Security system that uses indirect password-based encryption

US 7,836,310 B1
Filed: 11/01/2002
Issued: 11/16/2010
Est. Priority Date: 11/01/2002
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a user to a file security system, the method comprising:

receiving notification of a login request that includes at least a password associated with the user;

decrypting an encrypted authentication string with the password received with the login request to produce a decrypted authentication string, the encrypted authentication string having been created using a random number of a predetermined length and encrypted using a previously-received password associated with the user; and

determining whether the user is authenticated based on the decrypting.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An improved system and approaches for protecting passwords are disclosed. A file security system for an organization operates to protect the files of the organization and thus prevents or limits users from accessing some or all of the files (e.g., documents) associated with the organization. According to one aspect, a password entered by a user is used, provided it is authenticated, to obtain a respective authentication string (a relatively longer string of numbers or characters). The retrieved authentication string is then used to enable the user to enter the file security system and/or to access secured files therein. According to another aspect, user passwords are not stored in the file security system to avoid security breaches due to unauthorized capture of user passwords.

480 Citations

45 Claims

1. A method for authenticating a user to a file security system, the method comprising:
- receiving notification of a login request that includes at least a password associated with the user;
  
  decrypting an encrypted authentication string with the password received with the login request to produce a decrypted authentication string, the encrypted authentication string having been created using a random number of a predetermined length and encrypted using a previously-received password associated with the user; and
  
  determining whether the user is authenticated based on the decrypting.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method as recited in claim 1, wherein the received password is never stored in a file by or for the file security system.
  - 3. The method as recited in claim 1, wherein the received password is never stored in a non-volatile manner.
  - 4. The method as recited in claim 1, further comprising:
    - permitting access to files protected by the file security system in response to determining that the user is authenticated.
  - 5. The method as recited in claim 1, further comprising:
    - denying access to files protected by the file security system in response to determining that the user is not authenticated.

6. A method for authenticating a user to a file security system, the method comprising:
- receiving a password associated with the user;
  
  accessing an encrypted authentication string from a server machine associated with the file security system, the encrypted authentication string having been created using a random number of a predetermined length and encrypted using a previously-received password, wherein the encrypted authentication string is associated with the user;
  
  decrypting the encrypted authentication string with the received password to produce a decrypted authentication string; and
  
  determining whether the user is authenticated based on the decrypting.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The method as recited in claim 6, further comprising removing the received password from memory after the decrypting.
  - 8. The method as recited in claim 6, wherein the file security system is provided on at least one computer, the computer having non-volatile storage and volatile storage,the method further comprising:
    - removing the received password from the volatile storage after the decrypting, andwherein following receiving the password and before removing the received password after the decrypting, the received password is only stored in the volatile storage.
  - 9. The method as recited in claim 6, the determining further comprising determining whether decryption of the encrypted authentication string was successful.
  - 10. The method as recited in claim 6, further comprising:
    - permitting access to files protected by the file security system in response to determining that the user is authenticated.
  - 11. The method as recited in claim 6, further comprising:
    - denying access to files protected by the file security system in response to determining that the user is not authenticated.

12. A method for re-authenticating a user to a file security system, where the user was previously authenticated to the file security system, comprising:
- determining whether a re-authorization condition exists; and
  
  re-authenticating the user to the file security system in response to determining that the re-authorization condition exists, said re-authenticating includes at least;
  
  receiving a password associated with the user;
  
  accessing an encrypted authentication string from a server machine associated with the file security system;
  
  decrypting the encrypted authentication string with the received password to produce an authentication string; and
  
  determining whether the user is re-authenticated based on said decrypting.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method as recited in claim 12, wherein determining whether a re-authorization condition exists includes determining that the user is attempting to perform an operation with respect to the file security system that is deemed to be highly guarded.
  - 14. The method as recited in claim 12, wherein determining whether a re-authorization condition exists includes determining that the user is attempting to export a certificate.
  - 15. The method as recited in claim 12, wherein the re-authentication further includes the act of removing the received password from memory after the decrypting.
  - 16. The method as recited in claim 12, wherein the file security system is provided on at least one computer, the computer having non-volatile storage and volatile storage,wherein the re-authentication further includes the act of:
    - removing the received password from the volatile storage after the decrypting, andwherein following the receiving of the password and before the removing, the received password is only stored in the volatile storage.
  - 17. The method as recited in claim 12, the determining further comprising determining whether decryption of the encrypted authentication string was successful.
  - 18. The method as recited in claim 12, further comprising:
    - permitting access to the file security system in response to determining that the user is re-authenticated.
  - 19. The method as recited in claim 12, further comprising:
    - denying access to the file security system in response to determining that the user is not re-authenticated.

20. A method for changing a password of a user, wherein the password is associated with a file security system, the method comprising:
- retrieving a stored, existing password associated with the user;
  
  accessing an encrypted authentication string from a server machine associated with the file security system, the encrypted authentication string having been created by;
  
  generating a random number of a predetermined length;
  
  converting the random number into the authentication string; and
  
  encrypting the authentication string using the existing password, so as to associate the encrypted authentication string with the user;
  
  decrypting the encrypted authentication string with the existing password to produce a decrypted authentication string; and
  
  determining whether the user is authenticated based on the decrypting.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The method as recited in claim 20, wherein the method does not require any of the files protected by the file security system to be modified if a password is changed for the user.
  - 22. The method as recited in claim 20, further comprising:
    - denying the user from changing the password from the existing password to a new password in response to determining that the user is not authenticated.
  - 23. The method as recited in claim 20, further comprising:
    - permitting a password to be changed from the existing password to the new password in response to determining that the user is authenticated.
  - 24. The method as recited in claim 23, wherein the permitting comprises:
    - encrypting the authentication string using the new password to produce a new encrypted authentication string; and
      
      storing the new encrypted authentication string in the server machine for subsequent usage.

25. An article of manufacture including a computer readable medium having instructions stored thereon, that, in response to execution by a computing device, cause the computing device to perform operations for authenticating a user to a file security system, the operations comprising:
- receiving a file access request including at least a password associated with the user;
  
  decrypting an encrypted authentication string with the password received with the file access request to produce a decrypted authentication string, the encrypted authentication string having been created using a random number of a predetermined length and encrypted using a previously-received password associated with the user; and
  
  determining whether the user is authenticated based on the decrypting.
- View Dependent Claims (26, 27)
- - 26. The article of manufacture as recited in claim 25, the operations further comprising:
    - permitting access to files protected by the file security system in response to determining that the user is authenticated.
  - 27. The article of manufacture as recited in claim 25, the operations further comprising:
    - denying access to files protected by the file security system in response to determining that the user is not authenticated.

28. A computer readable medium having stored thereon, computer program code that, in response to execution by a computer, causes the computer to authenticate a user to a file security system by a method comprising:
- receiving a password associated with the user;
  
  accessing an encrypted authentication string from a server machine associated with the file security system, the encrypted authentication string having been created using a random number of a predetermined length and encrypted using a previously-received password, wherein the encrypted authentication string is associated with the user;
  
  wherein the encrypted authentication string is associated with the user;
  
  decrypting the encrypted authentication string with the received password to produce an authentication string; and
  
  determining whether the user is authenticated based on the decrypting by the computer code for decrypting.
- View Dependent Claims (29, 30)
- - 29. The computer readable medium as recited in claim 28, the method further comprising:
    - permitting access to files protected by the file security system in response to determining that the user is authenticated.
  - 30. The computer readable medium as recited in claim 28, the method further comprising:
    - denying access to files protected by the file security system in response to determining that the user is not authenticated.

31. A computer readable medium having stored thereon, computer program code that, in response to execution by a computer, causes the computer to re-authenticate a user to a file security system by a method, where the user was previously authenticated to the file security system, the method comprising:
- accessing an encrypted authentication string from a server machine associated with the file security system, wherein the encrypted authentication string is associated with the user;
  
  determining whether a re-authorization condition exists; and
  
  re-authenticating the user to the file security system when the re-authorization condition exists, the re-authenticating comprising;
  
  receiving a password associated with the user;
  
  accessing an encrypted authentication string from a server machine associated with the file security system;
  
  decrypting the encrypted authentication string with the received password to produce an authentication string; and
  
  determining whether the user is re-authenticated based on the decrypting by the computer code for decrypting.
- View Dependent Claims (32, 33)
- - 32. The computer readable medium as recited in claim 31, the method further comprising:
    - permitting access to the file security system in response to determining that the user is re-authenticated.
  - 33. The computer readable medium as recited in claim 31, the method further comprising:
    - denying access to the file security system determining determines that the user is not re-authenticated.

34. A tangible computer readable medium having instructions stored thereon to change a password associated with a file security system, the instructions comprising:
- instructions to receive a new password;
  
  instructions to retrieve a stored, existing password associated with the user;
  
  instructions to access an encrypted authentication string from a server machine associated with the file security system, the encrypted authentication string having been created by;
  
  generating a random number of a predetermined length;
  
  converting the random number into the authentication string; and
  
  encrypting the authentication string using the existing password,wherein the encrypted authentication string is associated with a user;
  
  instructions to decrypt the encrypted authentication string with the existing password to produce a decrypted authentication string; and
  
  instructions to determine whether the user is authenticated based on the decrypting.
- View Dependent Claims (35, 36)
- - 35. The tangible computer readable medium as recited in claim 34, the instructions further comprising:
    - instructions to deny the password to be changed from the existing password to the new password in response to determining that the user is not authenticated.
  - 36. The tangible computer readable medium as recited in claim 34, the instructions further comprising:
    - instructions to permit the password to be changed from the existing user password to the new password in response to determining that the user is authenticated.

37. A method for authenticating a user to a file security system, wherein the file security system includes a server portion and at least one client portion, the server portion residing in a server machine, and the client portion residing in a client machine, the method comprising:
- receiving a login request including at least a password associated with the user;
  
  decrypting an encrypted authentication string with the password received with the login request to produce a decrypted authentication string, the encrypted authentication string having been created using a random number of a predetermined length and encrypted using a previously-received password associated with the user; and
  
  determining whether the user is authenticated based on the decrypting.
- View Dependent Claims (38, 39)
- - 38. The method as recited in claim 37, further comprising:
    - permitting access to files protected by the file security system in response to determining that the user is authenticated.
  - 39. The method as recited in claim 37, further comprising:
    - denying access to files protected by the file security system in response to determining that the user is not authenticated.

40. A method for authenticating a user to a file security system, the method comprising:
- generating a random number of a predetermined length;
  
  converting the random number into an authentication string;
  
  encrypting the authentication string using a previously-received password to produce an encrypted authentication string, wherein the encrypted authentication string and the previously-received password are associated with the user; and
  
  storing the encrypted authentication string in a server machine associated with the file security system for subsequent usage.
- View Dependent Claims (41, 42, 43)
- - 41. The method as recited in claim 40, wherein the file security system includes a server portion and at least one client portion, the server portion residing in a server machine, and the client portion residing in a client machine associated with the user, andfurther comprising causing the client machine to store the encrypted authentication string associated with the user.
  - 42. The method as recited in claim 40, further comprising storing the encrypted authentication string in the server machine.
  - 43. The method as recited in claim 40, wherein the method is performed on a client machine operating on a client portion of the file security system, andfurther comprising causing deletion of the received password after the authentication string is encrypted from memory of the client machine.

44. An article of manufacture including a computer readable medium having instructions stored thereon, that, in response to execution by a computing device, cause the computing device to perform operations for authenticating a user to a file security system, the operations comprising:
- generating a random number of a predetermined length;
  
  converting the random number into an authentication string;
  
  encrypting the authentication string using a previously-the received password to produce an encrypted authentication string, wherein the encrypted authentication string and the previously-received password are is associated with the user; and
  
  storing the encrypted authentication string in a server machine associated with the file security system for subsequent usage.

45. A method for authenticating a user to a file security system, wherein the file security system includes a server portion and at least one client portion, the server portion residing in a server machine, and the client portion residing in a client machine, the method comprising:
- generating a random number of a predetermined length;
  
  converting the random number into an authentication string;
  
  encrypting the authentication string using a previously-received password associated with a user to produce an encrypted authentication string; and
  
  storing the encrypted authentication string in the file security system to the server machine for subsequent usage.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intellectual Ventures I LLC (Intellectual Ventures LLC)
Original Assignee
Guardian Data Storage LLC
Inventors
Gutnik, Yevgeniy
Primary Examiner(s)
Moorthy; Aravind K

Application Number

US10/286,524
Time in Patent Office

2,937 Days
Field of Search

713/161, 713/165, 713/168, 713181-186, 726 4- 6, 726/17, 726/18, 726/27, 380/28, 380/255, 380/262, 380/268
US Class Current

713/183
CPC Class Codes

G06F 21/6209 to a single file or object,...

H04L 9/3226 using a predetermined code,...

Security system that uses indirect password-based encryption

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

480 Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

Security system that uses indirect password-based encryption

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

480 Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links