Secure object for convenient identification

US 7,581,099 B2
Filed: 02/20/2007
Issued: 08/25/2009
Est. Priority Date: 03/03/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method for controlling access to a process to be executed on a data processing system, comprising:

providing an interface for coupling a security device to the data processing system, wherein the security device is a separate hardware device from the data processing system;

receiving user input of an identifier for accessing the security device;

verifying the identifier;

accessing the security device, in response to the identifier being verified, to obtain authentication data for the process to be executed on the data processing system;

automatically capturing user authentication data input by a user into the data processing system;

automatically converting the user authentication data into a stronger form of user authentication data to be presented to a process for accessing the process; and

automatically storing the stronger form of user authentication data in the security device; and

injecting the stronger form of authentication data into a login process associated with the process to be executed to automatically authenticate a user to the process to be executed, wherein the automatic capturing, converting and storing operations are performed by an access agent executing on the data processing system, and wherein the access agent is configured to periodically change the user authentication data for accessing a process automatically without the user being aware of the change.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for controlling access to a process to be executed on a data processing system is provided. An interface is provided for coupling a security device to the data processing system. The security device is a separate hardware device from the data processing system. User input of an identifier for accessing the security device is received, the identifier is verified, and the security device is accessed, in response to the identifier being verified, to obtain authentication data for the process to be executed on the data processing system. The authentication data is injected into a login process associated with the process to be executed to automatically authenticate a user to the process to be executed. The security device uses private-public key authentication to authenticate the user to the process to be executed without the user being aware that private-public key authentication is being performed.

25 Citations

View as Search Results

17 Claims

1. A method for controlling access to a process to be executed on a data processing system, comprising:
- providing an interface for coupling a security device to the data processing system, wherein the security device is a separate hardware device from the data processing system;
  
  receiving user input of an identifier for accessing the security device;
  
  verifying the identifier;
  
  accessing the security device, in response to the identifier being verified, to obtain authentication data for the process to be executed on the data processing system;
  
  automatically capturing user authentication data input by a user into the data processing system;
  
  automatically converting the user authentication data into a stronger form of user authentication data to be presented to a process for accessing the process; and
  
  automatically storing the stronger form of user authentication data in the security device; and
  
  injecting the stronger form of authentication data into a login process associated with the process to be executed to automatically authenticate a user to the process to be executed, wherein the automatic capturing, converting and storing operations are performed by an access agent executing on the data processing system, and wherein the access agent is configured to periodically change the user authentication data for accessing a process automatically without the user being aware of the change.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the security device stores authentication data for a plurality of processes, and wherein accessing the security device to obtain authentication data for the process to be executed comprises selecting authentication data for the process to be executed, from the stored authentication data for the plurality of processes, based on an identity of the process to be executed.
  - 3. The method of claim 1, wherein the authentication data comprises a user identifier and a password associated with the process to be executed.
  - 4. The method of claim 1, wherein:
    - the security device stores a setup program that executes in response to coupling the security device to the data processing system,the setup program determines if an access agent is installed on the data processing system, andif an access agent is determined to not be installed on the data processing system, the setup program initiates an operation through which the data processing system retrieves the access agent from a remote computing device identified by the security device and installs the access agent on the data processing system.
  - 5. The method of claim 1, wherein the identifier is verified by the data processing system communicating with a remote computing device that compares the identifier with an authentic identifier for accessing the security device.
  - 6. The method of claim 1, wherein:
    - the receiving, verifying, and accessing operations are performed by an access agent executing as a background process on the data processing system,the access agent monitors at least one of login, logout, or change of password activities performed by a user via user interfaces generated on the data processing system, andthe access agent records authentication data associated with the login, logout, or change of password activities in the security device as encrypted access scripts.
  - 7. The method of claim 1, wherein:
    - the receiving, verifying, and accessing operations are performed by an access agent executing as a background process on the data processing system,the access agent captures operating system messages for an application executing on the data processing system and identifies whether any operating system messages in the captured operating system messages comprise user authentication data,the access agent stores the user authentication data in the security device in response to a captured operating system message being identified as having user authentication data, andthe access agent generates access scripts to be played back when a user subsequently attempts to access the application.
  - 8. The method of claim 7, wherein the process to be executed is the application, and wherein injecting the authentication data into a login process associated with the process to be executed to automatically authenticate a user to the process to be executed further comprises:
    - in response to the user attempting to access the application, determining whether an access script exists for the application in the security device; and
      
      playing back the access script to thereby inject the user authentication data into a login process of the application in response to determining that an access script exists for the application.
  - 9. The method of claim 8, wherein, if an access script does not exist for the application, the access agent captures logon information entered by the user and stores the logon information as authentication data in the security device.
  - 10. The method of claim 1, wherein automatically converting the user authentication data into a stronger form of user authentication data comprises at least one of automatically generating a longer password by adding alpha-numeric characters into a password of the user authentication data or generating a random password to be used instead of a password in the user authentication data.
  - 11. The method of claim 1, wherein automatically converting the user authentication data into a stronger form of user authentication data is performed without the user being aware of the conversion.
  - 12. The method of claim 1, wherein the security device stores a trusted host list identifying remote computing devices with which the identifier for accessing the security device may be verified, and wherein the verifying operation is limited to verifying the identifier with only remote computing devices identified in the trusted host list.
  - 13. The method of claim 1, wherein the access agent compares the identifier with a previous valid identifier used to access a previous SOCI device, and wherein if the identifier is different from the previous identifier, the access agent encrypts the identifier with a public key of all SOCI devices used by a user associated with the SOCI device and distributes the encrypted identifier to all SOCI devices used by the user for storing in the SOCI devices.
  - 14. The method of claim 1, wherein the security device uses private-public key authentication to authenticate the user to the process to be executed without the user being aware that private-public key authentication is being performed.
  - 15. The method of claim 1, further comprising:
    - cloning the security device to generate a second security device, wherein cloning the security device comprises;
      
      encrypting contents of a first security device with a symmetric key;
      
      encrypting the symmetric key with a public key of a second security device; and
      
      transferring the encrypted contents of the first security device and the encrypted symmetric key to the second security device.
  - 16. The method of claim 1, wherein the security device comprises a physical feature for allowing a user to manually input the user'"'"'s authentication for the security device to provide the authentication data, and wherein the security device only provides the authentication data in response to a physical interaction by the user with the physical feature of the security device.
  - 17. The method of claim 1, wherein the security device comprises a display, and wherein the display presents information about the authentication data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Ong, Peng T.
Primary Examiner(s)
Moazzami; Nasser G
Assistant Examiner(s)
JOHNSON, CARLTON

Application Number

US11/708,795
Publication Number

US 20070208950A1
Time in Patent Office

917 Days
Field of Search

713/189, 726/28, 726/29
US Class Current

713/170
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/41   where a single sign-on prov...

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

Secure object for convenient identification

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

25 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Secure object for convenient identification

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links