Mitigating dictionary attacks on password-protected local storage

US 20080049939A1
Filed: 08/10/2006
Published: 02/28/2008
Est. Priority Date: 08/10/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a password from a user;

selecting at least one puzzle from a puzzle database based on the received password;

for each selected puzzleproviding the puzzle to the user, andreceiving a solution for the puzzle from the user; and

generating a key based at least on the entirety of at least one solution.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention includes a method for key creation and recovery based on solutions to puzzles solvable by humans and not computers. In some exemplary embodiments, the key is created and recovered based on the solution(s) in conjunction with the password entered by the user. The puzzle(s) is selected based on the password used by the user from a puzzle database containing multiple puzzles that is greater in number to the number of puzzles used in conjunction with a particular password.

45 Citations

View as Search Results

20 Claims

1. A method comprising:
- receiving a password from a user;
  
  selecting at least one puzzle from a puzzle database based on the received password;
  
  for each selected puzzleproviding the puzzle to the user, andreceiving a solution for the puzzle from the user; and
  
  generating a key based at least on the entirety of at least one solution.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method according to claim 1, further comprising using the key for encryption of data.
  - 3. The method according to claim 2, further comprising using the key to authenticate the data being encrypted.
  - 4. The method according to claim 1, further comprising using the key for decryption of data encrypted with the key.
  - 5. The method according to claim 1, wherein creating a key is based on the entirety of at least one solution and the received password.
  - 6. The method according to claim 1, wherein at least eight puzzles are selected from the puzzle database.
  - 7. The method according to claim 1, wherein selecting at least one puzzle includes expanding the received password into a predetermined number of indices corresponding to particular puzzles within the puzzle database.
  - 8. The method according to claim 1, further comprising:
    - receiving information other than the password from the user, andwherein selecting at least one puzzle is based on the received password and information provided by the user.
  - 9. The method according to claim 1, wherein at least one of selecting and generating uses a salt.
  - 10. The method according to claim 1, further comprising generating puzzles for the puzzle database.
  - 11. The method according to claim 10, further comprising:
    - receiving information other than the password from the user, andwherein generating puzzles is based on information received from the user.
  - 12. The method according to claim 1, further comprising generating human-only solvable puzzles for the puzzle database.
  - 13. The method according to claim 1, wherein generating includes using a fuzzy extractor.

14. A method comprising:
- receiving a password from a user;
  
  selecting at least four puzzles indexed with the password from a puzzle database having puzzles solvable by a human and not solvable by a non-human entity;
  
  for each selected puzzleproviding the puzzle to the user, andreceiving a solution for the puzzle from the user;
  
  generating a key based on at least the received solutions; and
  
  using the key to encrypt files.
- View Dependent Claims (15, 16)
- - 15. The method according to claim 14, wherein retrieving includes expanding the received password into indices to provide the index to puzzles in the puzzle database.
  - 16. The method according to claim 14, wherein retrieving includes expanding the received password into indices to provide the index to puzzles in the puzzle database.

17. A computer program product comprising a computer useable medium including a computer readable program, wherein the computer readable program when executed on a computer causes the computer to:
- generate a key includingreceive a password from a user,compute indices based on the received password,select at least one puzzle from a puzzle database based on the computed indices,for each selected puzzle, query the user for a solution,compute a key based on the received at least one solution and the received password, anddiscard the solutions.

18. A method comprising:
- receiving information including a password from a user;
  
  generating one or more puzzles based on at least some of the received information;
  
  for each generated puzzleproviding the puzzle to the user, andreceiving a solution for the puzzle from the user; and
  
  generating a key based at least on the entirety of at least one solution.
- View Dependent Claims (19, 20)
- - 19. The method according to claim 18, wherein generating one or more puzzles uses a salt.
  - 20. The method according to claim 18, further comprising selecting one or more puzzles from at least one of a puzzle database and generated puzzles.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Canetti, Ran, Steiner, Michael, Halevi, Shai

Granted Patent

US 8,108,683 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/277
CPC Class Codes

H04L 9/0863   involving passwords or one-...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3226   using a predetermined code,...

Mitigating dictionary attacks on password-protected local storage

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

45 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Mitigating dictionary attacks on password-protected local storage

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links