervals (e.g., by prompting the user for a new application password). Further information may be embedded into the AC as such information is deemed necessary.
  • a repository of application level password information is not necessary to track the expiration date and time of an application level password and/or application access (i.e., to perform aging).
  • the AC may be used in conjunction with operating-system level authenticated user identification/password applications (i.e., those applications not requiring secondary access to run) without exposing the AC information.
  • a local computer installation 1 may include a network server 10 and one or more personal computers (PCs) or workstations 20 that are connected as clients to the server via a network infrastructure 35.
  • PCs personal computers
  • workstations 20 that are connected as clients to the server via a network infrastructure 35.
  • the network server 10 may comprise, for example, a UNIX-based or Windows NT-based computer platform having a single microprocessor or multiple processors (e.g., Intel Pentium Pro processor or Digital Equipment Company Alpha P SC processor), long-term storage (e.g., a RAID disk array having 10 Gb of storage), random access memory (FLAM) (e.g., 128 Mb RAM), communication peripherals (e.g., network interface card, modem, and/or terminal adapter), and application programs (e.g., spreadsheet, wordprocessor and/or database related software applications) which may be distributed to clients residing on the network.
  • processors e.g., Intel Pentium Pro processor or Digital Equipment Company Alpha P SC processor
  • long-term storage e.g., a RAID disk array having 10 Gb of storage
  • FLAM random access memory
  • communication peripherals e.g., network interface card, modem, and/or terminal adapter
  • application programs e.g., spreadsheet, wordprocessor and/or database
  • the client PCs 20 may comprise Windows95-based personal computers having an Intel Pentium processor, long-term storage (e.g, a IDE or SCSI hard disk having 2 Gb of storage), random access memory (RAM) (e.g., 32 Mb RAM), communication peripherals (e.g., network interface card, modem, and/or terminal adapter), and application programs (e.g., spreadsheet, wordprocessor and/or database related software applications).
  • the workstations 20 may comprise UNIX-based IBM RS/6000 or SUN SPARCSTATION workstations.
  • the workstations 20 may have local hard-disks or may be configured as diskless clients to enhance network security.
  • the network infrastructure 35 may comprise an Ethernet Local Area Network (LAN), a Transmission Control Protocol/Internet Protocol (TCP/IP) network, or Token Ring network. Also, one or more printers 15 (e.g., laser printers or plotters) may be connected to the network infrastructure 35 to provide for hard copy output.
  • LAN Local Area Network
  • TCP/IP Transmission Control Protocol/Internet Protocol
  • printers 15 e.g., laser printers or plotters
  • One or more remote systems may be connected to the network infrastructure 35 via a network gateway (not shown) and communications links 40.
  • the remote systems may comprise a remote network server 25 (e.g., a network server similar to network server 10) or remote mainframe system 30 (e.g., an IBM AS/400) that are connected to the network infrastructure 35 by communications links 40.
  • the communication links 40 to the remote systems are shown as direct connections, the communications links 40 may comprise a wireless network, satellite links, a Wide Area Network (WAN), dedicated lines, and a TCP/IP network.
  • Users may access the remote server 25 or remote mainframe 30 using various protocols and client applications such as File Transfer Protocol (FTP), Telnet or UNIX rlogin.
  • FTP File Transfer Protocol
  • Telnet Telnet
  • UNIX rlogin UNIX rlogin
  • Users may be authorized for primary access to the network infrastructure 35 by entering a user identification (user_id) and password at the one of the PCs or workstations 20.
  • the user d/password combination may be sent via the network infrastructure 35 to the host operating system residing at, for example, the network server 10 where it is compared to an access list, password file or database table, stored on, for example, the network server 10. If a valid user_id/password combination is entered, the user is granted access privileges by the host operating system in accordance with the user's predetermined user profile, which may also be stored on the network server 10.
  • the user may be afforded a predetermined number of retries to enter a valid user id/password combination, after which the PC or workstation 20 may be locked out from accessing the computer installation 1 via the network infrastructure 35.
  • the user may be presented with a graphical user interface (e.g., X-window interface) or a command prompt from which the user may launch and execute applications, perform file maintenance operations, interact with the remote systems, and communicate with other users (e.g., via E-mail).
  • a graphical user interface e.g., X-window interface
  • command prompt from which the user may launch and execute applications, perform file maintenance operations, interact with the remote systems, and communicate with other users (e.g., via E-mail).
  • secondary access authentication techniques in accordance with the present invention may be utilized to authenticate users who are accessing particular applications.
  • the present invention is directed to a secondary access authentication mechanism by which the user's identity may be authenticated by the application or remote system by passing an authentication code (AC) to the application or system performing the secondary access authentication.
  • An exemplary implementation of the present invention is illustrated in Fig. 2.
  • the present invention may comprise a customized secondary access authentication system 45.
  • the customized secondary access authentication system 45 may comprise an Authentication Code (AC) Generator 50 and an Authentication Code (AC) Interpreter 60.
  • a user who desires access to an application or system requiring secondary access authentication first generates an authentication code (AC) using the AC Generator 50.
  • the AC may contain information used by the application or system to authenticate a user's identity. Additional information may be contained within the AC as deemed necessary. Further, the AC may be encrypted to enhance security.
  • the generated AC may be passed (via a file or user entry) as a character string to the AC Interpreter 60 in order to gain access to applications requiring secondary access authentication.
  • the AC Interpreter 60 may verify the information contained with the AC and provide, for example, a user identification and application password to an access system 70 via an application programming interface (API) call.
  • API application programming interface
  • the access system 70 may be part of the application or system requiring secondary access authentication, or a stand-alone program, and determine if the user is authorized for access to the application or system.
  • the inputs to the AC Generator 50 may include the user's user identification (user_id) and application password, a system identification (system_id), and a current date (current_date).
  • the application password may be entered by the user, whereas the user_id, current_date and system_id may be obtained using the appropriate operating system calls.
  • the output of the AC Generator 50 is the authentication code (AC), which may be output as, for example, a character string in a file or to a display of the PC/workstation 20.
  • the AC may be encrypted in accordance with the security concerns of the computer installation 1.
  • the inputs to the AC Interpreter 60 may include the AC, which is input as a character string (e.g., by user entry or within a file) . If the AC is encrypted, the AC Interpreter 60 decrypts the AC using the complementary decryption technique to the encryption technique used by the AC Generator 50. Also input to the AC Interpreter 60 may be the user id, system id, and current_date, which are obtained operating system calls. These values may be compared to the user_id, system_id, and current_date contained within the AC to verify the user's identity. After the user's identity is verified, the user_id and application password may be passed to the access system 70 to determine if the user is authorized for access to the application software.
  • the AC Generator 50 and AC Interpreter 60 may be written in a high-level language (e.g., C or C++) or may be implemented by linking applets (e.g., Java), and may reside on the network server 10, PCs/workstations 20, remote server 25, or remote mainframe 30 as stand-alone programs or, modules incorporated and linked to other applications. Further, the AC Generator 50, AC Interpreter 60 and Access system 70 do not have to reside on the same network server 10, PC/workstation 20, remote server 25, or remote mainframe 30. In such an implementation, information (e.g., the AC, user_id and application password) may be passed between the AC Generator 50, AC Interpreter 60 and Access system 70 via API calls, scripts, and user prompted data entry.
  • information e.g., the AC, user_id and application password
  • Each PC or workstation 20 may be provided with an AC Generator 50 such that users may access the AC Generator 50 and generate ACs to be used to access to software applications.
  • access to the AC Generator 50 (as well as the source code of the AC Generator 50 and AC Interpreter 60) may be limited to, for example, a system administrator, who would generate ACs for users.
  • a user desiring secondary access authentication for a particular application or system executes the AC Generator program at step 100.
  • the user may launch the AC Generator at the PC or workstation 20 via a GUI interface or by entering a command at an operating system command prompt.
  • the AC Generator may be stored and executed on, e.g., the network server 10.
  • the generated AC may be limited to the system, personal computer, or workstation on which it is generated, or may be passed to and used on other remote systems.
  • the source code for the AC Generator may be restricted, such that only the executable code is accessible to users.
  • the AC Generator identifies the user's user_id by making the appropriate operating system calls (e.g., UNIX whoami). Also at step 102, the AC Generator may use system calls to identify the system on which the user is logged-on (system id), and the current date (current date) if such information is desired to be incorporated into the AC. Further, the date may be an integer value calculated by the number of days, etc., from a base date (e.g., 1/1/97).
  • the AC Generator prompts the user to enter his or her application password (password).
  • the user's application password that is entered at step 106 may be any allowable system password, and may be different than the user's primary-level password for added security.
  • the AC Generator creates a string containing the user id, password, system id and current_date by concatenating the information into a single character string.
  • the AC Generator encrypts the character string containing the user id, password, system_id and current_date into an encrypted string of characters using, for example, public key encryption methods, bit shuffling, byte or nibble (i.e., half-byte) swapping, etc.
  • the encryption technique that is utilized at step 110 may be determined in accordance with a level of security required for the particular computer system and infrastructure. Further, additional or less information than that noted-above may be included in the character string prior to encryption. For example, a time period that the AC will be valid may be included, and an AC start date or time may also be included. As noted, the current_date field may also be converted into an offset from a base date if desired. The length of the resulting AC may vary in accordance with the amount of site-specific information that was included into the AC, or the encryption technique utilized.
  • the AC Generator provides the encrypted AC string as output for subsequent use such that the user may gain access to applications and remote systems running the complementary AC Interpreter of the present invention (to be described below).
  • the AC may be output as information contained in a file (e.g., an ASCII text file), sent to the printer 15, or output directly to the screen of the PC or workstation 20.
  • a file e.g., an ASCII text file
  • a user may generate an AC as follows. Assume, for example, that a user "LTJ” on system “XYZ” having an application password of "QWERTY” desiring an AC that is valid until January 1, 1999 (which is calculated as an integer offset from an initial date) executes the AG Generator to create a starting string such as "LTJXYZQWERTY687". The character string may then be converted, for example, to hexadecimal format and nibble swapping may be performed in a set sequence to encrypt the starting string. Other encryption techniques may be used so long as the AC Interpreter utilizes a complementary decryption technique.
  • the encrypted character string, which represents the generated AC may be, for example, "S!d5SH%LAAnET*&E#!.
  • the generated AC may be provided to the user so that it may be written down, embedded into scripts, or entered directly by the user as it would only be valid and usable by the particular user on the particular system for a predetermined period of time, as described below.
  • an application to which the user desires access may utilize the AC Interpreter to read the AC and grant secondary access.
  • the AC Interpreter of the present invention may be used in conjunction with existing software applications requiring secondary access authentication.
  • a software application requiring secondary access authentication at the PC or workstation 20 (e.g., the GUI interface or a command entered at the command prompt)
  • the AC Interpreter may be automatically executed as a linked module. The user may be prompted to enter the AC, the AC may be read from a file, or the AC may be passed to the AC Interpreter via a script or environmental variable.
  • the AC Interpreter may be launched as a stand-alone program, and utilizing information contained within a validated AC, the AC Interpreter may pass the user's user_id and application password and launch the software application requiring secondary access authentication.
  • the AC Interpreter reads the AC (e.g., "S!d5SH%LAAnET*&E#!) and at step 202, solicits the current_date, system_id and user_id from the operating system using the appropriate system calls.
  • the AC may be passed by the user to the AC Interpreter as a string embedded in a script, or entered directly by the user when accessing the application or remote system.
  • the AC, the current date, system_id and user_id values are temporarily stored by the AC Interpreter in a memory (not shown) of, for example, the network server 10.
  • the AC is decrypted in accordance with the encryption scheme utilized by the AC Generator to recreate the above-noted character string (e.g., "LTJXYZQWERTY687").
  • the decrypted AC is then broken into its requisite component fields (e.g., user_id, password, system_id, and current_date) and the user_id, system_id and current_date are compared at step 208 to the temporarily stored values in memory solicited from the operating system at step 202.
  • the AC Inte ⁇ reter may include logic to specify how to break the AC into each of the component fields by predefining the field lengths of the user id, password, system_id, and current_date.
  • the user_id has a field length of three characters
  • the password has field length of three characters
  • the systern d has a field length of six characters
  • the current_date is an integer value.
  • Other field lengths may be used in accordance with system requirements and preferences.
  • the AC Inte ⁇ reter determines if the AC is valid in accordance with the comparison performed at step 208.
  • the AC may be determined to be invalid if any of the user id, system id, and current date values do not match the values in memory. If the AC is invalid (e.g., expired, not for the present system, does not contain the user identification, or fails other pre- validation tests), the user may be prompted to obtain or update the application password and/or to reenter the AC, at step 214, where after the AC Inte ⁇ reter terminates. If the AC is valid at step 210, then at step 212, the application password (and any other necessary information) is provided to the validation logic to perform the secondary access authentication in accordance with the application's specific requirements. For example, the validation logic may compare the user_id and application password with an application specific password repository to validate that the user is authorized to access the application.
  • application specific information may be included in the character string to provide additional security and authentication information.
  • the application specific information may be contained in a repository (located on, for example, server 10) and may include the user's application user_id and password.
  • the AC Inte ⁇ reter may determine if the AC is valid or has expired, if the user should be prompted to change his or her application password, or if the AC is not yet valid.
  • the AC Inte ⁇ reter of the present invention may be used in conjunction with existing software applications, including commercially available database applications such as Oracle Database Management System, available from Oracle Co ⁇ ., of Redwood Shores, CA.
  • the AC Inte ⁇ reter may be linked to existing software applications as a module that is executed when the user accesses the application.
  • the module could validate the system, user and date information and pass the decrypted user_id and password in an application-recognized format to the application software for authentication.
  • the AC Inte ⁇ reter may authenticate the user and provide the application with an indication that the user is authorized to access the application code.
  • the apparatus and method of the present invention offers adequate levels of security for a variety of pu ⁇ oses, and by utilizing the appropriate restrictions to the AC Generator and AC Inte ⁇ reter source code, a very secure and robust AC may be provided. Also, because the user information solicited by the application to perform secondary access authentication is dependent on a successful operating system-level authentication, the secondary level authentication via an AC remains secure, even though the AC may be made public.
  • the AC may include additional data and information that the site deems necessary.
  • the AC may include client specific information such that the user may access the application from designated client PCs and workstations within the computer infrastructure.
  • the AC Generator and AC Inte ⁇ reter may be provided with a mechanism to periodically (e.g., hourly or daily) change the encryption technique to further enhance security.
  • the AC Inte ⁇ reter may operate as a stand-alone module or be inco ⁇ orated into the application or system which requires secondary access authentication.
  • the AC Generator and AC Inte ⁇ reter may be utilized in an environment where the PC or workstation is connected to a network, but where the application requiring secondary access executes locally on the PC or workstation.
  • the AC Generator and AC Inte ⁇ reter may be utilized in a stand-alone (i.e., non-networked) PC or workstation, which performs operating-system level authentication and is loaded with applications which perform secondary access authentication.
  • a stand-alone i.e., non-networked
  • workstation which performs operating-system level authentication and is loaded with applications which perform secondary access authentication.

Abstract

L'invention concerne un appareil et un procédé permettant l'authentification d'accès secondaires (45) d'utilisateurs qui ont été en premier lieu authentifiés par un procédé d'authentification de niveau de système d'exploitation. Un code d'authentification est utilisé, ce code étant sûr et permettant aux utilisateurs de le divulguer publiquement. Dans ledit code d'authentification, peuvent être incorporées des restrictions concernant des systèmes hôtes spécifiques, des dates et heures d'accès, des informations d'expiration, ainsi qu'une clé garantissant que des changements sont opérés à des intervalles spécifiés. D'autres informations peuvent être incorporées dans ce code d'authentification si elles sont jugées nécessaires. Le système permet également l'expiration automatique d'un mot de passe de niveau d'application et/ou d'un accès d'application conformément à des paramètres prédéterminés. Le code d'authentification peut être utilisé concurremment avec une identification d'utilisateur authentifiée pour un niveau de système d'exploitation, ceci pour valider les informations du code d'authentification sans que ces informations soient exposées à d'autres personnes.
PCT/US1998/009206 1997-05-07 1998-05-07 Appareil et procede d'authentification personnalisee d'acces secondaires WO1998051029A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US85240597A 1997-05-07 1997-05-07
US08/852,405 1997-05-07

Publications (1)

Publication Number Publication Date
WO1998051029A1 true WO1998051029A1 (fr) 1998-11-12

Family

ID=25313227

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US1998/009206 WO1998051029A1 (fr) 1997-05-07 1998-05-07 Appareil et procede d'authentification personnalisee d'acces secondaires

Country Status (1)

Country Link
WO (1) WO1998051029A1 (fr)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001090859A1 (fr) * 2000-05-19 2001-11-29 Netscape Communications Corporation Systeme adaptatif d'authentification a plusieurs niveaux
WO2001029741A3 (fr) * 1999-10-18 2002-01-17 Stamps Com Ouverture de session specifique de machine pour systeme en ligne d'articles portant une valeur
WO2002079953A1 (fr) * 2001-03-30 2002-10-10 Nokia Corporation Procede d'ouverture de session
US6671813B2 (en) 1995-06-07 2003-12-30 Stamps.Com, Inc. Secure on-line PC postage metering system
US7174454B2 (en) 2002-11-19 2007-02-06 America Online, Inc. System and method for establishing historical usage-based hardware trust
US7237119B2 (en) 2003-06-30 2007-06-26 At&T Intellectual Property, Inc. Method, system and computer program for managing user authorization levels
US7251632B1 (en) 1999-10-18 2007-07-31 Stamps. Com Machine dependent login for on-line value-bearing item system
US20140037089A1 (en) * 2012-08-02 2014-02-06 Fujitsu Limited Encryption processing device and method
EP2424215A3 (fr) * 2010-08-24 2014-04-02 Samsung Electronics Co., Ltd. Appareil de formation d'images pour exécuter l'authentification d'utilisateurs et procédé pour exécuter l'authentification d'utilisateurs dans l'appareil de formation d'images

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5706349A (en) * 1995-03-06 1998-01-06 International Business Machines Corporation Authenticating remote users in a distributed environment
US5706347A (en) * 1995-11-03 1998-01-06 International Business Machines Corporation Method and system for authenticating a computer network node
US5761309A (en) * 1994-08-30 1998-06-02 Kokusai Denshin Denwa Co., Ltd. Authentication system

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5761309A (en) * 1994-08-30 1998-06-02 Kokusai Denshin Denwa Co., Ltd. Authentication system
US5706349A (en) * 1995-03-06 1998-01-06 International Business Machines Corporation Authenticating remote users in a distributed environment
US5706347A (en) * 1995-11-03 1998-01-06 International Business Machines Corporation Method and system for authenticating a computer network node

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6671813B2 (en) 1995-06-07 2003-12-30 Stamps.Com, Inc. Secure on-line PC postage metering system
WO2001029741A3 (fr) * 1999-10-18 2002-01-17 Stamps Com Ouverture de session specifique de machine pour systeme en ligne d'articles portant une valeur
US7251632B1 (en) 1999-10-18 2007-07-31 Stamps. Com Machine dependent login for on-line value-bearing item system
US8612747B2 (en) 2000-05-19 2013-12-17 Microsoft Corporation System and method for establishing historical usage-based hardware trust
US7849307B2 (en) 2000-05-19 2010-12-07 Aol Inc. System and method for establishing historical usage-based hardware trust
EP1657663A3 (fr) * 2000-05-19 2006-06-07 Netscape Communications Corporation Système d'authentification adaptif multiniveau
US9397996B2 (en) 2000-05-19 2016-07-19 Microsoft Technology Licensing, Llc Establishing historical usage-based hardware trust
US7216361B1 (en) 2000-05-19 2007-05-08 Aol Llc, A Delaware Limited Liability Company Adaptive multi-tier authentication system
US8954730B2 (en) 2000-05-19 2015-02-10 Microsoft Technology Licensing, Llc Establishing historical usage-based hardware trust
WO2001090859A1 (fr) * 2000-05-19 2001-11-29 Netscape Communications Corporation Systeme adaptatif d'authentification a plusieurs niveaux
EP1657663A2 (fr) * 2000-05-19 2006-05-17 Netscape Communications Corporation Système d'authentification adaptif multiniveau
US7908644B2 (en) 2000-05-19 2011-03-15 Aol Inc. Adaptive multi-tier authentication system
WO2002079953A1 (fr) * 2001-03-30 2002-10-10 Nokia Corporation Procede d'ouverture de session
US7174454B2 (en) 2002-11-19 2007-02-06 America Online, Inc. System and method for establishing historical usage-based hardware trust
US7237119B2 (en) 2003-06-30 2007-06-26 At&T Intellectual Property, Inc. Method, system and computer program for managing user authorization levels
EP2424215A3 (fr) * 2010-08-24 2014-04-02 Samsung Electronics Co., Ltd. Appareil de formation d'images pour exécuter l'authentification d'utilisateurs et procédé pour exécuter l'authentification d'utilisateurs dans l'appareil de formation d'images
US8997212B2 (en) 2010-08-24 2015-03-31 Samsung Electronics Co., Ltd. Image forming apparatus to execute user authentication and method of executing user authentication in image forming apparatus
US20140037089A1 (en) * 2012-08-02 2014-02-06 Fujitsu Limited Encryption processing device and method

Similar Documents

Publication Publication Date Title
US10769288B2 (en) Methods and systems for providing access control to secured data
US5604490A (en) Method and system for providing a user access to multiple secured subsystems
US6434700B1 (en) Authentication and authorization mechanisms for Fortezza passwords
EP1320011B1 (fr) Procédé et architecture de sécurisation répandue de produits numériques
US6754829B1 (en) Certificate-based authentication system for heterogeneous environments
EP1320012B1 (fr) Système et méthode pour fournir un controle d'accès distribué à des elements sécurisés
US8397077B2 (en) Client side authentication redirection
AU2003262473B2 (en) Methods and systems for authentication of a user for sub-locations of a network location
EP1918843B1 (fr) Procédé et appareil pour la partition cryptée à gestion centrale
US20030177376A1 (en) Framework for maintaining information security in computer networks
US7150038B1 (en) Facilitating single sign-on by using authenticated code to access a password store
US20110307937A1 (en) Security system for generating keys from access rules in a decentralized manner and methods therefor
JPH0652110A (ja) 分配されたコンピュータシステム用単一時間ログオン手段および方法
WO1998051029A1 (fr) Appareil et procede d'authentification personnalisee d'acces secondaires
US8171530B2 (en) Computer access security
US7272722B2 (en) Method for industrially changing the passwords of AIX/UNIX users
Cisco Understanding CiscoWorks2000 Security
Cisco Understanding CiscoWorks2000 Security
Cisco Understanding CiscoWorks2000 Security
Cisco The AA Database
Cisco The AA Database
Cisco The AA Database
Cisco Configuring Security for the AccessPath-TS3 System
Cisco Configuring Security for the Cisco AccessPath System
Snow et al. Simple authentication

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): JP KR MX

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: JP

Ref document number: 1998548425

Format of ref document f/p: F

122 Ep: pct application non-entry in european phase