NIS+ password update protocol

US 5,734,718 A
Filed: 07/05/1995
Issued: 03/31/1998
Est. Priority Date: 07/05/1995
Status: Expired due to Term

First Claim

Patent Images

1. A method for updating a password in a name service system, said name service system comprising a database stored on a server, said database comprising a password table containing a password for each user name in a plurality of user names, said method comprising the steps of:

sending by a sender a user name in said plurality of user names to a password update process running on said server, said sender being under the control of a user;

determining whether said sender has authority to update said user name'"'"'s password;

determining by said password update process whether password aging criteria for said user name are met;

if said sender has authority to update said user name'"'"'s password and said password aging criteria are met, performing the steps of;

prompting said user for a new password;

encrypting said new password;

sending said encrypted new password to said password update process;

decrypting said encrypted new password; and

storing said new password in said password table.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides methods and apparatus for updating passwords in a name service system. A server includes a name service database that further includes a plurality of tables with information, including passwords and communications information, concerning users. To enforce name service system security, users are denied direct access to their passwords and password aging information. These may be updated only through a process running on the NIS+ server. The password process has write access to the password and aging information in the database and is invoked when users change their passwords. To update a password, the user'"'"'s computer, the client computer, contacts the password update process and sends an encrypted version of the current password. The password update process decrypts the encrypted password and verifies that the user is authentic and the aging criteria are met. The user then enters a new password which is encrypted and provided to the password update process, which enters the new password in the password table.

102 Citations

View as Search Results

24 Claims

1. A method for updating a password in a name service system, said name service system comprising a database stored on a server, said database comprising a password table containing a password for each user name in a plurality of user names, said method comprising the steps of:
- sending by a sender a user name in said plurality of user names to a password update process running on said server, said sender being under the control of a user;
  
  determining whether said sender has authority to update said user name'"'"'s password;
  
  determining by said password update process whether password aging criteria for said user name are met;
  
  if said sender has authority to update said user name'"'"'s password and said password aging criteria are met, performing the steps of;
  
  prompting said user for a new password;
  
  encrypting said new password;
  
  sending said encrypted new password to said password update process;
  
  decrypting said encrypted new password; and
  
  storing said new password in said password table.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein said password table is stored in an NIS+ database.
  - 3. The method of claim 1 wherein said step of determining whether said sender has authority to update said user name'"'"'s password comprises the steps of:
    - prompting said user for a login password;
      
      encrypting said login password;
      
      sending said encrypted login password to said password update process running on said server;
      
      decrypting by said password update process said encrypted login password; and
      
      comparing by said password update process said decrypted login password with a password for said user name stored in said password table.
  - 4. The method of claim 3 wherein:
    - said step of encrypting said login password comprises the steps of;
      
      generating a Diffie-Hellman key pair (P_u, S_u) for said sender based on the current time and said login password;
      
      obtaining said server'"'"'s public key (P_d);
      
      generating a common key (CK_ud) from said server'"'"'s public key and said sender'"'"'s private key (S_u); and
      
      encrypting said login password with CK_ud ; and
      
      said step of decrypting by said password update process said encrypted login password comprises the steps of;
      
      generating CK_ud from said sender'"'"'s public key (P_u) and said server'"'"'s private key (S_d); and
      
      decrypting said encrypted login password with CK_ud.
  - 5. The method of claim 4, where said database further comprises name information service private keys and name information service passwords for at least some user names in said plurality of user names, further comprising the steps, performed after said step of sending said encrypted new password to said password update process, of:
    - attempting by said password update process to retrieve a name information service private key for said user name stored in said database based upon said login password;
      
      if said name information service private key exists and said user name'"'"'s name information service password does not equal said login password, performing the steps of;
      
      generating a new name information service public and private keys;
      
      encrypting said new name information service private key with said new password; and
      
      storing said encrypted new name information service private key in said database,thereby ensuring that a name information service password identical to said new password is stored in said database for said user name.
  - 6. The method of claim 3 further comprising the steps of:
    - initializing an identification variable n to 0;
      
      if said decrypted login password does not match said password for said user name stored in said password table, performing the steps of;
      
      incrementing n; and
      
      if n is equal to a predetermined maximum value N, preventing said user from further attempting to update a password in said database.
  - 7. The method of claim 1, further comprising the steps, performed if said sender has authority to update said user name'"'"'s password and said password aging criteria are met, of:
    - generating by said password update process a random number R; and
      
      sending R to said sender;
      
      where in said step of encrypting said new password said new password is encrypted together with R;
      
      where in said step of sending said encrypted new password said new password encrypted together with R is sent; and
      
      where said password update process performs said step of storing said new password only if the value of R encrypted together with said new password matches the value as first generated.
  - 8. The method of claim 1 wherein said step of encrypting said new password further includes the step of encrypting said new password according to a data encryption standard (DES) algorithm.
  - 9. The method of claim 1 wherein password aging criteria are stored in said password table.
  - 10. The method of claim 9 wherein said password table comprises a plurality of columns and said password aging criteria are stored in one column of said plurality of columns.

11. A network including a client and a server for updating passwords in a name service system, said name service system comprising a database stored on a server, said database comprising a password table containing a password for each user name in a plurality of user names, said network comprising:
- a transmission device included in said client that sends a user name in said plurality of user names to a password update process running on said server, said client being under the control of a user;
  
  a computing device included in said server that determines whether said client has authority to update said user name'"'"'s password;
  
  a computing device included in said server that determines whether password aging criteria for said user name are met;
  
  a prompting device included in said client that prompts said user for a new password if said sender has authority to update said user name'"'"'s password and said aging criteria are met;
  
  an encrypting device included in said client that encrypts said new password;
  
  wherein said transmission device sends said encrypted new password to said password update process;
  
  a decrypting device included in said server that decrypts said encrypted new password; and
  
  a storage device included in said server that stores said new password in a password table.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The network of claim 11 wherein said password able is stored in an NIS+ database.
  - 13. The network of claim 11 wherein said computing device for determining whether said client has authority to update said user name'"'"'s password comprises:
    - a decrypting device that decrypts an encrypted login password; and
      
      a comparator that compares said decrypted login password with a password for said user name stored in said password table.
  - 14. The network of claim 13 wherein:
    - said encrypting device included in said client further comprises;
      
      a Diffie-Hellman key pair generator;
      
      a common key generator that generates a common key (CK_ud) based upon said server'"'"'s public key (P_d) and said client'"'"'s private key (S_u);
      
      a password encrypting device that encrypts said login password with CK_ud ;
      
      said decrypting device included in said server further comprises;
      
      a common key generator that generates CK_ud from said client'"'"'s public key (P_u) and said server'"'"'s secret key (S_d); and
      
      a password decryption device that decrypts said encrypted login password with CK_ud.
  - 15. The network of claim 14 wherein:
    - said server further comprises an initializing device that initializes an attempt variable n to 0;
      
      said server further comprises an incrementer that increments n if said decrypted login password does not match said password for said user name stored in said password table;
      
      said server further comprises logic that transmits an error message to said client when n equals a predetermined maximum value N; and
      
      said client further comprises logic that prevents said user from attempting to update a password in said database when said error message is received.
  - 16. The network of claim 11 wherein:
    - said server further comprises a pseudo-random number generator that generates a random number R;
      
      said server further comprises a device that transmits R to said client;
      
      and wherein;
      
      said encrypting device included in said client encrypts said new password together with R;
      
      said transmission device included in said client sends said new password encrypted together with R to said password update process;
      
      said decrypting device included in said server decrypts said encrypted new password and R, producing a decrypted R;
      
      said storage device included in said server stores said new password for said user name only if said decrypted R is identical to said random number R previously generated by said pseudo-random number generator.
  - 17. The network of claim 11 wherein said client encryption device comprises a data encryption standard (DES) encryption device.
  - 18. The network of claim 11 wherein password aging criteria are stored in said password table.
  - 19. The network of claim 18 wherein said password table comprises a plurality of columns and said password aging criteria are stored in one column of said plurality of columns.

20. A computer program product comprising:
- a computer usable medium having computer readable code embodied therein for updating a password in a name service system comprising a database stored on a server, said database comprising a password table containing a password for each user name in a plurality of user names, said computer readable code comprising;
  
  a first computer readable program code device that sends from a client a user name in said plurality of user names to a password update process running on said server, said client being under the control of a user;
  
  a second computer readable program code device that determines whether said client has authority to update said user name'"'"'s password;
  
  a third computer readable program code device that determines by said password update process whether password aging criteria for said user name are met;
  
  a fourth computer readable program code device that prompts said user for a new password if said client has authority to update said user name'"'"'s password and said aging criteria are met;
  
  a fifth computer readable program code device that encrypts said new password;
  
  a sixth computer readable program code device that sends said encrypted new password to said password update process; and
  
  a seventh computer readable program code device that decrypts said encrypted new password and store said new password in said password table.
- View Dependent Claims (21, 22)
- - 21. The computer program product of claim 20 wherein said seventh computer readable program code device stores said new password in an NIS+ database which contains said password table.
  - 22. The computer program product of claim 20 wherein said second computer readable program code device comprises a computer readable program code device that:
    - prompts said user for a login password;
      
      encrypts said login password; and
      
      sends said encrypted login password to said password update process running on said server.

23. A method for updating a password in a name service system, said name service system comprising a database stored on a server, said database comprising a password table containing a password for each user name in a plurality of user names, said method comprising the steps of:
- receiving a user name in said plurality of user names and information identifying a sender;
  
  determining whether said sender has authority to update said user name'"'"'s password;
  
  determining whether password aging criteria for said user name are met;
  
  if said sender has authority to update said user name'"'"'s password and said password aging criteria are met, performing the steps of;
  
  sending said sender a success message;
  
  receiving an encrypted new password from said sender;
  
  decrypting said encrypted new password; and
  
  storing said new password in said password table.

24. A method for updating a password in a name service system, said name service system comprising a database stored on a server, said database comprising a password table containing a password for each user name in a plurality of user names, said method comprising the steps of:
- sending by a sender a user name in said plurality of user names to a password update process running on said server, said sender being under the control of a user;
  
  receiving by said sender from said password update process running on said server an indication of whether said sender has authority to update said user name'"'"'s password and whether password aging criteria are met for said user name;
  
  if said sender has authority to update said user name'"'"'s password and said password aging criteria are met, performing by said sender the steps of;
  
  prompting said user for a new password;
  
  encrypting said new password; and
  
  sending said encrypted new password to said password update process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Prafullchandra, Hemlata S.
Primary Examiner(s)
Gregory, Bernarr E.

Application Number

US08/498,464
Time in Patent Office

1,000 Days
Field of Search

380/4, 380/9, 380/23, 380/25, 380/29, 380/30, 380/46, 380/49, 380/50, 340/825.31, 340/825.34
US Class Current

713/183
CPC Class Codes

G06F 21/31 User authentication

NIS+ password update protocol

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

102 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

NIS+ password update protocol

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

102 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links