System for supporting secured log-in of multiple users into a plurality of computers using combined presentation of memorized password and transportable passport record
Abstract
A system is disclosed for controlling intelligible access to secured files by means of a user-memorized password in combination with a user-associated passport record. The passport record takes on two forms, one when it is physically secured within the workstation and a different second form when the passport record is in-transit. Log-in privileges are granted after a presented passport record passes a number of tests including digital signature authentication, and the ability to extract two different encrypted keys from the passport record. The in-transit record does not carry one of those two keys.
34 Claims
1. A machine system for maintaining confidential digital information generally in encrypted form while allowing for intelligible access to such confidential information by users who are authorized for access by a combination of a password and a passport, said machine system comprising:
(a) a passport generator for generating within a first station an in-station passport, wherein the in-station passport includes:
(a.1) a first secured key derived from a first password of a first authorized user; and
(a.2) a second secured key that is different from the first secured key; and
(b) a passport exporter for generating within the first station an exportable passport, wherein said exportable passport includes a copy of the first secured key but does not include a copy of the second secured key.
[Dependent claims: 2, 3, 4, 5, 6, 7]
8. A machine system for maintaining confidential digital information generally in encrypted form while allowing for intelligible access to such confidential information by users who are authorized for access by a combination of a password and a passport, said machine system comprising:
(a) a passport inspector for receiving a user password supplied at a given station, for locating an in-station passport associated with the user, and for verifying correlation between the user-supplied password and the user-associated in-station passport;
wherein the in-station passport includes:
(a.1) a first secured key derived from a valid password of the passport-associated user;
(a.2) a second secured key covered by a plaintext version of the first secured key; and
(a.3) a third secured key that is different from the first secured key; and
wherein the correlation verification carried out by the passport inspector includes:
(a.4) generating a first attempt signal by attempting to uncover the first secured key with the user-submitted password;
(a.5) generating a second attempt signal by attempting to uncover the second secured key with the first attempt signal;
(a.6) generating a third attempt signal by attempting to uncover the third secured key; and
(a.7) performing format checking on each of the second attempt signal and the third attempt signal.
9. A machine-implemented method for maintaining confidential digital information generally in encrypted form while allowing for intelligible access to such confidential information by users who are authorized for access by a combination of a password and a passport, said method comprising the steps of:
(a) receiving a user password supplied at a given station;
(b) fetching an in-station passport associated with the user, wherein the in-station passport includes:
(b.1) a first secured key derived from a valid password of the passport-associated user;
(b.2) a second secured key covered by a plaintext version of the first secured key; and
(b.3) a third secured key that is different from the first secured key; and
(c) verifying correlation between the user-supplied password and the user-associated in-station passport, wherein said correlation verification includes:
(c.1) generating a first attempt signal by attempting to uncover the first secured key with the user-submitted password;
(c.2) generating a second attempt signal by attempting to uncover the second secured key with the first attempt signal;
(c.3) generating a third attempt signal by attempting to uncover the third secured key; and
(c.4) performing format checking on each of the second attempt signal and the third attempt signal.
10. A machine-readable memory for use in a machine system that maintains confidential digital information generally in encrypted form while allowing for intelligible access to such confidential information by users who are authorized for access by a combination of a user-associated password and a user-associated passport, said machine-readable memory storing a passport data structure comprising:
(a) a first secured key derived from a valid password of the passport-associated user;
(b) a second secured key covered by a plaintext version of the first secured key; and
(c) a third secured key that is different from the first secured key.
11. A machine-implemented method for providing intelligible access to algorithmically-secured data in response to an access request, wherein the access request includes submission of a password and submission of an identification of a requesting user, said method comprising the steps of:
(a) finding a machine-readable passport associated with the submitted identification, wherein said passport includes:
(a.1) a first field having a user identification matching the submitted identification and associating the passport with a corresponding user;
(a.2) a second field containing a first secured key derived from a valid password of the passport-associated user;
(a.3) a third field containing a second secured key covered by a plaintext version of the first secured key; and
(a.4) a fourth field containing a third secured key that is different from the first secured key;
(b) using the submitted password to attempt decryption of the first secured key, said attempt producing a putative first uncovering of the first secured key;
(c) using the putative first uncovering to attempt decryption of the second secured key, said attempt producing a putative second uncovering of the second secured key; and
(d) using the putative first uncovering to attempt decryption of the third secured key, said attempt producing a putative third uncovering of the third secured key.
[Dependent claims: 12, 13]
14. A machine-instructing device for instructing a prespecified, instructable machine to carry out a method for providing intelligible access to algorithmically-secured data in response to an access request, wherein the access request includes submission of a password and submission of an identification of a requesting user, said instruction-defined method comprising the steps of:
(a) finding a machine-readable passport associated with the submitted identification, wherein said passport includes:
(a.1) a first field having a user identification matching the submitted identification and associating the passport with a corresponding user;
(a.2) a second field containing a first secured key derived from a valid password of the passport-associated user;
(a.3) a third field containing a second secured key covered by a plaintext version of the first secured key; and
(a.4) a fourth field containing a third secured key that is different from the first secured key;
(b) using the submitted password to attempt decryption of the first secured key, said attempt producing a putative first uncovering of the first secured key;
(c) using the putative first uncovering to attempt decryption of the second secured key, said attempt producing a putative second uncovering of the second secured key; and
(d) using the putative first uncovering to attempt decryption of the third secured key, said attempt producing a putative third uncovering of the third secured key.
15. A machine-implemented method for providing intelligible access to algorithmically-secured data in response to an access request submitted at a first location, wherein the access request includes submission of a password and submission of an identification of a requesting user, said method comprising the steps of:
(a) finding a machine-readable passport associated with the submitted identification, wherein said passport includes:
(a.1) a first field having a user identification matching the submitted identification and associating the passport with a corresponding user;
(a.2) a second field containing a first secured key derived from a valid password of the passport-associated user;
(a.3) a third field containing a second secured key covered by a plaintext version of the first secured key;
(a.4) a fourth field that is either blank or contains irrelevant data; and
(a.5) a fifth field containing a digital signature covering at least said first through fourth fields;
(b) using the digital signature to authenticate the signature-covered contents of the found passport.
[Dependent claims: 16, 17, 18, 19]
20. A machine-implemented method for providing intelligible access to algorithmically-secured data in response to an access request submitted at a first location, wherein the access request includes submission of a password and submission of an identification of a requesting user at the first location, and further wherein a user-associated passport required for servicing the access request is physically secured in a second location, said method comprising the steps carried out at the second location of:
(a) finding the passport associated with the submitted identification, wherein said passport includes:
(a.1) a first field having a user identification matching the submitted identification and associating the passport with a corresponding user;
(a.2) a second field containing a first secured key derived from a valid password of the passport-associated user;
(a.3) a third field containing a second secured key covered by a plaintext version of the first secured key;
(a.4) a fourth field containing a third secured key that is different from the first secured key, said third secured key being covered by either a plaintext version the first secured key or by an alternate key;
(a.5) a fifth field containing a secured copy of the alternate key, said secured copy of the alternate key being covered by the public key of the passport-associated user; and
(a.6) a sixth field containing a digital signature covering at least said first through fifth fields;
(b) copying the found passport;
(c) clearing the fourth and fifth fields of the passport copy;
(d) overwriting the sixth field of the passport copy with a new digital signature covering all other fields of the cleared passport copy; and
(e) exporting the cleared and resigned passport copy out of the second location.
21. A machine-implemented method for providing intelligible access to algorithmically-secured data stored at a first location in response to an access request submitted at the first location, wherein the access request includes submission of a password and submission of an identification of a requesting user at the first location, and further wherein a user-associated passport said method comprising the steps carried out at the first location of:
(a) finding a passport associated with the submitted identification, wherein said passport includes:
(a.1) a first field having a user identification matching the submitted identification and associating the passport with a corresponding user;
(a.2) a second field containing a first secured key derived from a valid password of the passport-associated user; and
(a.3) a third field containing a secured copy of a prespecified bit sequence, said secured copy of the prespecified bit sequence being covered by a plaintext version of the first secured key;
(b) using the submitted password to attempt decryption of the first secured key, said attempt producing a putative first uncovering of the first secured key;
(c) using the putative first uncovering to attempt decryption of the secured copy of a prespecified bit sequence, said attempt producing a putative second uncovering of the prespecified bit sequence; and
(d) comparing the putative second uncovering against the prespecified bit sequence.
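The following is an added, runnable model of the passport structure and checks recited in claims 1, 8/9, 20 and 21; it is example code written for this page, not code from the patent or its assignee. The patent names no cipher, key-derivation function, signature scheme or marker value, so the following are assumptions: PBKDF2-SHA256 with a per-passport salt as the password-derived covering key, HMAC-SHA256 in counter mode as the "covering" cipher, an 8-byte constant MAGIC as the "prespecified bit sequence" that makes format checking possible, and an HMAC under a station key standing in for the station's digital signature. The "alternate key" path of claims 20 (a.5), 25, 31 and 34 is not modelled. Functions are named after the claim steps they implement; the names are the example's own.

```python
import hashlib
import hmac
import secrets

# Constructed constants (not from the patent): the patent names no cipher,
# KDF, nonce size or marker value.
MAGIC = b"PASSPORT"      # "prespecified bit sequence" used for format checking (claim 21)
NONCE_LEN = 16
KEY_LEN = 32
PBKDF2_ITERS = 100_000


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a standard-library stand-in for the unspecified cipher."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def cover(key: bytes, plaintext: bytes) -> bytes:
    """'Cover' a value under a key: fresh nonce || (plaintext XOR keystream)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def uncover(key: bytes, blob: bytes) -> bytes:
    """Inverse of cover(); a wrong key yields unrelated bytes rather than an error."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def password_key(password: str, salt: bytes) -> bytes:
    """Covering key derived from the memorized password (the salt is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS, KEY_LEN)


def _signed_fields(p: dict) -> bytes:
    # The signature covers every field except itself (claim 20 (a.6)).
    return b"|".join([p["user_id"].encode(), p["salt"], p["f1"], p["f2"], p["f3"]])


def sign(p: dict, station_key: bytes) -> None:
    """HMAC under a station key stands in for the station's digital signature."""
    p["sig"] = hmac.new(station_key, _signed_fields(p), hashlib.sha256).digest()


def signature_ok(p: dict, station_key: bytes) -> bool:
    expected = hmac.new(station_key, _signed_fields(p), hashlib.sha256).digest()
    return hmac.compare_digest(expected, p["sig"])


def generate_passport(user_id: str, password: str, station_key: bytes) -> dict:
    """Claim 1 (a) / claim 9 (b): K1 under the password key, K2 and K3 under plaintext K1.
    K2 and K3 are prefixed with MAGIC so that an uncovering attempt can be format-checked."""
    salt = secrets.token_bytes(16)
    k1, k2, k3 = (secrets.token_bytes(KEY_LEN) for _ in range(3))
    p = {
        "user_id": user_id,
        "salt": salt,
        "f1": cover(password_key(password, salt), k1),   # first secured key
        "f2": cover(k1, MAGIC + k2),                      # second secured key
        "f3": cover(k1, MAGIC + k3),                      # third secured key
    }
    sign(p, station_key)
    return p


def export_passport(p: dict, station_key: bytes) -> dict:
    """Claim 1 (b) / claim 20 (b)-(e): copy, clear the key that must not travel, re-sign."""
    exported = dict(p)
    exported["f3"] = b""
    sign(exported, station_key)
    return exported


def _attempt(key: bytes, field: bytes):
    """One 'attempt signal' followed by the format check of claims 8 (a.7) and 21 (d)."""
    if len(field) < NONCE_LEN + len(MAGIC):
        return None                  # blank or irrelevant data, e.g. an exported passport
    pt = uncover(key, field)
    if not hmac.compare_digest(pt[:len(MAGIC)], MAGIC):
        return None                  # a wrong password shows up here as a bad marker
    return pt[len(MAGIC):]


def inspect_passport(p: dict, password: str, station_key: bytes):
    """Claim 9 (c): return (k1, k2, k3) only when every test passes, otherwise None."""
    if not signature_ok(p, station_key):
        return None
    k1 = uncover(password_key(password, p["salt"]), p["f1"])   # first attempt signal
    k2 = _attempt(k1, p["f2"])                                  # second attempt signal
    k3 = _attempt(k1, p["f3"])                                  # third attempt signal
    if k2 is None or k3 is None:
        return None
    return k1, k2, k3


if __name__ == "__main__":
    station = secrets.token_bytes(32)                    # constructed station signing key
    passport = generate_passport("alice", "correct horse battery", station)
    assert inspect_passport(passport, "correct horse battery", station) is not None
    assert inspect_passport(passport, "wrong password", station) is None
    travelling = export_passport(passport, station)
    assert signature_ok(travelling, station)             # still authentic in transit
    assert inspect_passport(travelling, "correct horse battery", station) is None
    print("in-station log-in ok; exported passport cannot grant local access")
```

The point the model makes visible is the one the abstract states: a passport that has travelled still authenticates under the station's signature, but its fourth field is blank, so the local inspector's third attempt signal fails and no access is granted until an in-station copy is present. In a deployment one would replace the XOR keystream plus marker with an authenticated cipher (the marker check is what stops a wrong password from silently producing garbage keys) and the HMAC with a real signature whose private key never leaves the station.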
22. A manufactured passport signal structured for operable use by a machine system that maintains confidential digital information in encrypted form while allowing for intelligible access to such confidential information by users who are authorized for access by a combination of a user-associated password and a user-associated passport, said manufactured passport signal defining for each of an associated one or more authorized users, a passport data structure comprising:
(a) a first field containing a first secured-by-encryption key, where said first secured key is covered by a first covering signal derived from a valid password of the passport-associated user;
(b) a second field containing a second secured-by-encryption key, where said second secured key is covered by a plaintext version of the first secured key; and
(c) a third field that is blank or is filled with irrelevant information, (c.1) where said third field can be overwritten to contain a third secured-by-encryption key that is different from the first secured key in situations where the corresponding passport data structure is physically-secured within said machine system; and
(d) where said machine system requires local presence of a physically-secured, in-system version of the corresponding passport data structure and a verified local uncovering from said in-system version of the corresponding passport data structure of the secured keys in the second and third fields of the in-system version before the machine system locally grants to a requesting user, intelligible access to corresponding confidential information.
[Dependent claims: 23, 24]
25. A manufactured instruction signal structured for instructing a prespecified, instructable machine to carry out a method for providing intelligible access to algorithmically-secured data in response to an access request, wherein the access request includes submission of a password and submission of an identification of a requesting user, said instruction-defined method comprising:
(a) finding a machine-readable passport associated with the submitted identification, wherein said passport includes:
(a.1) a first field having a user identification matching the submitted identification and associating the passport with a corresponding user;
(a.2) a second field containing a first secured key derived from a valid password of the passport-associated user;
(a.3) a third field containing a second secured key covered by a plaintext version of the first secured key; and
(a.4) a fourth field containing a third secured key that is different from the first secured key; and
(a.5) a fifth field containing a fourth secured key, where a plaintext version of the fourth secured key covers the third secured key of the fourth field;
(b) using the submitted password to attempt decryption of the first secured key, said attempt producing a putative first uncovering of the first secured key;
(c) using the putative first uncovering to attempt decryption of the second secured key, said attempt producing a putative second uncovering of the second secured key; and
(d) attempting to generate a plaintext version of the third secured key by using the fourth field in combination with at least the second field.
[Dependent claims: 26, 27, 28, 29, 30]
31. A manufactured signal structured for loading into a prespecified, programmable machine and thereby causing the machine to carry out a method for providing intelligible access to algorithmically-secured data in response to an access request, wherein the machine has a physically secured storage, wherein the access request includes submission of a user identification, and submission of a putative password of a user identified by said user identification, where said access-providing method comprises:
(a) obtaining from said physically secured storage, a machine-readable passport that is associated with the submitted identification, wherein said passport includes:
(a.1) a first field containing data of a first algorithmically-secured key, which data is derived from a valid password of a passport-associated user and from a plaintext version of the first secured key;
(a.2) a second field containing data of a second algorithmically-secured key that is covered by said plaintext version of the first secured key; and
(a.3) a third field containing data of a third algorithmically-secured key that is different from the first algorithmically-secured key; and
(a.4) a fourth field containing data of a fourth algorithmically-secured key, (a.3a) where the third secured key of the third field is covered by a plaintext version of the fourth secured key;
(b) using the submitted, putative password to attempt a decryption of the first secured key, said attempt producing a putative first uncovering of the first secured key from the data of said first field;
(c) using the putative first uncovering to attempt a further decryption of the second secured key, said further attempt producing a putative second uncovering of the second secured key from the data of said second field; and
(d) attempting to generate a plaintext version of the third secured key by trying to decrypt the data of said fourth field while using at least the putative first uncovering for forming a decryption key for decrypting the data of said fourth field.
[Dependent claims: 32, 33]
34. A manufactured instruction signal adapted for instructing a prespecified, instructable machine to carry out a machine-implemented method for protecting algorithmically-secured data from being intelligibly accessed by other than authorized users, where an access request includes submission of a putative password of an authorized user, and submission of a putative identification of the same authorized user to a request-servicing station that has physically secured, storage and processing facilities, where said instructed method comprises:
(a) requiring presentation within said physically secured, storage facilities of the request-servicing station, of an authenticated passport record associated with a user identified by the putative identification, where the presented passport record includes:
(a.1) a first field containing data of a first algorithmically-secured key, where said first secured key is derived from a valid password of the passport-associated user and from a first counterpart-plaintext key that is temporarily originated in either the physically secured facilities of the request-servicing station or in physically secured facilities of a like, external station;
(a.2) a second field containing data of a second algorithmically-secured key, where said second secured key is derived from a second counterpart and private key of the passport-associated user and from said first counterpart-plaintext key;
(a.3) a third field containing data of a third algorithmically-secured key, where said third secured key is derived from a public key of the passport-associated user and from a third counterpart-plaintext key that is temporarily created in the physically secured facilities of the request-servicing station, where the third counterpart-plaintext key may be the same as the first counterpart-plaintext key if both of the first and third counterpart-plaintext keys originate in the physically secured facilities of the request-servicing station;
(a.4) a fourth field containing data of a fourth algorithmically-secured key, where said fourth secured key is derived from a fourth counterpart and private key of the request-servicing station and from said third counterpart-plaintext key;
(b) requiring use of the data of said fourth field and use of the data of at least of said first field for reproducing in the physically secured facilities of the request-servicing station, said fourth counterpart and private key of the request-servicing station; and
(c) requiring use of the data of said second field and use of the data of said first field for reproducing in the physically secured facilities of the request-servicing station, said second counterpart and private key of the passport-associated user.