Splitting knowledge of a password

US 6,959,394 B1
Filed: 09/29/2000
Issued: 10/25/2005
Est. Priority Date: 09/29/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method of accessing a password comprising:

dividing the password received from a client into a plurality of pieces by taking a plurality of hashes of the password, each hash using a different salt value to obtain a plurality of hash values, from each of which a predetermined number of bits are taken to represent each password piece of the plurality of pieces;

storing each piece of the plurality of pieces of the password on a different one of a plurality of servers, each of the plurality of servers being independent from others of the plurality of servers;

separately authenticating a user at each of the plurality of servers, each of the plurality of servers transmitting the piece of the password stored at the respective server to the user when the authentication at that server is successful;

assembling the password from the password pieces transmitted from the plurality of servers; and

deleting the password and the plurality of pieces of the password from the client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A password is split into a plurality of pieces. The pieces are stored at different remote servers. The different remote servers have the property that together they can determine that the user has knowledge of the correct password. If any subset of the servers are compromised, the compromised subset cannot convince any remaining servers that they know the password.

Citations

27 Claims

1. A method of accessing a password comprising:
- dividing the password received from a client into a plurality of pieces by taking a plurality of hashes of the password, each hash using a different salt value to obtain a plurality of hash values, from each of which a predetermined number of bits are taken to represent each password piece of the plurality of pieces;
  
  storing each piece of the plurality of pieces of the password on a different one of a plurality of servers, each of the plurality of servers being independent from others of the plurality of servers;
  
  separately authenticating a user at each of the plurality of servers, each of the plurality of servers transmitting the piece of the password stored at the respective server to the user when the authentication at that server is successful;
  
  assembling the password from the password pieces transmitted from the plurality of servers; and
  
  deleting the password and the plurality of pieces of the password from the client.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the password is a private key in a public/private key pair.
  - 3. The method of claim 1, wherein a second password is used to authenticate the user at each of the plurality of servers, the second password being a weak password.
  - 4. The method of claim 3, wherein each of the pieces of the password are encrypted before being stored on each of the servers, encryption keys for the encryption of the password pieces being derived from the second password.

5. A method of securely storing a password comprising:
- receiving an encrypted portion of the password, the encrypted portion of the password comprising less than the entire password and being derived by taking a plurality of hashes of the password, each hash using a different salt value to obtain a plurality of hash values, from each of which a predetermined number of bits are taken to represent the portion of the password which is then encrypted;
  
  storing the encrypted portion of the password with identification information for a user of the encrypted portion of the password;
  
  receiving a request for the encrypted portion of the password, the request including the identification information; and
  
  returning the encrypted portion of the password to the user when the identification information in the request matches the stored identification information.
- View Dependent Claims (6, 7, 8)
- - 6. The method of claim 5, wherein the password is a private key in a public/private key pair.
  - 7. The method of claim 5, wherein the received encrypted portion of the password is encrypted based on a symmetric encryption of the portion of the password using a key based on a second password, the second password being a weak password.
  - 8. The method of claim 7, wherein the identification information of the user of the encrypted portion of the password is based on the second password.

9. A method of receiving a first password of a user, the method comprising:
- entering a second password of the user;
  
  authenticating the user at each of a plurality of servers based on the second password, the plurality of servers being independent from one another;
  
  receiving an encrypted version of a portion of the first password from each of the plurality of servers at which the authentication was successful, each of the portions of the first password containing less than the entire password, and the portion of the first password being derived by taking a plurality of hashes of the first password, each hash using a different salt value to obtain a plurality of hash values, from each of which a predetermined number of bits are taken to represent the portion of the first password;
  
  decrypting the received encrypted portions of the first password using encryption keys based on the second password; and
  
  assembling the first password from the decrypted portions.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9, wherein the first password is a strong user password.
  - 11. The method of claim 9, wherein the first password is a private key in a public/private key pair.
  - 12. The method of claim 9, wherein the second password is a weak password.

13. A method of authenticating a user at a remote computer system comprising:
- dividing a password entered by the user into a plurality of pieces by taking a plurality of hashes of the password, each hash using a different salt value to obtain a plurality of hash values, from each of which a predetermined number of bits are taken to represent each piece of the plurality of pieces of the password;
  
  transmitting each piece of the plurality of pieces to corresponding ones of a plurality of remote servers, each of the plurality of remote servers being independent from others of the plurality of remote servers, and each of the remote servers having a respective piece of the plurality of pieces of the password pre-registered with the remote server;
  
  comparing the transmitted piece of the plurality of pieces of the password to the pre-registered piece of the password at the plurality of servers;
  
  generating an authentication accept message at each of the plurality of servers at which the pre-registered piece of the password matches the transmitted piece of the plurality of pieces of the password; and
  
  authenticating the user when the authentication accept message is generated for all of the plurality of pieces of the password at the plurality of servers.
- View Dependent Claims (14, 15)
- - 14. The method of claim 13, wherein a piece of the password is pre-registered at a computer local to the user and the authentication accept message is generated by the computer local to the user when the pre-registered piece of the password at the computer local to the user matches a corresponding piece of the password entered by the user.
  - 15. The method of claim 14, wherein the authentication accept messages are received and accepted at a content server remote from the user.

16. A computer server comprising:
- a computer memory; and
  
  a processor coupled to the computer memory, whereinthe processor receives an encrypted portion of a password, the encrypted portion of the password comprising less than the entire password, the encrypted portion of the password being derived by taking a plurality of hashes of the password, each hash using a different salt value to obtain a plurality of hash values, from each of which a predetermined number of bits are taken to represent the portion of the password which is then encrypted the encrypted portion of the password is stored with identification information of a user of the encrypted portion of the password over a secure connection, a request for the encrypted portion of the password is recieved, the request including the identification information, the encrypted portion of the password is returned to the user when the identification information in the request matches the stored identification information, and the computer server is independent of other computer servers storing other portions of the password.
- View Dependent Claims (17, 18, 19)
- - 17. The computer server of claim 16, wherein the password is a private key in a public/private key pair.
  - 18. The computer server of claim 16, wherein the received encrypted portion of the password is encrypted based on a symmetric encryption of the portion of the password using a key based on a second password, the second password being a weak password.
  - 19. The computer server of claim 18, wherein the identification information of the user of the encrypted portion of the password is based on the second password.

20. A computer readable medium containing computer instructions that when executed by a processor cause the processor to perform operations for securely storing a password comprising:
- receiving an encrypted portion of the password, the encrypted portion of the password comprising less than the entire password and being derived by taking a plurality of hashes of the password, each hash using a different salt value to obtain a plurality of hash values, from each of which, a predetermined number of bits are taken to represent the portion of the password which is then encrypted;
  
  storing over a secure connection the encrypted portion of the password with identification information of a user of the encrypted portion of the password;
  
  receiving a request for the encrypted portion of the password, the request including the identification information; and
  
  returning the encrypted portion of the password to the user when the identification information in the request matches the stored identification information.
- View Dependent Claims (21, 22, 23)
- - 21. The computer readable medium of claim 20, wherein the password is a private key in a public/private key pair.
  - 22. The computer readable medium of claim 20, wherein the received encrypted portion of the password is encrypted based on a symmetric encryption of the portion of the password using a key based on a second password, the second password being a weak password.
  - 23. The computer readable medium of claim 22, wherein the identification information of the user of the encrypted portion of the password is based on the second password.

24. A computer readable medium containing computer instructions that when executed by a processor cause the processor to perform operations that receive a first password of a user, comprising:
- receiving a second password entered by the user;
  
  authenticating the user at each of a plurality of servers based on the second password, the plurality of servers being independent from one another;
  
  receiving an encrypted version of a portion of the first password from each of the plurality of servers at which the authentication was successful, each portion of the first password containing less than the entire password and being derived by taking a plurality of hashes of the first password, each hash using a different salt value to obtain a plurality of hash values, from each of which a predetermined number of bits are taken to represent the portion of the first password;
  
  decrypting the received encrypted portions of the first password using encryption keys based on the second password; and
  
  assembling the first password from the decrypted portions.
- View Dependent Claims (25, 26, 27)
- - 25. The computer readable medium of claim 24, wherein the first password is a strong user password.
  - 26. The computer readable medium of claim 24, wherein the first password is a private key in a public/private key pair.
  - 27. The computer readable medium of claim 24, wherein the second password is a weak password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Chan, Keen, Brickell, Ernie
Primary Examiner(s)
Zand, Kambiz

Application Number

US09/672,495
Time in Patent Office

1,852 Days
Field of Search

713/202, 713/183, 713/200, 713/201, 713/184, 380/44, 705/18, 705/71, 700225-227, 700/237, 711/164, 714/164
US Class Current

726/5
CPC Class Codes

G06Q 20/3829   involving key management

H04L 63/0435   wherein the sending and rec...

H04L 63/083   using passwords cryptograph...

Splitting knowledge of a password

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Splitting knowledge of a password

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links