WO2008098710A1 - Method for managing passwords by means of a master password - Google Patents

Method for managing passwords by means of a master password

Info

Publication number
WO2008098710A1
Authority
WO
WIPO (PCT)
Prior art keywords
password
user
user terminal
server system
service
Application number
PCT/EP2008/000981
Other languages
English (en)
Inventor
Ole NØRGAARD
Original Assignee
Zequr Technologies A/S
Application filed by Zequr Technologies A/S
Publication of WO2008098710A1

Classifications

    • G: PHYSICS > G06: COMPUTING; CALCULATING OR COUNTING > G06F: ELECTRIC DIGITAL DATA PROCESSING > G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31: User authentication
    • G: PHYSICS > G06: COMPUTING; CALCULATING OR COUNTING > G06F: ELECTRIC DIGITAL DATA PROCESSING > G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31: User authentication > G06F21/41: User authentication where a single sign-on provides access to a plurality of computers
    • G: PHYSICS > G06: COMPUTING; CALCULATING OR COUNTING > G06F: ELECTRIC DIGITAL DATA PROCESSING > G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/45: Structures or tools for the administration of authentication > G06F21/46: Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • G: PHYSICS > G06: COMPUTING; CALCULATING OR COUNTING > G06F: ELECTRIC DIGITAL DATA PROCESSING > G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/21: Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/2117: User registration

Definitions

  • the present invention relates generally to the management of passwords and more particularly to methods of supporting the registration and authentication of a user operating a user terminal to a password server system.
  • the present invention also relates to a method and a computer framework for managing passwords and/or user IDs of users desiring access to applications or service sites requiring passwords and/or user IDs.
  • the password is generated by the supplier of the service or the application program itself.
  • the user may or may not be able to modify that password to be something easily remembered. This can result in a single user having many different user names and passwords, each of which is associated with a single website or application program.
  • This approach can cause a security problem in that the piece of paper may be found by an unauthorized user, resulting in unauthorized access to the user's programs and online accounts.
  • the piece of paper can be lost, causing unnecessary difficulty for the user in getting new passwords assigned to his or her accounts. If a user stores his or her passwords in a computer file on a PDA or PC, he may password-protect that file to provide some security, but may find this file is not as easily available as the paper copy.
  • a method of supporting registration of a user operating said user terminal to said password server system comprising: specifying a server user ID being unique to the password server system at the user terminal; specifying a master password at the user terminal; generating a first message at the user terminal, said first message being at least partly based on the specified master password; forwarding the first message and the server user ID to the password server system; and storing at the password server system a user entry comprising the first message and the server user ID.
  • the first message is a first cryptographic message formed by use of a first cryptographic function.
  • the first cryptographic function may preferably be downloaded from the password server system to the user terminal.
  • the method further comprises generating at the password server system a unique lock-up code corresponding to the server user ID, and forwarding the lock-up code to the user terminal.
  • the uniqueness of the server user ID being specified at the user terminal is validated at the password server system. It is also preferred that the specification of the master password is followed by a re-specification of the master password at the user terminal.
  • the method of the first aspect of the invention may further comprise: downloading a password service application from the password server system to the user terminal; displaying a password service user interface corresponding to the password service user application at the user terminal; and displaying a password pattern indicator at the password service user interface, wherein said specification of the master password is performed using the password pattern indicator. It is preferred that the re-specification of the master password is also performed using the password pattern indicator. It is also preferred that the first cryptographic function is downloaded from the password server system to the user terminal together with or as part of the password service application.
  • a method of supporting registration of a user operating said user terminal to said password server system comprising: a) downloading a password service application from the password server system to the user terminal and opening a corresponding password service user interface at the user terminal, b) specifying a server user ID at the user terminal at the password service user interface, c) validating the uniqueness of the server user ID at the password server system, and if a positive result of the validation, d) displaying a password pattern indicator at the password service user interface, e) specifying a master password using the password pattern indicator, f) re-specifying the master password using the password pattern indicator, g) generating at the user terminal a first cryptographic message based at least partly on the specified master password, h) forwarding the first cryptographic message and the server user ID to the password server system and storing the first cryptographic message together with the server user ID at the password server system,
  • the first message is further based on the server user ID.
  • the first message is generated by use of a cryptographic hash function.
  • the methods of the first and second aspects of the invention including the display of a password user interface may further comprise a display of an indication of the strength of the specified master password pattern at the password service user interface.
  • the password service application may comprise information of the internet address (URL) of an address server of the password server system, said address server providing the address of a key file server of the password server system to which key file server the first message and the server user ID is forwarded.
  • URL: internet address
  • the forwarding of the first message and the server user ID from the user terminal to the password server system is performed using a connection based on SSL/TLS.
  • the displayed password pattern indicator may comprise a color card comprising a number of colored fields, and the master password is specified at or typed into part of the colored fields.
  • the color card may be a matrix of rows and columns of colored fields, and a part of or all of the colored fields of the color card may comprise a letter or a numeral.
  • a method for authenticating a user operating the user terminal to said password server system comprising: storing one or more user entries corresponding to one or more users registered at said password server system, each said user entry comprising a server user ID corresponding to the registered user and being unique to the password server system, and each said user entry further comprising a first cryptographic message formed by use of a first cryptographic function and based on said server user ID and a master password of the registered user; establishing a data communication channel between the password server system and the user terminal being operated by the user; specifying the user's server user ID at the user terminal and forwarding said server user ID to the password server system; forwarding a login random value or random challenge from the password server system to the user terminal; specifying the user's master password at the user terminal; generating a second cryptographic message at the user terminal, said second cryptographic message being formed by use of a second cryptographic function and based on the
  • the server user ID being specified at the user terminal is validated at the password server system before the login random value or challenge is forwarded to the user terminal.
  • the method of the third aspect of the invention further comprises downloading a password service application from the password server system to the user terminal and displaying a corresponding password service user interface at the user terminal, said specification of the server user ID being performed by use of the displayed password service user interface.
  • the method may further comprise displaying a password pattern indicator at the password service user interface, where the specification of the master password may be performed by use of the password pattern indicator.
  • the first and second cryptographic functions are downloaded from the password server system to the user terminal.
  • the first and second cryptographic functions may be downloaded from the password server system to the user terminal together with or as part of the password service application.
  • the registration of a user operating a user terminal to said password server system is performed by a registration method comprising: specifying the server user ID being unique to the password server system at the user terminal, specifying the master password of the user to be registered at the user terminal, generating the first cryptographic message at the user terminal, forwarding the first cryptographic message and the server user ID to the password server system, and storing at the password server system a user entry comprising the first message and the server user ID.
  • the first cryptographic function used for generating the first cryptographic message at the user terminal may be downloaded from the password server system to the user terminal.
  • the registration method may further comprise: generating at the password server system a unique lock-up code corresponding to the server user ID, and forwarding the lock-up code to the user terminal.
  • the uniqueness of the server user ID being specified at the user terminal during said registration method may preferably be validated at the password server system.
  • the specification of the master password during said registration method may be followed by a re-specification of the master password at the user terminal.
  • the registration method further comprises: downloading a password service application from the password server system to the user terminal, displaying a password service user interface corresponding to the password service user application at the user terminal, and displaying a password pattern indicator at the password service user interface, wherein said specification of the master password is performed using the password pattern indicator.
  • the first cryptographic function may be downloaded from the password server system to the user terminal together with or as part of the password service application. It is within an embodiment of the methods of the third aspect of the invention that the first and second cryptographic functions are cryptographic hash functions. Here, it is preferred that the first and second cryptographic functions are the same cryptographic hash function.
  • the password service application may comprise information of the internet address (URL) of an address server of the password server system, said address server providing the address of a key file server of the password server system, which key file server is in communicative connection with the user terminal during said method of authentication.
  • URL: internet address
  • the forwarding of cryptographic messages and the server user ID from the user terminal to the password server system and the forwarding of the random value or challenge from the password server system to the user terminal is performed using a connection based on SSL/TLS.
  • the displayed password pattern indicator comprises a color card comprising a number of colored fields, and that the master password is specified at or typed into part of the colored fields.
  • the color card may be a matrix of rows and columns of colored fields, and part of or all of the colored fields of the color card may comprise a letter or a numeral.
  • a method of managing service site passwords and/or service site user IDs of users desiring access to one or more applications or service sites that require passwords and/or user IDs comprising: storing at said password server system, for a number of users being registered at the password server system, one or more key file entries corresponding to one or more applications or service sites, each said key file entry comprising data representing the service site ID of the application or service site and an encrypted key file message based at least partly on the service site password and/or service site user ID required to access the respective application or service site, said encrypted key file message being encrypted by use of a first key based at least partly on a master password corresponding to the user.
  • a key file entry is generated by a key file generation method comprising: logging the user in to the password server system; specifying the user's master password at the user terminal; receiving, at the user terminal, input specifying the service site ID of the application or service site for which the key file entry is to be generated; specifying or generating, at the user terminal, the service site password and/or service site user ID required to get access to the application or service site for which the key file entry is to be generated; generating, at the user terminal, said first key based at least partly on the specified master password; encrypting, at the user terminal, the required service site password and/or service site user ID by use of the first key to thereby obtain the encrypted key file message; forwarding data representing the application or service site ID and the encrypted key file message to the password server system; and storing at the password server system a key file entry comprising data representing the application or service site ID and the encrypted key file message.
  • a key file random value is generated and stored as part of the key file entry at the password server system, and that the first key used for encrypting the key file message is further based on said key file random value.
  • said key file generation method further comprises: generating a key file random value at the user terminal, wherein said first key being generated at the user terminal is generated by use of a cryptographic function based on the user's master password and the key file random value, and the generated key file random value is forwarded to the password server system and stored as part of the key file entry.
  • said key file generation method comprises: downloading a password service application from the password server system to the user terminal, displaying a password service user interface corresponding to the password service user application at the user terminal, and displaying a password pattern indicator at the password service user interface, wherein said specification of the master password is performed using the password pattern indicator.
  • the functions for generating the first key and the encrypted key file message may be downloaded from the password server system to the user terminal together with or as part of the password service application.
  • the function(s) for generating the key file random value is/are downloaded from the password server system to the user terminal together with or as part of the password service application.
  • when the user has been logged out from the password server system, said method further includes a key file message re-generation method comprising: logging the user in to the password server system; downloading a key file entry, which corresponds to an application or service site selected by the user, from the password server system to the user terminal; specifying the user's master password at the user terminal; re-generating the first key corresponding to the downloaded key file entry at the user terminal; decrypting the encrypted key file message of the downloaded key file entry at the user terminal by use of said re-generated first key to thereby obtain the service site password and/or service site user ID required to access the selected application or service site; and using the obtained service site password and/or service site user ID to get access to the selected application or service site from the user terminal.
  • the key file random value being stored as part of the downloaded key file entry is retrieved at the user terminal, and that the first key corresponding to the downloaded key file entry is re-generated based on the specified master password and the retrieved
  • the key file message re-generation method further comprises: downloading a password service application from the password server system to the user terminal, displaying a password service user interface corresponding to the password service user application at the user terminal, and displaying a password pattern indicator at the password service user interface, wherein said specification of the master password is performed using the password pattern indicator.
  • the functions for generating the first key and the encrypted key file message are downloaded from the password server system to the user terminal together with or as part of the password service application. It is also preferred that the first key is generated by use of a cryptographic hash function.
  • the password service application may comprise information of the internet address (URL) of an address server of the password server system, said address server providing the address of a key file server of the password server system, which key file server is in communicative connection with the user terminal during said generation and storage of a key file entry.
  • URL: internet address
  • the communication between the user terminal and the password server system is performed using a connection based on SSL/TLS.
  • the displayed password pattern indicator may comprise a color card comprising a number of colored fields, and the master password may be specified at or typed in the colored fields.
  • the color card may be a matrix of rows and columns of colored fields, and part of or all of the colored fields of the color card may comprise a letter or a numeral.
  • the login of the user to the password server system comprises a user authentication, which includes a specification of the user's master password at the user terminal.
  • the user authentication comprises a method selected from any of the methods of the third aspect of the invention.
  • a computer program product in a computer readable media for use in a network comprising one or more user terminals and a password server system
  • said computer program product being a password service application program for supporting registration of a user operating a user terminal to said password server system and comprising: means for displaying, at a user terminal having a display device and having said password service application program installed, a password service user interface with a password pattern indicator, means for generating a first cryptographic message by use of a first cryptographic function and based at least partly on a master password specified at or typed into the displayed password pattern indicator, and means for forwarding the first cryptographic message from the user terminal to the password server system.
  • the means for generating the first cryptographic message is further adapted for generating the first cryptographic message based at least partly on a server user ID for the password server system, which server user ID is specified at or typed into the displayed password service user interface, and on the master password specified at or typed into the displayed password pattern indicator.
  • the means for forwarding the first cryptographic message from the user terminal to the password server system is further adapted for forwarding the server user ID from the user terminal to the password server system.
  • the means for generating the first cryptographic message is adapted for generating the first cryptographic message by use of a cryptographic hash function. It is also preferred that the computer program product according to the fifth aspect of the invention further comprises means for displaying at the password service user interface an indication of the strength of the specified master password.
  • the computer program product may further comprise: means for generating a second cryptographic message by use of a second cryptographic function and based on a received login value or challenge and a generated cryptographic message formed by use of the first cryptographic function and based on the specified server user ID and master password, and means for forwarding the second cryptographic message from the user terminal to the password server system.
  • the login value or challenge may be a random value or challenge received from the password server system.
  • the password server system may be adapted for managing service site passwords and/or service site user IDs of users desiring access to one or more applications or service sites that require passwords and/or user IDs.
  • the computer program product further comprises: means for receiving input specifying the service site ID of an application or service site for which the user desires to get access, means for generating a first encryption/decryption key based at least partly on the master password specified at or typed into the displayed password pattern indicator, means for generating an encrypted key file message by use of the first encryption/decryption key and based on a service site password and/or service site user ID being specified for the application or service site for which the user desires to get access, and means for forwarding the application or service site ID and the encrypted key file message from the user terminal to the password server system, whereby a key file entry comprising the specified service site ID and the encrypted key file message can be stored at the password server system.
  • the service site password and/or service site user ID may be specified at the displayed password user interface.
  • the computer program product may also or further comprise means for generating, upon a user request, said service site password and/or service site user ID.
  • the computer program product may comprise means for generating a key file random value, with said means for generating the first encryption/decryption key being adapted to generate said first key by use of a cryptographic function, which may be a cryptographic hash function, and based on the specified master password and the key file random value.
  • the computer program may also further comprise means for forwarding the key file random value from the user terminal to the password server system to thereby form part of the key file entry.
  • the computer program product further comprises: means for downloading a key file entry, which corresponds to an application or service site specified by the user at the password service user interface, from the password server system to the user terminal, means for retrieving the key file random value and the service site ID from the downloaded key file entry at the user terminal, means for re-generating the first encryption/decryption key based on the retrieved key file random value and on the master password specified at the password service interface, and means for decrypting the encrypted key file message of the downloaded key file entry by use of the re-generated first encryption/decryption key to thereby obtain, at the password service user interface, the service site password and/or service site user ID required to access the specified application or service site.
  • the displayed password pattern indicator comprises a color card comprising a number of colored fields.
  • the color card may be a matrix of rows and columns of colored fields, and part of or all of the colored fields of the color card may comprise a letter or a numeral.
  • the computer program product further comprises means for establishing a secure connection between the user terminal and the password server system, said secure connection being based on SSL/TLS.
  • a computer framework for managing service site passwords and/or service site user IDs of users desiring access to one or more applications or service sites that require passwords and/or user IDs
  • said framework comprising: a password server system for storing one or more key file entries corresponding to one or more applications or service sites, and a user terminal with a first program executed thereon for generating a key file entry or data for a key file entry, said first program comprising means for receiving input specifying the service site ID of an application or service site for which the user desires to get access, means for generating a first encryption/decryption key based at least partly on a user's master password specified at the user terminal, means for generating an encrypted key file message by use of the first encryption/decryption key and based on a service site password and/or service site user ID being specified for the application or service site for which the user desires to get access, and means for forwarding key file entry data representing the service site ID and the encrypted key file message from the user
  • the first program of the computer framework further comprises means for generating a key file random value, and that said means for generating the first encryption/decryption key is adapted to generate said first key by use of a cryptographic function and based on the specified master password and the key file random value, with said means for forwarding key file entry data further being adapted for forwarding data representing the key file random value from the user terminal to the password server system to thereby form part of the key file entry.
  • the first encryption/decryption key is generated by use of a cryptographic hash function.
  • the first program of the computer framework further comprises: means for downloading a key file entry, which corresponds to an application or service site specified at the user terminal, from the password server system to the user terminal, means for retrieving the key file random value and the service site ID from the downloaded key file entry at the user terminal, means for re-generating the first encryption/decryption key based on the retrieved key file random value and on the user's master password specified at the user terminal, and means for decrypting the encrypted key file message of the downloaded key file entry by use of the re-generated first encryption/decryption key to thereby obtain, at the user terminal, the service site password and/or service site user ID required to access the specified application or service site.
  • the first program comprises means for displaying, at a display of the user terminal, a password service user interface with a password pattern indicator for specification or entering of the user's master password.
  • the displayed password pattern indicator may comprise a color card comprising a number of colored fields.
  • the color card may be a matrix of rows and columns of colored fields, and part of or all of the colored fields of the color card may comprise a letter or a numeral.
  • Zeqr is the presently used name for the overall solution and system of the present invention.
  • the Zeqr solution aims at making it easy for a user to handle a multitude of login information (user ID, password) that is required nowadays. It allows the user to use really strong passwords if he wishes, of a type that he normally would not be able to remember. Those passwords may be stored in encrypted form on an internet server, allowing the user to access the login information anywhere, anytime, as long as he has internet access.
  • when using the Zeqr solution it is possible to start from the current status quo (either weak passwords or identical passwords for many services) and to improve this to a level where the user only has to remember one single master password, also called a pattern. This pattern should therefore be chosen as strong as possible. In order to facilitate strong patterns, the Zeqr solution may give the user a number of mnemonic helps that make it easier for him to remember long and complex patterns.
  • a service site is the service that the user wants to log into. It could be a web site, but also an automatic teller machine, his mobile phone, or a computer program.
  • the Zeqr application is the program that runs on the user's computational device or terminal and that helps him with remembering passwords.
  • KFS: key file server
  • All communication between the user and the key file server may be protected by SSL/TLS.
  • In order to reduce the workload of the server, resumption of SSL/TLS sessions should be enabled.
  • the key file server should be a trustworthy entity that is run by a reliable party (such as a bank, the organization you work with, Zeqr, or some kind of official authorities). It is assumed that the key file server is protected in an appropriate way against all standard attacks that do not target peculiarities of the Zeqr protocol (i.e., it runs firewall and virus scanner, has been penetration tested etc.). It is also assumed that there is always a server available. This can be achieved e.g. by server replication.
  • the user may have to identify himself to the KFS. This may be done by use of a color card.
  • a color card is an NxM matrix of colored fields that is displayed on the user's screen.
  • the fields can also contain other mnemonic helps, such as characters or symbols. It may be a 6x6 matrix with the letters 'A'-'Z' and '0'-'9'.
  • the pattern is what the user may enter into the color card by clicking on a succession of fields (or pressing the equivalent buttons on the keyboard).
  • the pattern is used to authenticate the user to the Zeqr application, and is used as a master password.
  • a KFS user ID may be the name the user has given himself for use with the key file server.
  • the service site ID may be the mnemonic name used by the user for a login site. Examples for site IDs could be "Amazon", “Netbank” or "gmail". The site ID may be chosen by the user and does not have to match the name that the site would use for itself.
  • the service user ID may be the name that the user is known under at a given site. It could be something like "jesper.hansen", "jh@mymail.dk" or "klodshans". When chosen by the user, the user ID will typically be mnemonic and easy to guess.
  • the password may be what the user uses as input to the "password" field of a login site.
  • the password may be chosen by the user or by the Zeqr application.
  • the definition of a password may also cover PIN numbers.
  • KFE: key file entry
  • a key file is a collection of all key file entries for a given user.
  • we sometimes use the notion of a key which is denoted like this for traditional reasons and has nothing to do with the key file:
  • a key may be any internal secret used by the Zeqr application. The user may not be aware of the existence of such a key. Examples for keys could be values derived from the pattern and other inputs, or they could be internal serial numbers that are different for each copy of the application or for each password file (see below).
  • An encryption algorithm uses a key to transform an input string (plaintext) into an encrypted output string (ciphertext). For those who do not know the key, the ciphertext cannot be distinguished from a random string.
  • a cryptographic hash function is an algorithm that transforms an input string of arbitrary length into an output string of fixed length. For those who do not know the input string, the output cannot be distinguished from a random string. Note that this is not the same as a general-purpose hash function as it is taught in elementary computer-science education.
  • a random number generator is an algorithm that generates random-looking output strings from a seed value. Note that this generator has to be a cryptographic RNG, and that it has to be properly seeded before the first use.
  • The block cipher modes of operation and the hash function are specified in NIST Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation, December 2001, and in Federal Information Processing Standards Publication 180-2, Secure Hash Standard, August 1, 2002, respectively.
  • Implementations in C and C++ are available from a number of libraries, such as those described at http://www.homeport.org/~adam/crypto/table.html.
  • the most well-known libraries here are OpenSSL, CryptLib (requires a license) and Crypto++ (powerful, but difficult to use).
  • the generator provided with the cryptographic library should be used (do not use generators that are provided with a normal software library).
  • Enc() denotes the key
  • RNG() the input is the (integer) range of possible output values.
  • a || b means that you first write string a, and then string b.
  • the color card can be seen as the keyboard that is used to log into a protected part of the Zeqr application. Behind the scenes, the pattern typed into the color card may be used for different purposes, e.g. as authentication key and for decryption purposes, but the user may not be aware of this. For him, typing the pattern into the color card may be like locking up a box containing all his passwords.
  • the color card may be identical for all users, i.e., all color cards may have the same layout with respect to colors and characters. No matter where the user starts the
  • This card may contain 6x6 fields, each of which may have one of five possible colors.
  • each field may also be marked with a character (letter or number), where the characters are ordered alphabetically.

Enhancing the Pattern Quality

  • the pattern represents a master password. Its quality is thus of paramount importance.
  • the main threat here may be dictionary attacks, where the attacker simply guesses the pattern, starting with the most likely ones.
  • the following techniques can be used to make life harder for the attacker:
  • the user may be given a feedback of his pattern quality.
  • This may be implemented as a status bar describing the level of protection against brute-force attacks.
  • the status bar may be increased by one step for each additional click.
  • the maximum security could be reached for a pattern length that corresponds to 2^80 brute-force guesses, a security of 50% could be reached for an equivalent of 2^40 brute-force guesses. If the recommended color card size of 6x6 is used, then this corresponds to 8 clicks for "medium" security and 16 clicks for "high" security (each click on a 36-field card contributes about log2(36) ≈ 5.2 bits). Future versions of the Zeqr application may also test for patterns that are too simple. Clicking sixteen times on the same field obviously should not give a security rating of "high".
  • the program may encourage the user to improve the pattern over time.
  • the idea behind this is that the user could start to learn, e.g., a 6-click pattern. Once he got used to this pattern, he might be able to memorize one or two additional clicks, thus significantly improving the quality of his pattern.
  • the pattern update reminder may be displayed after a given period of time (e.g., every second month), or after the pattern was entered a given number of times (e.g., 50 times).
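The following pattern-quality meter is an added example, not code from the patent or from Zeqr. It turns the anchors given above (about 2^40 guesses for "medium" at 8 clicks, 2^80 for "high" at 16 clicks on a 36-field card) into a status-bar value, and implements the check that a degenerate pattern must not rate "high". Assumptions that are not on the page: every click is independent, a pattern is written as the characters of the clicked fields ('A'-'Z', '0'-'9'), and a pattern that is merely a short cycle repeated is rated as if it were the cycle alone (the text names only the all-same-field case; the cycle rule generalises it).

```python
"""Pattern-quality meter for the 6x6 color card (added example, not the patent's code).

Assumptions: independent clicks, pattern = characters of the clicked fields,
and a repeated short cycle counts only as the cycle (generalises the page's
"sixteen clicks on one field must not be 'high'" requirement).
"""
import math
import string

CARD_ALPHABET = string.ascii_uppercase + string.digits   # 36 fields on the 6x6 card
BITS_PER_CLICK = math.log2(len(CARD_ALPHABET))           # about 5.17 bits per click
MEDIUM_BITS = 40   # "50 % security": about 2^40 brute-force guesses
HIGH_BITS = 80     # "maximum security": about 2^80 brute-force guesses


def effective_clicks(pattern: str) -> int:
    """Length of the shortest cycle that reproduces the pattern by repetition.

    'AAAAAAAAAAAAAAAA' -> 1, 'K3K3K3K3' -> 2, 'K3QZ7AMP' -> 8.
    """
    n = len(pattern)
    for period in range(1, n + 1):
        if n % period == 0 and pattern == pattern[:period] * (n // period):
            return period
    return n


def pattern_bits(pattern: str) -> float:
    """Brute-force work factor in bits for the pattern as typed on the card."""
    bad = [c for c in pattern if c not in CARD_ALPHABET]
    if bad:
        raise ValueError(f"not fields of the card: {bad}")
    return effective_clicks(pattern) * BITS_PER_CLICK


def strength_percent(pattern: str) -> int:
    """Status-bar value: 0..100, reaching 100 at HIGH_BITS and about 50 at MEDIUM_BITS."""
    return min(100, round(100 * pattern_bits(pattern) / HIGH_BITS))


def rating(pattern: str) -> str:
    """The three levels the text describes: weak, medium (2^40), high (2^80)."""
    bits = pattern_bits(pattern)
    if bits >= HIGH_BITS:
        return "high"
    if bits >= MEDIUM_BITS:
        return "medium"
    return "weak"


def clicks_needed(level_bits: float) -> int:
    """Independent clicks needed to reach a work factor: 8 for 2^40, 16 for 2^80."""
    return math.ceil(level_bits / BITS_PER_CLICK)
```

`clicks_needed(40)` and `clicks_needed(80)` reproduce the 8 and 16 clicks quoted above, and a sixteen-click pattern on a single field rates the same as a one-click pattern, which is the behaviour the text asks for.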
  • FIG. 1 illustrates a network comprising a user terminal and a password server according to an embodiment of the invention
  • FIG. 2 shows a password service user interface according to an embodiment of the invention
  • FIG. 3 shows a password service user interface with a password pattern indicator according to an embodiment of the invention
  • FIG. 4 illustrates a tool bar being part of a password service user interface according to an embodiment of the invention
  • FIG. 5 shows a login dropdown menu being opened in a password service user interface according to an embodiment of the invention
  • FIG. 6 shows a main menu being opened in a password service user interface according to an embodiment of the invention
  • FIG. 7 shows an example of a print out of user data according to an embodiment of the invention
  • FIG. 8 shows a password service user interface including an advertisement service according to an embodiment of the invention
  • FIG. 9 shows a display of last displayed advertisements according to an embodiment of the invention.
  • FIG. 10 shows a password service user interface on a mobile handset according to an embodiment of the invention
  • FIG. 11 is a flowchart illustrating the process of registration of a user to set up a user account at a password server system according to an embodiment of the invention
  • FIG. 12 is a flowchart illustrating the process of authenticating a user to be logged in to a password server system according to an embodiment of the invention
  • FIG. 13 is a flowchart illustrating a user logout from a password server system according to an embodiment of the invention
  • FIG. 14 is a flowchart illustrating the process of locking down a user account and re-enabling the user account according to an embodiment of the invention
  • FIG. 15 is a flowchart illustrating the process of generating and uploading to a password server system a key file entry comprising user login information relating to an application or service site in accordance with an embodiment of the invention
  • FIG. 16 is a flowchart illustrating a process of downloading the key file entry generated and uploaded as illustrated in FIG. 15,
  • FIG. 17 is a flowchart illustrating a process of deleting the key file entry generated and uploaded as illustrated in FIG. 15,
  • FIG. 18 is a flowchart illustrating a process of updating the key file entry generated and uploaded as illustrated in FIG. 15, and
  • FIG. 19 is a flowchart illustrating the process of changing a master password or pattern for a user being registered at a password server system in accordance with an embodiment of the invention.
  • Fig. 1 illustrates a network comprising a user terminal and a password server according to an embodiment of the invention.
  • Fig. 1 schematically shows how the Zeqr system can be used to assist logging into a service site.
  • a user 11 will log into the key file server, KFS 12, and download the data required.
  • the data is then decrypted by the Zeqr application 13 and set into the service site's login field 14.
  • All communication between the user and the key file server is preferably protected by SSL/TLS.
  • As used here, the SSL/TLS protocol lets the user verify the identity of the server, but does not authenticate the user to the server. The user therefore has to authenticate himself to the server separately; otherwise anyone could download the user's key file.
  • the key file server has to be a trustworthy entity that is run by a reliable party. It is assumed that the key file server is protected in an appropriate way against all standard attacks that do not target peculiarities of the Zeqr protocol, i.e. it runs firewall and virus scanner, has been penetration tested etc. It is also assumed that there is always a server available. This can be achieved e.g. by server replication.
  • Fig. 2 shows a password service user interface according to an embodiment of the invention.
  • the user interface is provided by the Zeqr application 21, which is a browser plug-in. It has a color card 22, which is only displayed when needed in order to make the application as user friendly as possible.
  • the application also features a text field 23 where information of relevance for the user will be displayed.
  • the application has a field for user names 24 where one or several user names can be entered if several users share the same application.
  • the application also has a "Next" link 25.
  • Fig. 3 shows a password service user interface with a password pattern indicator according to an embodiment of the invention.
  • the password pattern indicator is a color card 31 in the form of a virtual keyboard, where the user can enter his master password for his Zeqr account.
  • it is a 6x6 matrix with letters and digits so it is easy to use as a virtual keyboard.
  • the fields of the color card have 5 different colors by default, black, red, green, blue, yellow, arranged randomly, making it a mnemotechnical tool for the user, who can choose a pattern he finds easy to remember, and use the pattern as his Zeqr master password.
  • a meter 34 may automatically compute the strength of the pattern entered by the user, and a warning message may be shown if the user chooses a pattern that is weak.
  • Fig. 4 illustrates a tool bar being part of a password service user interface according to an embodiment of the invention.
  • a Zeqr tool bar will be integrated in the browser's tool bar 41.
  • the appearance of the tool bar will differ according to whether the user is logged in to his Zeqr account or not. If the user is logged in, the tool bar will display a "Zeqr login to" dropdown menu 42.
  • Fig. 5 shows a login dropdown menu being opened in a password service user interface according to an embodiment of the invention. If the user clicks on the login dropdown menu 51 a list will be displayed with names of all the service sites 52 where the user has created an account using the Zeqr application.
  • Fig. 6 shows a main menu being opened in a password service user interface according to an embodiment of the invention. If the user clicks on the Zeqr icon 61 in the tool bar, a main menu 62 will be opened with all the options offered by the application.
  • the Zeqr application may also feature a print out option so the user can print out his Zeqr data including the unlock code.
  • the print out shows one color card 71 for each character of the user's pattern, and it may also have a text field 72 with the user's KFS User ID, his password as text and the unlock code. It is recommended that the user keeps the print out in a safe place as a backup in case he forgets his login data. Since it contains the master password in clear text, the print out is as sensitive as the key file itself.
  • Fig. 8 shows a password service user interface including an advertisement service according to an embodiment of the invention.
  • the application may have a field 81 where information or advertisements can be displayed according to preset rules.
  • the application may also have an option for the user to open a website 91 with the last 20 advertisements displayed by the application. This is shown in Fig. 9.
  • Fig. 10 shows a password service user interface on a mobile handset according to an embodiment of the invention,
  • a special edition of the application can be installed on mobile handsets 101 as illustrated in Fig. 10, and a special user interface 102 may adapt the application to the mobile operating system, be it Windows Mobile, Symbian or any other platform.
  • Fig. 11 shows a flowchart illustrating the process of registration of a user to set up a user account at a password server system according to an embodiment of the invention.
  • the user starts by going to a web site where he can download the Zeqr application 111. He then installs the application following standard procedures.
  • the user is asked to choose a KFS User ID 112. This could be his own name, his e-mail address or any other unique but memorizable string.
  • the key file server system checks if the KFS User ID is free 113 and if it is already being used an error message will be displayed.
  • a color card is displayed 114 and the user is asked to enter his pattern or master password. He types his pattern into the card (client-side). The status bar on the application may give him an indication of the pattern strength. He is then asked to re-enter the pattern 115. After the user has re-entered his pattern, a Zeqr account has to be set up at the KFS. To this end, the Zeqr application sends 116 the KFS user ID and the following value H1 to the KFS:
  • H1 Hash (1
  • the KFS stores these values 117 for later use as authenticator.
  • a lock-up code, a randomly generated 80-bit value, may be generated at the KFS.
  • the KFS saves the lock-up code together with the other account data for later use.
  • the code may be displayed to the user in Base32 format (16 characters long) in the style known from software product keys: xxxx-xxxx-xxxx-xxxx.
  • the lock-up code is required to unlock an account that has been locked after too many wrong login attempts, either by the user or by an attacker.
  • the system may recommend printing the pattern 119, and if the user chooses to print, the printing job is executed by the application 1110.
  • the warning message may clearly state that the Zeqr system cannot reconstruct the pattern and that the user is solely responsible for remembering it.
  • the user now has a working Zeqr ac- count 1111.
  • FIG. 12 is a flowchart illustrating the process of authenticating a user to be logged in to a password server system according to an embodiment of the invention.
  • the Zeqr application establishes a secure connection from the user terminal to the KFS using
  • the Zeqr application may contain the internet address (URL, not IP address) of a server where the KFS address can be obtained.
  • the server will choose 122 a suitable KFS for the user. This choice can be based on criteria like physical proximity, availability, customer class, etc. In theory, we could allow the user to choose the KFS by himself. This should be an advanced option, since most users will be confused by such a choice.
  • the key file servers keep their records synchronized in order to guarantee that there is always at least one server available for the user. Note that since contacting the server is security-critical, this connection should be based on SSL/TLS, too.
  • After the contact to the KFS is established 123, the user has to be authenticated to log into his KFS account. In order to do this, he types in his KFS User ID 124 at the Zeqr application user interface, and the KFS User ID is then sent to the KFS. The KFS checks if the KFS User ID is valid 125 and if it is not valid an error message is displayed. If the KFS User ID is valid the KFS sends 126 a random value N, a so-called challenge, to the Zeqr application at the user terminal. The user enters his pattern or master password into the color card 127 and the Zeqr application computes 128 the hash value H2:
  • H2 Hash (2
  • Logging out from a Zeqr account does not require any special cryptographic method.
  • the server automatically terminates the session when the operation has been finished 131, e.g., a requested key file entry, KFE, has been sent, a new KFE has been installed, or the pattern has been changed.
  • the user's pattern or master password that was stored by the Zeqr application is deleted 133.
  • "deleting" means more than just removing the pointer to an object in memory; the pattern should be overwritten with zeroes. The same holds for the list of available service site IDs.
  • Fig. 14 is a flowchart illustrating the process of locking down a user account and re- enabling the user account according to an embodiment of the invention.
  • the user only gets a limited number of login attempts to protect the user account against guessing attacks.
  • the KFS locks down the account 142.
  • the user has to enter his lock-up code 143 in order to re-enable the account. This lock-up code was displayed when he set up the account.
  • the KFS re-enables the account 144.
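The registration, challenge-response login and lockdown/unlock steps of Figs. 11, 12 and 14 above, as one runnable exchange between a client and a key file server. This is an added example, not the patent's or Zeqr's code. The page shows H1 and H2 only as truncated formulas, Hash(1 || ...) and Hash(2 || ...); the complete inputs used here are this example's assumptions: H1 = SHA-256(0x01 || pattern), stored by the KFS as the authenticator, and H2 = SHA-256(0x02 || N || H1), which the KFS can recompute from the stored H1 and the challenge N. The attempt limit MAX_ATTEMPTS is also an assumption, since the text only says "a limited number"; the lock-up code format (80 random bits, Base32, xxxx-xxxx-xxxx-xxxx) is the one the text gives.

```python
"""KFS account lifecycle: registration (Fig. 11), challenge-response login (Fig. 12),
lockdown and unlock with the lock-up code (Fig. 14). Added example, not the patent's code.

Assumed, not on the page: H1 = SHA-256(0x01 || pattern); H2 = SHA-256(0x02 || N || H1);
MAX_ATTEMPTS = 5.
"""
import base64
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 5  # assumption: the page only says "a limited number of login attempts"


def h1(pattern: str) -> bytes:
    """H1 = Hash(1 || Pattern): sent once at registration (step 116), stored by the KFS."""
    return hashlib.sha256(b"\x01" + pattern.encode()).digest()


def h2(challenge: bytes, h1_value: bytes) -> bytes:
    """H2 = Hash(2 || N || H1): the response to challenge N (assumed composition)."""
    return hashlib.sha256(b"\x02" + challenge + h1_value).digest()


def new_lockup_code() -> str:
    """80 random bits, Base32 encoded (16 characters, no padding), grouped xxxx-xxxx-xxxx-xxxx."""
    raw = secrets.token_bytes(10)  # 10 bytes = 80 bits = 16 Base32 characters
    text = base64.b32encode(raw).decode("ascii")
    return "-".join(text[i:i + 4] for i in range(0, 16, 4))


class KeyFileServer:
    """Minimal KFS keeping one in-memory record per KFS User ID."""

    def __init__(self):
        self.accounts = {}

    def register(self, user_id: str, h1_value: bytes) -> str:
        if user_id in self.accounts:
            raise ValueError("KFS User ID already in use")      # step 113 error message
        code = new_lockup_code()
        self.accounts[user_id] = {"h1": h1_value, "lockup": code,
                                  "failures": 0, "locked": False, "pending": None}
        return code  # displayed to the user once; the KFS keeps its copy

    def challenge(self, user_id: str) -> bytes:
        acct = self.accounts.get(user_id)
        if acct is None:
            raise KeyError("unknown KFS User ID")                # step 125 error message
        if acct["locked"]:
            raise PermissionError("account locked; lock-up code required")
        acct["pending"] = secrets.token_bytes(16)                # challenge N, step 126
        return acct["pending"]

    def verify(self, user_id: str, response: bytes) -> bool:
        acct = self.accounts[user_id]
        n, acct["pending"] = acct["pending"], None               # a challenge is single-use
        if n is None or acct["locked"]:
            return False
        if hmac.compare_digest(h2(n, acct["h1"]), response):    # constant-time compare
            acct["failures"] = 0
            return True
        acct["failures"] += 1
        if acct["failures"] >= MAX_ATTEMPTS:                     # step 142: lock down
            acct["locked"] = True
        return False

    def unlock(self, user_id: str, code: str) -> bool:
        """Steps 143/144: re-enable the account if the printed lock-up code matches."""
        acct = self.accounts[user_id]
        supplied = code.strip().upper().encode("ascii")
        if hmac.compare_digest(acct["lockup"].encode("ascii"), supplied):
            acct["locked"], acct["failures"] = False, 0
            return True
        return False


class ZeqrClient:
    """Client side: for this login-only example it keeps H1 rather than the pattern."""

    def __init__(self, user_id: str, pattern: str):
        self.user_id = user_id
        self._h1 = h1(pattern)

    def register(self, kfs: KeyFileServer) -> str:
        return kfs.register(self.user_id, self._h1)             # step 116

    def login(self, kfs: KeyFileServer) -> bool:
        n = kfs.challenge(self.user_id)
        return kfs.verify(self.user_id, h2(n, self._h1))        # step 128 and the check
```

One consequence of the assumed composition is worth noting: H1 is both what the server stores and all the client needs to answer a challenge, so a copy of the KFS database is password-equivalent and can also be used to test pattern guesses offline at hash speed. A practitioner would store a salted, deliberately slow hash (or use a PAKE) and keep the stored verifier distinct from the value the client must present.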
  • Fig.15 is shown a flowchart illustrating the process of generating and uploading to a password server system a key file entry comprising user login information relating to an application or service site in accordance with an embodiment of the invention.
  • the main activity of the user who has logged in to the KFS is to store or retrieve passwords, i.e. key file entries.
  • One key file entry should contain all the login information that relates to one service site.
  • a key file entry (KFE) should contain information of the service site ID, the service user ID, and the password. However, here the service user ID and the password are encrypted.
  • the KFE must not be stored on the user's computer longer than absolutely necessary for the task at hand. Typically, it is downloaded, used, and deleted again, long before the browser is closed or the user is logged out of his computer.
  • the user wants to add login data for a new service site, he starts by having his browser open at the user terminal to the service site in question 151. Then he opens his Zeqr application 152 and logs in to the KFS by entering his KFS User ID and his pattern or master password. The user chooses the application option "Register at new website" 153. The user selects a name for the service 154, the service site ID. The KFS checks if the name is free 155; if it is not free an error message is displayed. The root name of the service site is automatically picked up 156 by the Zeqr application if possible.
  • the user can now choose 157 whether he wants to select username, service user ID, and password for the service site himself, or if he wants the Zeqr application to generate them.
  • the service user ID can either be a string that the user chooses himself (such as "Henry"), or a string that is randomly generated by the Zeqr application.
  • the password can also be a string that the user selects himself, in fact, manually entering the password might be necessary in certain scenarios, for in- stance where the user has no right to choose the username and/or password, or if the user for some reason wants to use a specific username and/or password.
  • CipherKey = Hash(3 || Pattern || Rand)
  • EncData = Enc(CipherKey, Service User ID || Password)
  • the encryption key is generated by hashing the pattern/master password and a random value, thus generating a seemingly random distribution of the key bits.
  • the data is encrypted under that key.
  • the main purpose of the random value is to guarantee that even if the user uses the same User ID and password for two different log-in sites, the EncData values will nonetheless be different. If the user asks the Zeqr application to generate the username and/or password 1511 he may be able to select the character set and the length 1512 from dropdown menus. Then the Zeqr application will generate these values 1513 following this procedure:
  • CipherKey = Hash(3 || Pattern || Rand)
  • EncData = Enc(CipherKey, Service User ID || Password)
  • the encryption key is generated by hashing the pattern/master password and a random value, thus generating a seemingly random distribution of the key bits. Then the data is encrypted under that key.
  • the main purpose of the random value is to guarantee that even if the user uses the same User ID and password for two different log-in sites, the EncData values will nonetheless be different.
  • the key file entry is generated 1515 with the following components: • The service site ID.
  • the key file entry is now uploaded 1516 from the user terminal to the KFS.
  • the server checks 1517 whether a file with the same service site ID already exists. If the result of this check is "yes”, the user is warned 1518 that he is about to overwrite the old file. If he insists, the old file is overwritten.
  • the key file entry has now been generated, uploaded and stored at the KFS.
  • the user wants to open an account at the website or service site for which the key file entry has been generated.
  • the user wants to enter the password and/or User ID for the service site account in question being opened at the user terminal, which is illustrated by steps 1519 to 1522.
  • the application looks for a match 1519 to the service site ID in a template library on a Zeqr server. If there is no match the user will have to enter username and password in the fields manually 1520. If there is a match the Zeqr application will automatically 1521 insert username and password in the fields of the service site according to the format of the template. The user has now created an account at the service site 1522.
  • Fig. 16 is a flowchart illustrating a process of downloading the key file entry generated and uploaded as illustrated in Fig. 15.
  • Before downloading a key file entry the user must log in 161 to the KFS by entering his KFS User ID and his pattern or master password. If it is the first time that the user logs in to the KFS from a given computer or user terminal 162, an identification token, e.g. a cookie, may be stored both on the computer and on the KFS 163. This token is at least 16 bytes long; it is randomly generated by the KFS and then transmitted to the user's computer. If such a token is present when the Zeqr application is started at a later point in time, the Zeqr application may automatically fetch the list of all service site IDs for the user from the KFEs.
  • the KFE that was downloaded is in encrypted form; it has to be decrypted using the user's pattern or master password. As the Zeqr application may have stored the user's pattern, the user may not have to type it in again.
  • the Zeqr application automatically decrypts 166 the password by inverting the encryption as follows:
  • CipherKey = Hash(3 || Pattern || Rand)
  • the Zeqr application compares 167 the current domain name in the browser with that of the service site ID. If they do not match, a warning 168 is given to the user. This may protect against a number of phishing attacks, but not against all. For example, if the correct site has the address www.hostingpartner.com/toyshop, then the attacker might register a site under www.hostingpartner.com/fashionshop. A Zeqr version may only compare the root address (www.hostingpartner.com), and then it would not notice the attack.
  • the application looks for a match to the service site ID in a template library stored on a Zeqr server 169. If a match is not found, the user has to enter username and password manually 1610. If a match is found the application may automatically insert 1611 the username and password in the service site fields according to the format of the template. Then the user is logged in to the service site 1612.
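The site comparison of steps 167/168, as an added example (not the patent's or Zeqr's code). It reproduces the case given in the text, where comparing only the root address accepts www.hostingpartner.com/fashionshop for an entry created at www.hostingpartner.com/toyshop, next to a stricter check on scheme, host, port and path prefix. It assumes that the full URL of the login page was stored with the service site ID, which the text does not spell out, and that credentials are never filled over plain HTTP.

```python
"""Site-match check before auto-filling credentials (added example, not the patent's code).

Assumptions: the stored entry carries the full login URL; filling is refused over
plain HTTP.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url: str):
    """(scheme, host, port) with the default port filled in, so that
    https://a and https://a:443 compare equal."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))


def root_only_match(stored_url: str, current_url: str) -> bool:
    """The weak check the text describes: compare only the root address (host name)."""
    return urlsplit(stored_url).hostname == urlsplit(current_url).hostname


def strict_match(stored_url: str, current_url: str) -> bool:
    """Same origin, HTTPS only, and the current path must lie under the stored path."""
    if _origin(stored_url) != _origin(current_url):
        return False
    if _origin(current_url)[0] != "https":
        return False  # assumption: never fill a password over plain HTTP
    base = urlsplit(stored_url).path.rstrip("/") + "/"
    here = urlsplit(current_url).path.rstrip("/") + "/"
    return here.startswith(base)


def may_fill(stored_url: str, current_url: str) -> str:
    """Decision at steps 167/168: fill the login fields, or warn the user."""
    return "fill" if strict_match(stored_url, current_url) else "warn"
```

The host-name comparison still rejects look-alike hosts such as www.hostingpartner.com.evil.example; the path rule closes the shared-hosting case the text describes, at the cost of warning when a site moves its login page to a different path.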
  • Fig. 17 shows a flowchart illustrating a process of deleting the key file entry generated and uploaded as illustrated in Fig. 15.
  • If a user wants to delete a KFE, he opens the application and logs in to the KFS by entering his KFS User ID and pattern 171.
  • the user chooses the item from his list of server site IDs 172 that he wishes to delete.
  • the user chooses the application option "Delete service” 173, and then the Zeqr application sends an appropriate command to the KFS 174, which deletes the corresponding KFE 175. In this process, no additional cryptographic protection is required.
  • the service site ID is also deleted from the user's list of available sites.
  • Fig. 18 is a flowchart illustrating a process of updating the key file entry generated and uploaded as illustrated in Fig. 15.
  • Updating a KFE could be the modification of any of the three components service site ID, service user ID, and password.
  • the modification process consists in downloading the existing KFE as described above, modifying the desired contents as described in the section on generating a KFE, and sending the updated entry back to the KFS. Note in particular that a new random value Rand is also used. Also note that if the service site ID was changed, the list on the user's Zeqr application has to be updated, too.
  • the user wants to update the login data for a service site he opens his Zeqr application 181 and logs in to the KFS by entering his KFS User ID and his pattern.
  • the KFS checks if the name is free 185, if it is not free an error message is displayed. The user can now choose 186 whether he wants to select username and password for the service site himself, or if he wants the Zeqr application to generate them.
  • the service user ID can either be a string that the user chooses himself (such as "Henry"), or a string that is randomly generated by the Zeqr application.
  • the password can also be a string that the user selects himself, in fact, manually entering the password might be necessary in certain scenarios, for instance where the user has no right to choose the username and/or password, or if the user for some reason wants to use a specific username and/or password.
  • CipherKey = Hash(3 || Pattern || Rand)
  • EncData = Enc(CipherKey, Service User ID || Password)
  • the encryption key is generated by hashing the pattern and a random value, thus generating a seemingly random distribution of the key bits. Then the data is encrypted under that key.
  • the main purpose of the random value is to guarantee that even if the user uses the same User ID and password for two different login sites, the EncData values will nonetheless be different.
  • CipherKey = Hash(3 || Pattern || Rand)
  • EncData = Enc(CipherKey, Service User ID || Password)
  • the encryption key is generated by hashing the pattern and a random value, thus generating a seemingly random distribution of the key bits. Then the data is encrypted under that key.
  • the main purpose of the random value is to guarantee that even if the user uses the same User ID and password for two different log-in sites, the EncData values will nonetheless be different.
  • the key file entry is generated 1814 with the following components:
  • the key file entry can now be uploaded 1815 from the user terminal to the KFS.
  • the server checks 1816 whether a file with the same service site ID already exists. If the result of this check is "yes", the user is warned 1817 that he is about to overwrite the old file. If he insists, the old file is overwritten.
  • the application looks for a match 1818 to the service site ID in a template library on a Zeqr server. If there is no match the user will have to enter username and password in fields manually 1819. If there is a match the Zeqr appli- cation will automatically 1820 insert username and password in the dedicated fields of the service site according to the format of the template. The user has now updated the Key File Entry 1821.
  • When the pattern is changed, the whole key file has to be re-encrypted. This is illustrated in Fig. 19.
  • the user first has to use the old pattern to identify himself to the key file server. After that, all key file entries have to be downloaded. They are decrypted and re-encrypted using new Rand values and the new pattern or master password. Then the new key file entries are uploaded again. Finally, a new value H1 has to be provided, as described under "setting up the account”. It is not before this final step is completed, that the changes become valid.
  • the step-by-step procedure for changing a Zeqr pattern is: The user opens his Zeqr application and logs in to the KFS by entering his KFS
  • the user chooses the application option "Change pattern" 192.
  • the user authenticates himself 193 by entering his existing pattern.
  • the KFS downloads all the Key File Entries 194 to the application.
  • the application decrypts 195 all KFE using the existing pattern and following the procedure described earlier.
  • the user enters a new pattern or master password 196 and re-enters the new pattern 197.
  • the application encrypts all the KFE using the new pattern 198 and following the procedure described earlier and generates a new hash value H1 199 which is uploaded to the KFS 1910.
  • the encrypted KFE and the new hash value H1 are stored on the KFS together with the user's KFS User ID 1911.
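The key file entry handling of Fig. 15 (per-entry key derivation and encryption), Fig. 16 (decryption) and Fig. 19 (re-encryption of every entry under a new pattern with fresh Rand values), as one added example; this is not the patent's or Zeqr's code. Assumptions not on the page: SHA-256 as Hash; a 16-byte Rand; the service user ID is length-prefixed before it is concatenated with the password so the two can be split again; and, because the Python standard library has no AES, Enc() is a SHA-256 counter-mode keystream with an HMAC-SHA-256 tag (encrypt-then-MAC) standing in for the SP 800-38A block-cipher mode the text refers to. The tag is an addition: the scheme as described has no integrity check on EncData.

```python
"""Key file entries: derive CipherKey, encrypt, decrypt, re-encrypt under a new pattern.
Added example covering Figs. 15, 16 and 19; not the patent's code.

Assumptions: SHA-256 as Hash, 16-byte Rand, length-prefixed user ID, and a SHA-256
counter-mode keystream plus HMAC tag in place of an AES mode (no AES in the stdlib).
"""
import hashlib
import hmac
import secrets
import string


def cipher_key(pattern: str, rand: bytes) -> bytes:
    """CipherKey = Hash(3 || Pattern || Rand)."""
    return hashlib.sha256(b"\x03" + pattern.encode() + rand).digest()


def _subkeys(key: bytes):
    """Separate keystream and tag keys derived from CipherKey."""
    return (hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest())


def _keystream(enc_key: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(enc_key + counter.to_bytes(4, "big")).digest()
    return bytes(out[:length])


def enc(key: bytes, plaintext: bytes) -> bytes:
    """EncData = Enc(CipherKey, Service User ID || Password): ciphertext || 32-byte tag."""
    enc_key, mac_key = _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def dec(key: bytes, blob: bytes) -> bytes:
    """Inverse of enc(); a wrong pattern or a modified entry fails the tag check."""
    enc_key, mac_key = _subkeys(key)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong pattern or tampered key file entry")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, len(ct))))


def generate_secret(alphabet: str = string.ascii_letters + string.digits, length: int = 20) -> str:
    """Steps 1512/1513: a service user ID or password from a chosen character set and
    length, drawn from the cryptographic RNG as the text requires."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def make_kfe(pattern: str, site_id: str, service_user_id: str, password: str) -> dict:
    """Step 1515: a fresh Rand per entry, so equal credentials at two sites never give
    equal EncData. The service site ID itself is stored in the clear."""
    rand = secrets.token_bytes(16)
    uid = service_user_id.encode()
    plaintext = len(uid).to_bytes(2, "big") + uid + password.encode()
    return {"site_id": site_id, "rand": rand,
            "enc_data": enc(cipher_key(pattern, rand), plaintext)}


def open_kfe(pattern: str, kfe: dict):
    """Step 166: recompute CipherKey from the pattern and the entry's Rand, then decrypt."""
    plaintext = dec(cipher_key(pattern, kfe["rand"]), kfe["enc_data"])
    n = int.from_bytes(plaintext[:2], "big")
    return plaintext[2:2 + n].decode(), plaintext[2 + n:].decode()


def change_pattern(old_pattern: str, new_pattern: str, kfes: list) -> list:
    """Fig. 19, steps 194-198: decrypt every entry with the old pattern and re-encrypt
    with the new pattern and a new Rand. The caller uploads the result together with
    the new H1; nothing is valid until that final upload."""
    return [make_kfe(new_pattern, k["site_id"], *open_kfe(old_pattern, k)) for k in kfes]
```

Two points a practitioner would change relative to the text: CipherKey is a single hash of pattern and Rand, so a stolen entry can be attacked offline at hash speed, and a memory-hard KDF with Rand as the salt would slow that down; and because the service site ID is stored in the clear, the KFS, or anyone who reads its database, learns where the user holds accounts.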

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The present invention relates to a method for supporting the registration of a user, using a user terminal, with a password server system in a network comprising the user terminal and the password server system. The method comprises specifying, in the user terminal, a server user identifier that is unique to the password server system, and specifying a master password in the user terminal. A first message is generated in the user terminal, this first message being at least partly based on the specified master password; the first message and the server user identifier are then transmitted to the password server system, and a user entry comprising the first message and the server user identifier is stored in the password server system. The first message may be a first cryptographic message formed by means of a first cryptographic function, and the first cryptographic function may be downloaded from the password server system to the user terminal. The method may further comprise generating, in the password server system, a unique lock code corresponding to the server user identifier, and transmitting the lock code to the user terminal. The uniqueness of the server user identifier specified in the user terminal may be validated in the password server system, and the specification of the master password may be followed by a re-specification of the master password in the user terminal.
The method may also comprise downloading a password service application from the password server system to the user terminal, displaying in the user terminal a password service user interface corresponding to the password service user application, and displaying a password pattern indicator in the password service user interface, said specification of the master password being performed by means of the password pattern indicator. The re-specification of the master password may be performed by means of the password pattern indicator, and the first cryptographic function may be downloaded from the password server system to the user terminal together with the password service application or as part of it. The present invention also provides a method for authenticating a user, using the user terminal, with the password server system. The present invention further provides a method for managing service site passwords and/or service site user identifiers for users wishing to access one or more application or service sites that require passwords and/or user identifiers.
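The registration and authentication flow the abstract describes, modelled as an added Python example; this is not the patent's or Zequr's code. The choice of PBKDF2-HMAC-SHA256 as the "first cryptographic function", its iteration count, the random hex lock code and the in-memory entry store are all assumptions made here.

```python
import hashlib
import hmac
import secrets

# Assumption (not from the patent): the "first cryptographic function" is
# PBKDF2-HMAC-SHA256 over the master password, salted with the server user
# identifier so equal master passwords at different identifiers differ.
KDF_ITERATIONS = 100_000

def first_message(server_user_id: str, master_password: str) -> bytes:
    """Terminal side: derive the first message; the master password itself
    never leaves the terminal, only this derived value does."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               server_user_id.encode(), KDF_ITERATIONS)

class PasswordServer:
    """Password server system: one user entry per server user identifier."""
    def __init__(self) -> None:
        self._entries: dict[str, dict] = {}

    def is_unique(self, server_user_id: str) -> bool:
        """Validate uniqueness of the identifier chosen in the terminal."""
        return server_user_id not in self._entries

    def register(self, server_user_id: str, msg: bytes) -> str:
        """Store the user entry and return a fresh lock code (assumed random)."""
        if not self.is_unique(server_user_id):
            raise ValueError("server user identifier already registered")
        lock_code = secrets.token_hex(16)
        self._entries[server_user_id] = {"first_message": msg, "lock_code": lock_code}
        return lock_code

    def authenticate(self, server_user_id: str, msg: bytes) -> bool:
        """Compare in constant time against the stored first message."""
        entry = self._entries.get(server_user_id)
        return entry is not None and hmac.compare_digest(entry["first_message"], msg)

def terminal_register(server: PasswordServer, server_user_id: str,
                      master_password: str, master_password_again: str) -> str:
    """Terminal side: confirm the re-entered master password, check identifier
    uniqueness, then transmit identifier and first message."""
    if master_password != master_password_again:
        raise ValueError("master password re-entry does not match")
    if not server.is_unique(server_user_id):
        raise ValueError("server user identifier is not unique")
    return server.register(server_user_id, first_message(server_user_id, master_password))

def terminal_authenticate(server: PasswordServer, server_user_id: str,
                          master_password: str) -> bool:
    """Terminal side of authentication: recompute and submit the first message."""
    return server.authenticate(server_user_id, first_message(server_user_id, master_password))
```

Because the stored first message is static in this model, whoever obtains it from the server store or the channel holds a password-equivalent credential; the store therefore needs the same protection as a password database and the transport needs its own protection.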
PCT/EP2008/000981 2007-02-12 2008-02-08 Method for managing passwords by means of a master password WO2008098710A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US88946307P 2007-02-12 2007-02-12
US60/889,463 2007-02-12

Publications (1)

Publication Number Publication Date
WO2008098710A1 true WO2008098710A1 (fr) 2008-08-21

Family

ID=39471836

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2008/000981 WO2008098710A1 (fr) 2007-02-12 2008-02-08 Method for managing passwords by means of a master password

Country Status (1)

Country Link
WO (1) WO2008098710A1 (fr)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011089307A2 (fr) 2010-01-21 2011-07-28 Mph Technologies Oy Method and system for managing data
EP2506177A1 (fr) * 2011-04-01 2012-10-03 Palio AG Method and device for comparing identification data
US8656473B2 (en) 2009-05-14 2014-02-18 Microsoft Corporation Linking web identity and access to devices
US8756667B2 (en) 2008-12-22 2014-06-17 Lenovo (Singapore) Pte. Ltd. Management of hardware passwords
US20140172548A1 (en) * 2012-12-18 2014-06-19 Virtual Keyring, LLC Providing notifications of user selection of advertisements
JP2016505985A (ja) * 2012-12-24 2016-02-25 Rowem Inc. Passcode management method and device
CN113242120A (zh) * 2021-04-12 2021-08-10 深圳市智莱科技股份有限公司 Terminal device password update method, system, apparatus and storage medium
US11595375B2 (en) 2020-04-14 2023-02-28 Saudi Arabian Oil Company Single sign-on for token-based and web-based applications

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0493232A1 (fr) * 1990-12-27 1992-07-01 Aeg Schneider Automation Method for controlling the use of a computer workstation by password, and computer workstation implementing this method
GB2281645A (en) * 1993-09-03 1995-03-08 Ibm Control of access to a networked system
US6006333A (en) * 1996-03-13 1999-12-21 Sun Microsystems, Inc. Password helper using a client-side master password which automatically presents the appropriate server-side password to a particular remote server
US20030154403A1 (en) * 2001-08-14 2003-08-14 Keinsley Brian E. Web-based security with controlled access to data and resources
US20040030934A1 (en) * 2001-10-19 2004-02-12 Fumio Mizoguchi User selectable authentication interface and universal password oracle
US20040107269A1 (en) * 1998-12-08 2004-06-03 Rangan P. Venkat Method and apparatus for providing and maintaining a user-interactive portal system accessible via internet or other switched-packet-network
US20040139178A1 (en) * 1996-12-13 2004-07-15 Visto Corporation System and method for globally and securely accessing unified information in a computer network
US6826686B1 (en) * 2000-04-14 2004-11-30 International Business Machines Corporation Method and apparatus for secure password transmission and password changes

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0493232A1 (fr) * 1990-12-27 1992-07-01 Aeg Schneider Automation Method for controlling the use of a computer workstation by password, and computer workstation implementing this method
GB2281645A (en) * 1993-09-03 1995-03-08 Ibm Control of access to a networked system
US6006333A (en) * 1996-03-13 1999-12-21 Sun Microsystems, Inc. Password helper using a client-side master password which automatically presents the appropriate server-side password to a particular remote server
US20040139178A1 (en) * 1996-12-13 2004-07-15 Visto Corporation System and method for globally and securely accessing unified information in a computer network
US20040107269A1 (en) * 1998-12-08 2004-06-03 Rangan P. Venkat Method and apparatus for providing and maintaining a user-interactive portal system accessible via internet or other switched-packet-network
US6826686B1 (en) * 2000-04-14 2004-11-30 International Business Machines Corporation Method and apparatus for secure password transmission and password changes
US20030154403A1 (en) * 2001-08-14 2003-08-14 Keinsley Brian E. Web-based security with controlled access to data and resources
US20040030934A1 (en) * 2001-10-19 2004-02-12 Fumio Mizoguchi User selectable authentication interface and universal password oracle

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8756667B2 (en) 2008-12-22 2014-06-17 Lenovo (Singapore) Pte. Ltd. Management of hardware passwords
US8656473B2 (en) 2009-05-14 2014-02-18 Microsoft Corporation Linking web identity and access to devices
US10091185B2 (en) 2010-01-21 2018-10-02 Finnish Technology Management Oy Method and system for managing data
WO2011089307A3 (fr) * 2010-01-21 2011-09-09 Mph Technologies Oy Method and system for managing data
WO2011089307A2 (fr) 2010-01-21 2011-07-28 Mph Technologies Oy Method and system for managing data
EP2506177A1 (fr) * 2011-04-01 2012-10-03 Palio AG Method and device for comparing identification data
US20140172548A1 (en) * 2012-12-18 2014-06-19 Virtual Keyring, LLC Providing notifications of user selection of advertisements
JP2016505985A (ja) * 2012-12-24 2016-02-25 Rowem Inc. Passcode management method and device
EP2937808A4 (fr) * 2012-12-24 2016-08-31 Rowem Inc Method and apparatus for managing passwords
US9729545B2 (en) 2012-12-24 2017-08-08 Rowem Inc. Method and apparatus for managing passcode
US11595375B2 (en) 2020-04-14 2023-02-28 Saudi Arabian Oil Company Single sign-on for token-based and web-based applications
CN113242120A (zh) * 2021-04-12 2021-08-10 深圳市智莱科技股份有限公司 Terminal device password update method, system, apparatus and storage medium
CN113242120B (zh) * 2021-04-12 2023-03-14 深圳市智莱科技股份有限公司 Terminal device password update method, system, apparatus and storage medium

Similar Documents

Publication Publication Date Title
Todorov Mechanics of user identification and authentication: Fundamentals of identity management
Li et al. The Emperor's new password manager: Security analysis of web-based password managers
US8041954B2 (en) Method and system for providing a secure login solution using one-time passwords
CN102804200B (zh) Two-factor user authentication system and method
CN111447214B (zh) A method for a centralized public-key cryptography service based on fingerprint recognition
EP2160864B1 (fr) Authentication system and method
US8775794B2 (en) System and method for end to end encryption
US9002750B1 (en) Methods and systems for secure user authentication
US9768963B2 (en) Methods and systems for secure user authentication
JP5133248B2 (ja) Offline authentication method in a client/server authentication system
US20100332841A1 (en) Authentication Method and System
WO2008098710A1 (fr) Method for managing passwords by means of a master password
RU2584500C2 (ru) Cryptographic method of authentication and identification with real-time encryption
NO324315B1 (no) Method and system for secure user authentication at a personal data terminal
CN101507233A (zh) Method and device for providing trusted single sign-on access to applications and Internet-based services
EP2572489B1 (fr) System and method for protecting access to authentication systems
GB2488310A (en) A method and system for authenticating a computer user by using an array of elements
KR101108660B1 (ko) Authentication system
EP4072064A1 (fr) Electronic signature system and tamper-proof device
EP1868125A1 (fr) Method for identifying a user of the computer system
Al Maqbali et al. AutoPass: An automatic password generator
Horsch et al. PALPAS--PAssword Less PAssword Synchronization
CN106797381A (zh) Authentication stick
Crocker et al. Two factor encryption in cloud storage providers using hardware tokens
Raddum et al. Security analysis of mobile phones used as OTP generators

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08707626; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 08707626; Country of ref document: EP; Kind code of ref document: A1)