System for supporting secured log-in of multiple users into a plurality of computers using combined presentation of memorized password and transportable passport record
First Claim
1. A machine-readable memory [650] for operable use by a machine system [FIGS. 1,6] that maintains confidential digital information [113,643] generally in encrypted form [109,656] while allowing for intelligible access to such confidential information by users who are authorized for access by a combination of a user-associated password [101] and a user-associated passport [150], said machine-readable memory storing for each of an associated one or more authorized users, a passport data structure [150/170] comprising:
- (a) a first field [156/176] storing a first secured-by-encryption key [KS(0/1)*], where said first secured key is covered by a first covering signal [PW*] derived from a valid password [PW,101] of the passport-associated user;
- (b) a second field [155/175] storing a second secured-by-encryption key [PriUK*], where said second secured key is covered by a plaintext version [KS(0/1)] of the first secured key; and
- (c) a third field [154/174],
  - (c.1) where said third field stores a third secured-by-encryption key [PriWK1*] that is different from the first secured key in situations where the machine-readable memory is physically-secured [100] within said machine system,
  - (c.2) where said third field [174] is blank or is filled with irrelevant information in situations where the machine-readable memory is not physically-secured within said machine system, and
- (d) where said machine system requires local presence of a physically-secured, in-system version of the associated passport data structure [150] and a verified local uncovering from said in-system version of the associated passport data structure of the secured keys in the second and third fields [154,155] before the machine system locally grants to a requesting user, intelligible access to corresponding confidential information.
2 Assignments
0 Petitions
Abstract
A system is disclosed for controlling intelligible access to secured files by means of a user-memorized password in combination with a user-associated passport record. The passport record takes on two forms, one when it is physically secured within the workstation and a different second form when the passport record is in-transit. Log-in privileges are granted after a presented passport record passes a number of tests including digital signature authentication, and the ability to extract two different encrypted keys from the passport record. The in-transit record does not carry one of those two keys.
179 Citations
19 Claims
2. A machine-implemented method for providing intelligible access to algorithmically-secured data in response to an access request, wherein the access request includes submission of a password [101] and submission of an identification [152] of a requesting user, said method [201] comprising the steps of:
- (a) finding [200] a machine-readable passport [150] associated with the submitted identification, wherein said passport includes:
  - (a.1) a first field [152] having a user identification matching the submitted identification and associating the passport with a corresponding user;
  - (a.2) a second field [156] containing a first secured key [KS(0/1)*] derived from a valid password [PW] of the passport-associated user;
  - (a.3) a third field [155] containing a second secured key [PriUK*] covered by a plaintext version [KS(0/1)] of the first secured key; and
  - (a.4) a fourth field [154] containing a third secured key [PriWK1*] that is different from the first secured key;
- (b) using [216] the submitted password [101] to attempt decryption of the first secured key [KS(0/1)*], said attempt producing a putative first uncovering [116] of the first secured key;
- (c) using [245] the putative first uncovering [116] to attempt decryption of the second secured key [PriUK*], said attempt producing a putative second uncovering [121] of the second secured key; and
- (d) using [235] the putative first uncovering [116] to attempt decryption of the third secured key [PriWK1*], said attempt producing a putative third uncovering [PriWK1] of the third secured key.

(Dependent claims: 3, 4)
5. A machine-instructing device [635] for instructing a prespecified, instructable machine [610] to carry out a method for providing intelligible access to algorithmically-secured data in response to an access request, wherein the access request includes submission of a password [101] and submission of an identification [152] of a requesting user, said instruction-defined method comprising the steps of:
- (a) finding [200] a machine-readable passport [150] associated with the submitted identification, wherein said passport includes:
  - (a.1) a first field [152] having a user identification matching the submitted identification and associating the passport with a corresponding user;
  - (a.2) a second field [156] containing a first secured key [KS(0/1)*] derived from a valid password [PW] of the passport-associated user;
  - (a.3) a third field [155] containing a second secured key [PriUK*] covered by a plaintext version [KS(0/1)] of the first secured key; and
  - (a.4) a fourth field [154] containing a third secured key [PriWK1*] that is different from the first secured key;
- (b) using [216] the submitted password [101] to attempt decryption of the first secured key [KS(0/1)*], said attempt producing a putative first uncovering [116] of the first secured key;
- (c) using [245] the putative first uncovering [116] to attempt decryption of the second secured key [PriUK*], said attempt producing a putative second uncovering [121] of the second secured key; and
- (d) using [235] the putative first uncovering [116] to attempt decryption of the third secured key [PriWK1*], said attempt producing a putative third uncovering [PriWK1] of the third secured key.

(Dependent claims: 6, 7)
8. A machine-implemented method for providing intelligible access to algorithmically-secured data in response to an access request submitted at a first location [100], wherein the access request includes submission of a password [101] and submission of an identification [152] of a requesting user, said method [202] comprising the steps of:
- (a) obtaining for importation into a physically secured part of said first location [221] a machine-readable passport [170] associated with the submitted identification, wherein said obtained passport includes:
  - (a.1) a first field [172] having a user identification matching the submitted identification and associating the passport with a corresponding user;
  - (a.2) a second field [176] containing a first algorithmically-secured key [KS0*] derived from a valid password [PW] of the passport-associated user;
  - (a.3) a third field [175] containing a second algorithmically-secured key [PriUK*] covered by a plaintext version [KS0] of the first secured key;
  - (a.4) a fourth field [174] that is either blank or contains irrelevant data, where a revised version [154] of the fourth field must be filled with a relevant, third algorithmically-secured key [PriWK1*] before said intelligible access is provided; and
  - (a.5) a fifth field [180] containing a digital signature covering at least said first through fourth fields; and
- (b) using [222] the digital signature to authenticate the signature-covered contents of the obtained passport [170].

(Dependent claims: 9, 10, 11, 12, 13, 14)
15. A machine-implemented method for providing intelligible access to algorithmically-secured data in response to an access request submitted at a first location [Wk2], wherein the access request includes submission of a password [101] and submission of an identification [152] of a requesting user at the first location, and further wherein a user-associated passport [150] required for servicing the access request is physically secured in a second location [100], said method [400] comprising the steps carried out at the second location of:
- (a) finding [200] the passport [150] associated with the submitted identification, wherein said passport includes:
  - (a.1) a first field [152] having a user identification matching the submitted identification and associating the passport with a corresponding user;
  - (a.2) a second field [156] containing a first secured key [KS(0/1)*] derived from a valid password [PW] of the passport-associated user;
  - (a.3) a third field [155] containing a second secured key [PriUK*] covered by a plaintext version [KS(0/1)] of the first secured key;
  - (a.4) a fourth field [154] containing a third secured key [PriWK1*] that is different from the first secured key, said third secured key being covered by either a plaintext version of the first secured key or by an alternate key [KS1];
  - (a.5) a fifth field [157] containing a secured copy [KS1*] of the alternate key, said secured copy of the alternate key being covered by the public key [PubUK] of the passport-associated user; and
  - (a.6) a sixth field [160] containing a digital signature covering at least said first through fifth fields;
- (b) copying [410] the found passport;
- (c) clearing [420] the fourth and fifth fields [154,157] of the passport copy;
- (d) overwriting [430] the sixth field [160] of the passport copy with a new digital signature covering all other fields of the cleared passport copy; and
- (e) exporting [450] the cleared and resigned passport copy [170] out of the second location [100].
16. A machine-implemented method for protecting algorithmically-secured data [109] from being intelligibly accessed [123/113] by other than authorized users, where an access request includes submission of a putative password [101] of an authorized user, and submission of a putative identification [152] of the same authorized user [X/Y/Z] to a request-servicing station [100,600] that has physically secured storage [640,650] and processing [610] facilities, said method [200] comprising the steps of:
- (a) requiring presentation within said physically secured storage facilities of the request-servicing station, of an authenticated [210,222] passport record associated with a user identified by the putative identification, where the presented passport record [150] includes:
  - (a.1) a first field [156] containing data of a first algorithmically-secured key [KS(0/1)*], where said first secured key is derived from a valid password [PW] of the passport-associated user and from a first counterpart-plaintext key [115] that is temporarily originated [112] in either the physically secured facilities of the request-servicing station or in physically secured facilities of a like, external station;
  - (a.2) a second field [155] containing data of a second algorithmically-secured key [PriUK*], where said second secured key is derived from a second counterpart and private key of the passport-associated user and from said first counterpart-plaintext key [KS(0/1),115];
  - (a.3) a third field [157] containing data of a third algorithmically-secured key [KS1*], where said third secured key is derived from a public key [PubUK--X] of the passport-associated user and from a third counterpart-plaintext key [115] that is temporarily created [112] in the physically secured facilities of the request-servicing station, where the third counterpart-plaintext key [KS1] may be the same as the first counterpart-plaintext key [KS(0/1)] if both of the first and third counterpart-plaintext keys originate in the physically secured facilities of the request-servicing station;
  - (a.4) a fourth field [154] containing data of a fourth algorithmically-secured key [PriWK1*], where said fourth secured key is derived from a fourth counterpart and private key [162] of the request-servicing station [100] and from said third counterpart-plaintext key [KS1];
- (b) requiring use of the data of said fourth field [154] and use of the data of at least said first field [156] for reproducing [118], in the physically secured facilities of the request-servicing station, said fourth counterpart and private key [162] of the request-servicing station; and
- (c) requiring use of the data of said second field [155] and use of the data of said first field [156] for reproducing [120], in the physically secured facilities of the request-servicing station, said second counterpart and private key of the passport-associated user.

(Dependent claims: 17, 18, 19)
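The key hierarchy that claims 1, 2, 8 and 15 describe (a covering key PW* derived from the memorized password, KS covered by PW*, the user's private key PriUK and the station's private key PriWK1 each covered by KS, a third field that is blank in the in-transit form, and a signature over the record) as an added, runnable model. This is example code written for this page, not code from the patent or its assignee. Because the claims name no algorithms, everything concrete here is an assumption: PBKDF2-SHA256 with the user id as salt stands in for the password derivation, an HMAC-SHA256 keystream plus HMAC tag stands in for the covering cipher, an HMAC under a station key stands in for the digital signature, and the key values are constructed. Field 157 (KS1* under PubUK) of claim 15 is omitted.

```python
"""Toy model of the password + passport key hierarchy in the claims above.
Added example; the cipher, KDF and 'signature' are stand-ins, not production crypto."""
import hashlib
import hmac
import os
from dataclasses import dataclass, replace

BLANK = b""  # the in-transit passport (claim 8, field 174) carries a blank third field


def pw_cover_key(password: str, user_id: str) -> bytes:
    """PW*: covering key derived from the memorized password.
    Assumption: PBKDF2-SHA256 with the user id as salt (the claims fix no KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user_id.encode(), 100_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def cover(key: bytes, plaintext: bytes) -> bytes:
    """'Cover' a key: nonce || (plaintext XOR HMAC keystream) || HMAC tag.
    The tag lets an uncovering attempt with the wrong key fail cleanly."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def uncover(key: bytes, blob: bytes):
    """Putative uncovering: returns the plaintext key, or None if the covering key is wrong
    or the field was altered."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass(frozen=True)
class Passport:
    user_id: str        # field 152
    ks_star: bytes      # field 156: KS covered by PW*
    priuk_star: bytes   # field 155: PriUK covered by KS
    priwk1_star: bytes  # field 154: PriWK1 covered by KS; BLANK when in transit
    signature: bytes = b""  # field 160/180: covers the fields above


def _signed_bytes(p: Passport) -> bytes:
    return b"|".join([p.user_id.encode(), p.ks_star, p.priuk_star, p.priwk1_star])


def sign(p: Passport, station_key: bytes) -> Passport:
    """Stand-in for the digital signature: HMAC under a station-held key (assumption)."""
    return replace(p, signature=hmac.new(station_key, _signed_bytes(p), hashlib.sha256).digest())


def authentic(p: Passport, station_key: bytes) -> bool:
    expected = hmac.new(station_key, _signed_bytes(p), hashlib.sha256).digest()
    return hmac.compare_digest(p.signature, expected)


def create_passport(user_id: str, password: str, priuk: bytes, priwk1: bytes,
                    station_key: bytes) -> Passport:
    """Build the in-system form: KS is a fresh random key that never leaves the station."""
    ks = os.urandom(32)
    p = Passport(user_id, cover(pw_cover_key(password, user_id), ks),
                 cover(ks, priuk), cover(ks, priwk1))
    return sign(p, station_key)


def export_in_transit(p: Passport, station_key: bytes) -> Passport:
    """Claim 15 steps (b)-(e): copy, clear the station-key field, re-sign, export.
    PriWK1 never travels with the record."""
    return sign(replace(p, priwk1_star=BLANK, signature=b""), station_key)


def login(p: Passport, user_id: str, password: str, station_key: bytes):
    """Claim 2 steps (a)-(d) plus claim 1(d): returns (PriUK, PriWK1) or None."""
    if p.user_id != user_id or not authentic(p, station_key):
        return None
    if p.priwk1_star == BLANK:          # in-transit form: no local grant (claim 1(d))
        return None
    ks = uncover(pw_cover_key(password, user_id), p.ks_star)   # putative first uncovering
    if ks is None:
        return None
    priuk = uncover(ks, p.priuk_star)    # putative second uncovering
    priwk1 = uncover(ks, p.priwk1_star)  # putative third uncovering
    if priuk is None or priwk1 is None:
        return None
    return priuk, priwk1


if __name__ == "__main__":
    station = b"constructed station signing key"
    p = create_passport("alice", "correct horse", b"PriUK-alice", b"PriWK1-station", station)
    print("in-system login:", login(p, "alice", "correct horse", station) is not None)
    t = export_in_transit(p, station)
    print("transit copy authentic:", authentic(t, station), "| transit login:", login(t, "alice", "correct horse", station))
```

The design point worth noting is that each uncovering is authenticated, so a wrong password fails at step (b) rather than yielding garbage that is only detected later, and the exported copy verifies under the new signature yet cannot be used for a local grant because its fourth field is blank, which is the in-transit property the abstract and claim 8 describe.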
Specification