Splitting knowledge of a password
First Claim
Patent Images
1. A method of accessing a password comprising:
- dividing the password received from a client into a plurality of pieces by taking a plurality of hashes of the password, each hash using a different salt value to obtain a plurality of hash values, from each of which a predetermined number of bits are taken to represent each password piece of the plurality of pieces;
storing each piece of the plurality of pieces of the password on a different one of a plurality of servers, each of the plurality of servers being independent from others of the plurality of servers;
separately authenticating a user at each of the plurality of servers, each of the plurality of servers transmitting the piece of the password stored at the respective server to the user when the authentication at that server is successful;
assembling the password from the password pieces transmitted from the plurality of servers; and
deleting the password and the plurality of pieces of the password from the client.
1 Assignment
0 Petitions
Accused Products
Abstract
A password is split into a plurality of pieces. The pieces are stored at different remote servers. The different remote servers have the property that together they can determine that the user has knowledge of the correct password. If any subset of the servers are compromised, the compromised subset cannot convince any remaining servers that they know the password.
-
Citations
27 Claims
-
1. A method of accessing a password comprising:
-
dividing the password received from a client into a plurality of pieces by taking a plurality of hashes of the password, each hash using a different salt value to obtain a plurality of hash values, from each of which a predetermined number of bits are taken to represent each password piece of the plurality of pieces; storing each piece of the plurality of pieces of the password on a different one of a plurality of servers, each of the plurality of servers being independent from others of the plurality of servers; separately authenticating a user at each of the plurality of servers, each of the plurality of servers transmitting the piece of the password stored at the respective server to the user when the authentication at that server is successful; assembling the password from the password pieces transmitted from the plurality of servers; and deleting the password and the plurality of pieces of the password from the client. - View Dependent Claims (2, 3, 4)
-
-
5. A method of securely storing a password comprising:
-
receiving an encrypted portion of the password, the encrypted portion of the password comprising less than the entire password and being derived by taking a plurality of hashes of the password, each hash using a different salt value to obtain a plurality of hash values, from each of which a predetermined number of bits are taken to represent the portion of the password which is then encrypted; storing the encrypted portion of the password with identification information for a user of the encrypted portion of the password; receiving a request for the encrypted portion of the password, the request including the identification information; and returning the encrypted portion of the password to the user when the identification information in the request matches the stored identification information. - View Dependent Claims (6, 7, 8)
-
-
9. A method of receiving a first password of a user, the method comprising:
-
entering a second password of the user; authenticating the user at each of a plurality of servers based on the second password, the plurality of servers being independent from one another; receiving an encrypted version of a portion of the first password from each of the plurality of servers at which the authentication was successful, each of the portions of the first password containing less than the entire password, and the portion of the first password being derived by taking a plurality of hashes of the first password, each hash using a different salt value to obtain a plurality of hash values, from each of which a predetermined number of bits are taken to represent the portion of the first password; decrypting the received encrypted portions of the first password using encryption keys based on the second password; and assembling the first password from the decrypted portions. - View Dependent Claims (10, 11, 12)
-
-
13. A method of authenticating a user at a remote computer system comprising:
-
dividing a password entered by the user into a plurality of pieces by taking a plurality of hashes of the password, each hash using a different salt value to obtain a plurality of hash values, from each of which a predetermined number of bits are taken to represent each piece of the plurality of pieces of the password; transmitting each piece of the plurality of pieces to corresponding ones of a plurality of remote servers, each of the plurality of remote servers being independent from others of the plurality of remote servers, and each of the remote servers having a respective piece of the plurality of pieces of the password pre-registered with the remote server; comparing the transmitted piece of the plurality of pieces of the password to the pre-registered piece of the password at the plurality of servers; generating an authentication accept message at each of the plurality of servers at which the pre-registered piece of the password matches the transmitted piece of the plurality of pieces of the password; and authenticating the user when the authentication accept message is generated for all of the plurality of pieces of the password at the plurality of servers. - View Dependent Claims (14, 15)
-
-
16. A computer server comprising:
-
a computer memory; and a processor coupled to the computer memory, wherein the processor receives an encrypted portion of a password, the encrypted portion of the password comprising less than the entire password, the encrypted portion of the password being derived by taking a plurality of hashes of the password, each hash using a different salt value to obtain a plurality of hash values, from each of which a predetermined number of bits are taken to represent the portion of the password which is then encrypted the encrypted portion of the password is stored with identification information of a user of the encrypted portion of the password over a secure connection, a request for the encrypted portion of the password is recieved, the request including the identification information, the encrypted portion of the password is returned to the user when the identification information in the request matches the stored identification information, and the computer server is independent of other computer servers storing other portions of the password. - View Dependent Claims (17, 18, 19)
-
-
20. A computer readable medium containing computer instructions that when executed by a processor cause the processor to perform operations for securely storing a password comprising:
-
receiving an encrypted portion of the password, the encrypted portion of the password comprising less than the entire password and being derived by taking a plurality of hashes of the password, each hash using a different salt value to obtain a plurality of hash values, from each of which, a predetermined number of bits are taken to represent the portion of the password which is then encrypted; storing over a secure connection the encrypted portion of the password with identification information of a user of the encrypted portion of the password; receiving a request for the encrypted portion of the password, the request including the identification information; and returning the encrypted portion of the password to the user when the identification information in the request matches the stored identification information. - View Dependent Claims (21, 22, 23)
-
-
24. A computer readable medium containing computer instructions that when executed by a processor cause the processor to perform operations that receive a first password of a user, comprising:
-
receiving a second password entered by the user; authenticating the user at each of a plurality of servers based on the second password, the plurality of servers being independent from one another; receiving an encrypted version of a portion of the first password from each of the plurality of servers at which the authentication was successful, each portion of the first password containing less than the entire password and being derived by taking a plurality of hashes of the first password, each hash using a different salt value to obtain a plurality of hash values, from each of which a predetermined number of bits are taken to represent the portion of the first password; decrypting the received encrypted portions of the first password using encryption keys based on the second password; and assembling the first password from the decrypted portions. - View Dependent Claims (25, 26, 27)
-
Specification