Password-based key management
First Claim
1. A method comprising:
creating a data structure including a plurality of user id-user key pairs, each user id-user key pair comprising a user id associated with one of a plurality of users and a user key comprising a master key and a keyed-hash message authentication code encrypted using a hash of a password associated with the user ID, wherein the data structure comprises a plurality of different encryptions of the master key such that the master key may be obtained by operation of any of a plurality of different keys, and each of the plurality of different encryptions is associated with a different user from among the plurality of users, respectively, and wherein a data integrity verification feature, comprising the keyed-hash message authentication code, is based on the hash of the password and is added to each of the plurality of different encryptions of the master key;
checking integrity of user keys from the plurality of user id-user key pairs after each of the plurality of user keys is produced, wherein the integrity check comprises decrypting the user key for comparison to the master key;
storing data encrypted using the master key;
receiving a user id and user password from one of the plurality of users;
selecting a user key from the data structure based on the received user id;
preventing fraudulent access to data comprising:
  tracking attempts by a user to access data, and blocking attempts for a time period after a threshold number of failed attempts;
  reporting failed data access attempts to a system administrator according to user ID;
  increasing a time period a user must wait to attempt to access data after successive failed attempts to access the data; and
  deleting a user ID and a user key after a threshold number of failed attempts to access data;
hashing the received password to produce a hash value;
decrypting the selected user key using the hash value to reproduce the master key; and
decrypting the stored data using the master key.
Abstract
Systems, methods, and data structures permit data to be protected with complex keys and allow users to access the protected data using only a simple user id and password.
12 Claims
1. (Independent claim 1 is reproduced in full under "First Claim" above; dependent claims 2 through 9 are not shown on this page.)
10. A system comprising:
means for producing a plurality of user keys, wherein each user key is associated with one of a plurality of users, respectively, and wherein each of the plurality of user keys comprises a different encryption of a single master key, and wherein each different encryption is performed by operation of a reversible process using a hash value of a password associated with each user as a key in the reversible process, and wherein each user key additionally comprises a keyed-hash message authentication code encrypted using the hash value of the password associated with the user;
means for checking integrity of the plurality of user keys after each of the plurality of user keys is produced, wherein the integrity check comprises decrypting the user key for comparison to the master key;
means for storing a plurality of user IDs, wherein each user ID is associated with one of a plurality of user keys within a user key data structure, and wherein the user key data structure is configured to provide a user key in response to input of a user ID;
means for storing encrypted data using the master key;
means for accessing, upon presentation of a user ID of a user, a user key associated with the user ID of the user, wherein the accessing is from the user key data structure;
means for hashing, upon presentation of a password of the user, the presented password to produce a hash value;
means for verifying the keyed-hash message authentication code encrypted using the hash of the password associated with the user;
means for decrypting the user key using the hash value, thereby creating the master key;
means for preventing fraudulent access to data comprising:
  tracking attempts by a user to access data, and blocking attempts for a time period after a threshold number of failed attempts;
  reporting failed data access attempts to a system administrator according to user ID;
  increasing a time period a user must wait to attempt to access data after successive failed attempts to access the data; and
  deleting a user ID and a user key after a threshold number of failed attempts to access data; and
means for decrypting data using the master key.
11. A computer-readable medium having stored thereon computer executable instructions for performing acts of:
storing data encrypted with a master key;
creating a data structure comprising a plurality of user keys paired with user IDs, wherein each user key is associated with one of a plurality of users, respectively, and wherein each of the plurality of user keys comprises a different encryption of the master key, encrypted by operation of a reversible process using a hash value of a password associated with the user, and wherein each user key additionally comprises a keyed-hash message authentication code encrypted using the hash value of the password associated with the user;
accessing, upon presentation of a user ID of a user, a user key associated with the user ID, from the data structure;
hashing, upon presentation of a password of the user, the presented password to produce a hash value;
preventing fraudulent access to data comprising:
  tracking attempts by a user to access data, and blocking attempts for a time period after a threshold number of failed attempts;
  reporting failed data access attempts to a system administrator according to user ID;
  increasing a time period a user must wait to attempt to access data after successive failed attempts to access the data; and
  deleting a user ID and a user key after a threshold number of failed attempts to access data;
verifying the keyed-hash message authentication code encrypted using the hash of the password associated with the user;
decrypting the user key using the hash value, thereby creating the master key;
decrypting data using the master key; and
sending the data to the user.
(Dependent claim 12 is not shown on this page.)
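Claims 1, 10 and 11 describe the same procedure: one master key, a separate encryption of it per user under a key derived from that user's password, an integrity tag on each encryption, a self-check (decrypt and compare) when each user key is produced, and lockout, escalating delay, administrator reporting and slot deletion on failed attempts. The following is an added example written for this page, not code from the patent or its assignee, standard-library Python only. Its choices are assumptions where the claims are generic: PBKDF2-HMAC-SHA256 stands in for the "hash of the password", an HMAC-SHA256 keystream XORed with the plaintext stands in for the "reversible process", encrypt-then-MAC with the tag stored next to the ciphertext stands in for the "keyed-hash message authentication code", and a list stands in for the administrator report. The names `KeyStore`, `seal`, `open_sealed` and `new_master_key` are this example's own.

```python
"""Added example: password-gated master-key store in the style of the claims above.
Stdlib only; PBKDF2, the HMAC-based keystream and the log list are assumptions."""
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional

PBKDF2_ITERS = 100_000  # assumption: the claims only say "hash of the password"


def new_master_key() -> bytes:
    """Fresh 256-bit master key; users only ever hold encryptions of it."""
    return os.urandom(32)


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERS)


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """The 'reversible process': XOR with HMAC-SHA256(key, nonce || counter) blocks."""
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under subkeys of `key`: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the HMAC before decrypting; None on any integrity failure."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return _xor_stream(hmac.new(key, b"enc", hashlib.sha256).digest(), nonce, ct)


class KeyStore:
    """user id -> user key, i.e. the master key sealed under that user's password hash."""

    def __init__(self, lock_after: int = 3, delete_after: int = 6, base_lock_s: float = 30.0):
        self.slots: Dict[str, Dict[str, bytes]] = {}
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}
        self.admin_log: List[tuple] = []   # stands in for reporting to an administrator
        self.lock_after, self.delete_after, self.base_lock_s = lock_after, delete_after, base_lock_s
        self.clock = time.monotonic        # injectable so a test can advance time

    def add_user(self, uid: str, password: str, master_key: bytes) -> None:
        salt = os.urandom(16)
        kek = _password_hash(password, salt)
        slot = {"salt": salt, "blob": seal(kek, master_key)}
        # Integrity check "after each user key is produced": decrypt and compare.
        if open_sealed(kek, slot["blob"]) != master_key:
            raise RuntimeError("user key self-check failed")
        self.slots[uid] = slot
        self.failures.pop(uid, None)
        self.locked_until.pop(uid, None)

    def is_locked(self, uid: str) -> bool:
        return self.clock() < self.locked_until.get(uid, 0.0)

    def unlock(self, uid: str, password: str) -> Optional[bytes]:
        """Master key on success; None for a wrong password, a lockout or an unknown/deleted id."""
        slot = self.slots.get(uid)
        if slot is None or self.is_locked(uid):
            return None                    # blocked attempts do no key derivation at all
        master = open_sealed(_password_hash(password, slot["salt"]), slot["blob"])
        if master is None:
            self._record_failure(uid)
            return None
        self.failures.pop(uid, None)
        self.locked_until.pop(uid, None)
        return master

    def _record_failure(self, uid: str) -> None:
        n = self.failures[uid] = self.failures.get(uid, 0) + 1
        now = self.clock()
        self.admin_log.append((uid, n, now))
        if n >= self.delete_after:         # hard stop: the user id and user key are dropped
            del self.slots[uid]
            self.failures.pop(uid)
            self.locked_until.pop(uid, None)
            self.admin_log.append((uid, "deleted", now))
        elif n >= self.lock_after:         # lockout whose length doubles per further failure
            self.locked_until[uid] = now + self.base_lock_s * 2 ** (n - self.lock_after)
```

Data at rest is protected with `seal(master_key, ...)` and read back with `open_sealed(master_key, ...)`; adding a second user needs the master key, so it is done by someone who has just unlocked a slot. Two caveats a practitioner would raise against this design as claimed: the master key is only as strong as the weakest password among the slots, since any one of them recovers it; and the deletion step hands anyone who knows a user id a denial of service, because a handful of wrong passwords wipes that user's slot for good. In production the toy keystream and PBKDF2 would be replaced by an AEAD (AES-GCM or ChaCha20-Poly1305) and a memory-hard KDF such as scrypt or Argon2.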