Method and apparatus for password based authentication in a distributed system

US 6,094,721 A
Filed: 10/31/1997
Issued: 07/25/2000
Est. Priority Date: 10/31/1997
Status: Expired due to Term

First Claim

Patent Images

1. In a client process capable of attempting access to one or more server processes, an apparatus for enabling authentication of a password which is changed from time to time, the apparatus comprising:

a. identification logic configured to maintain a plurality of keys associated with the client process, each of the keys associated with a password, one of the keys being designated as current and derived from a current password that is in use, other of the keys designated as non-current and derived from non-current previously-used passwords;

b. response logic configured to allow access to a server process if any one of the current and non-current keys corresponds to authentication data with which the server process challenged an access attempt by the client process; and

c. update logic configured to provide a current key identifier to the server process, if the authentication data did not correspond to the current key.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for updating the password status of one or more servers in a client/server environment utilizes multiple passwords associated with a client process, including a current password and one or more non-current passwords. Each password has associated therewith a key and a key identifier. If upon an attempted access, a server process challenges the client process with a non-current key identifier, the client process provides the corresponding key associated with the non-current password. Once access to the server is achieved, the key identifier associated with the current password is supplied to the server process by the client process. In a networked server environment, the updated server process may provide the updated key identifier to other server processes which have knowledge of the client profile.

Citations

26 Claims

1. In a client process capable of attempting access to one or more server processes, an apparatus for enabling authentication of a password which is changed from time to time, the apparatus comprising:
- a. identification logic configured to maintain a plurality of keys associated with the client process, each of the keys associated with a password, one of the keys being designated as current and derived from a current password that is in use, other of the keys designated as non-current and derived from non-current previously-used passwords;
  
  b. response logic configured to allow access to a server process if any one of the current and non-current keys corresponds to authentication data with which the server process challenged an access attempt by the client process; and
  
  c. update logic configured to provide a current key identifier to the server process, if the authentication data did not correspond to the current key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus of claim 1 wherein the identification logic further comprises:
    - a.1 password logic configured to associate with the client process, a plurality of passwords, one of the passwords designated as a current password.
  - 3. The apparatus of claim 2 wherein the identification logic further comprises:
    - a.2 key generation logic responsive to one of the passwords and configured to generate a key at least partially derived from one of the passwords.
  - 4. The apparatus of claim 3 wherein the generation logic further comprises:
    - a.3 identifier generation logic responsive to one of the keys and configured to generate a key identifier at least partially derived from the key.
  - 5. The apparatus of claim 3 wherein the key generation logic comprises:
    - a.2.1 cryptographic logic configured to generate a cryptographic key at least partially derived from one of the passwords.
  - 6. The apparatus of claim 5 wherein the key comprises a cryptographic key combination comprising a private key component and a public key component.
  - 7. The apparatus of claim 6 wherein the authentication data comprises a public key identifier and wherein the update logic comprises:
    - c.1 public key logic configured to respond to the server process with a public key corresponding to the public key identifier of the authentication data.
  - 8. The apparatus of claim 7 wherein the update logic comprises:
    - c.2 public key identifier logic configured to supply a public key identifier associated with the current password, if the public key identifier of the authentication data corresponds to other than the current password.
  - 9. The apparatus of claim 1 wherein the server process is operatively coupled to a second secure server process and wherein the server process provides the current key identifier to second server process.

10. A method of authenticating a password which is changed from time to time in a computer system, the computer system having at least first and second processes executable on the computer system, the second process requiring authentication to gain access thereto by the first process, the method comprising the steps of:
- a. associating with the first process a plurality of keys, one of the keys being designated as current and derived from a current password that is in use, other of the keys designated as non-current and derived from non-current previously-used passwords, each of the keys having a key identifier associated therewith;
  
  b. presenting one of the keys to the second process, the presented key corresponding to a key identifier with which the second process challenged the first process, the second process allowing access by the first process if the presented key is any of the current and non-current keys and corresponds to authentication data in the second process; and
  
  c. supplying to the second process a key identifier associated with the current key for use in subsequent challenges, if the second process challenged with a key identifier corresponding to other than the current key.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The method of claim 10 wherein step (a) comprises the step of:
    - a.1 associating with the first process, a plurality of passwords, one of the passwords designated as a current password.
  - 12. The method of claim 11 wherein step (a) further comprises the step of:
    - a.2 generating a key at least partially derived from one of the passwords.
  - 13. The method of claim 11 wherein step (a) further comprises the step of:
    - a.3 generating a key identifier at least partially derived from one of the keys.
  - 14. The method of claim 13 wherein the key comprises a secret key useable to both encrypt and decrypt data.
  - 15. The method of claim 13 wherein the key comprises a cryptographic key combination having a private key component and a public key component.
  - 16. The method of claim 15 wherein step a.3 further comprises the step of:
    - a.3.1 generating a public key identifier at least partially derived from the public key component of the cryptographic key combination.
  - 17. The method of claim 16 wherein the authentication data comprises a public key identifier and wherein step (c) comprises:
    - c.1 responding to the server process with a public key corresponding to the public key identifier of the authentication data.
  - 18. The method of claim 16 wherein step (c) further comprises:
    - c.2 supplying a public key identifier associated with the current password, if the public key identifier of the authentication data corresponds to other than the current password.
  - 19. The method of claim 10 wherein the second process is operatively coupled to a third process and wherein the second process distributes to the third process the key identifier associated with the current key.
  - 20. The method of claim 10 wherein step (c) further comprises the step of:
    - c.1 determining whether the server process is logically associated with another server process to which the client process has previously supplied the key identifier associated with the current key.

21. A computer program product for authenticating a password which is changed from time to time in a computer system, the computer system having at least first and second processes executable on the computer system, the second process requiring authentication to gain access thereto by the first process, the computer program product comprising a computer usable medium having computer program code embodied therein, the program code comprising:
- a. program code for associating with a first process, a plurality of keys, one of the keys designated as current and derived from a current password that is in use, other of the keys designated as non-current and derived from non-current previously-used passwords, each of the keys having a key identifier associated therewith;
  
  b. program code responsive to an authorization challenge from a second process, for supplying one of the keys to the second process, the key corresponding to a key identifier with which the second process presented the authorization challenge, the second process allowing access by the first process if the supplied key is any of the current and non-current keys and corresponds to authentication data in the second process; and
  
  c. program code for supplying to the second process a key identifier associated with the current key for use in subsequent challenges, if the second process presented a key identifier corresponding to other than the current key.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The computer program product of claim 21 wherein the program code for associating further comprises:
    - program code for associating with the client process, a plurality of passwords, one of the passwords designated as a current password.
  - 23. The computer program product of claim 22 wherein the program code for associating further comprises:
    - program code for generating a key at least partially derived from one of the passwords.
  - 24. The computer program product of claim 21 wherein the program code for associating further comprises:
    - program code for generating a key identifier at least partially derived from one of the keys.
  - 25. The computer program product of claim 21 wherein the key comprises a cryptographic key combination having a private key component and a public key component.
  - 26. The computer program product of claim 21 wherein the program code for associating further comprises:
    - program code for determining whether the second process is logically associated with another process to which the first process has previously supplied the key identifier associated with the current key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Kaufman, Charles W., Eldridge, Alan D.
Primary Examiner(s)
Swann, Tod R.
Assistant Examiner(s)
JACK, TODD M

Application Number

US08/961,630
Time in Patent Office

998 Days
Field of Search

380/21, 380/25, 713/168, 235/382.5
US Class Current

713/168
CPC Class Codes

G06F 21/31   User authentication

H04L 9/0891   Revocation or update of sec...

H04L 9/14   using a plurality of keys o...

Method and apparatus for password based authentication in a distributed system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for password based authentication in a distributed system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links