Method for enabling an administrator to configure a recovery password

US 8,296,827 B2
Filed: 12/29/2005
Issued: 10/23/2012
Est. Priority Date: 12/29/2005
Status: Active Grant

First Claim

Patent Images

1. A method for enabling a user to protect a password stored in a central repository and maintained by a plurality of recovery authorities and to initiate a backup copy of the user'"'"'s credentials, the method comprising:

retrieving recovery information embedded in the user'"'"'s credentials;

generating a symmetric key and a public key private key pair;

encrypting the user'"'"'s credentials with the public key, wherein the private key is operable to decrypt the user'"'"'s credentials encrypted with the public key;

encrypting said private key with said symmetric key;

identifying a plurality of recovery authorities from the recovery information embedded in the user'"'"'s credentials;

retrieving a public key for each of the plurality of recovery authorities;

generating a recovery password for each of the plurality of recovery authorities based on at least a portion of a user-defined password for the plurality of recovery authorities;

encrypting the symmetric key with each recovery password, wherein the symmetric key encryption includes a quorum requirement of the recovery password generated for each of the plurality of recovery authorities, wherein decrypting the symmetric key includes retrieving the generated recovery passwords from the plurality of recovery authorities; and

encrypting each recovery password of the plurality of recovery authorities with each respective recovery authority'"'"'s public key.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided for a enabling a user to initiate a password protected backup copy of the user'"'"'s credentials. The method includes providing a user with a credential store containing information relating to the user'"'"'s identity, generating a different recovery password of any length for each recovery authority, encrypting the recovery password for each recovery authority, storing the encrypted recovery passwords in the credential store, and sending a copy of the information by the user from the credential store to a central repository.

Citations

24 Claims

1. A method for enabling a user to protect a password stored in a central repository and maintained by a plurality of recovery authorities and to initiate a backup copy of the user'"'"'s credentials, the method comprising:
- retrieving recovery information embedded in the user'"'"'s credentials;
  
  generating a symmetric key and a public key private key pair;
  
  encrypting the user'"'"'s credentials with the public key, wherein the private key is operable to decrypt the user'"'"'s credentials encrypted with the public key;
  
  encrypting said private key with said symmetric key;
  
  identifying a plurality of recovery authorities from the recovery information embedded in the user'"'"'s credentials;
  
  retrieving a public key for each of the plurality of recovery authorities;
  
  generating a recovery password for each of the plurality of recovery authorities based on at least a portion of a user-defined password for the plurality of recovery authorities;
  
  encrypting the symmetric key with each recovery password, wherein the symmetric key encryption includes a quorum requirement of the recovery password generated for each of the plurality of recovery authorities, wherein decrypting the symmetric key includes retrieving the generated recovery passwords from the plurality of recovery authorities; and
  
  encrypting each recovery password of the plurality of recovery authorities with each respective recovery authority'"'"'s public key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method according to claim 1, comprising the user manually initiating backup of the user'"'"'s credentials.
  - 3. The method according to claim 2, wherein the user manually initiating backup of the user'"'"'s credentials comprises overwriting encrypted symmetric keys and encrypted recovery passwords generated for each of the plurality of recovery authorities stored in the central repository without overwriting contents stored in a credential store.
  - 4. The method according to claim 1, comprising encrypting a portion of the user'"'"'s credentials with said public key.
  - 5. The method of claim 1, wherein a Certifying Authority used for certifying the user, is configured with the recovery information.
  - 6. The method according to claim 5, wherein the recovery information comprises a quorum number of recovery authorities.
  - 7. The method according to claim 5, wherein the recovery information comprises a location of a credential store.
  - 8. The method according to claim 5, wherein the recovery information comprises a length of recovery passwords.
  - 9. The method according to claim 5, wherein the recovery information comprises a list of recovery authorities.
  - 10. The method according to claim 1, wherein different recovery passwords are of any length for each of said recovery authorities.
  - 11. The method according to claim 1, comprising storing said encrypted symmetric key and said encrypted recovery password generated for each of the plurality of recovery authorities in a credential store.
  - 12. The method according to claim 1, comprising updating the recovery password generated for each of the plurality of recovery authorities in a stored hash.

13. A method for enabling a user to protect a password stored in a central repository and to initiate a backup copy of the user'"'"'s credentials, the method comprising:
- providing a user with a credential store containing information relating to the user'"'"'s identity;
  
  retrieving recovery information embedded in the information relating to the user'"'"'s identity;
  
  querying the user for a password for encrypting at least a portion of said information;
  
  receiving a user'"'"'s password in response to said query;
  
  generating a symmetric key and a public key private key pair, the symmetric key generated from the user'"'"'s password;
  
  encrypting the information relating to the user'"'"'s identity with the public key, wherein the private key is operable to decrypt the information encrypted with the public key;
  
  encrypting said private key with said symmetric key;
  
  identifying a plurality of recovery authorities from the recovery information embedded in the information relating to the user'"'"'s identity;
  
  retrieving a public key for each of the plurality of recovery authorities;
  
  generating a recovery password for each of the plurality of recovery authorities based on at least a portion of a user-defined password for the plurality of recovery authorities;
  
  encrypting the symmetric key with each recovery password, wherein the symmetric key encryption includes a quorum requirement of the recovery password generated for each of the plurality of recovery authorities, wherein decrypting the symmetric key includes retrieving the generated recovery passwords from the plurality of recovery authorities;
  
  encrypting each recovery password of the plurality of recovery authorities with each respective recovery authority'"'"'s public key;
  
  linking said user'"'"'s password with said recovery password generated for each of the plurality of recovery authorities;
  
  storing said user'"'"'s password and said recovery password generated for each of the plurality of recovery authorities in the credential store; and
  
  sending said portion of said information together with said user'"'"'s password and said recovery password generated for each of the plurality of recovery authorities by the user from the credential store to the central repository.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. The method according to claim 13, comprising the user initiating backup of the user'"'"'s credentials by pushing a user interface button.
  - 15. The method according to claim 14, wherein the user initiating backup of the user'"'"'s credentials by pushing a user interface button comprises overwriting encrypted symmetric keys and encrypted recovery passwords generated for each of the plurality of recovery authorities stored in the central repository without overwriting contents stored in the credential store.
  - 16. The method according to claim 13, comprising encrypting said portion of information with said public key.
  - 17. The method of claim 13, wherein a Certifying Authority used for certifying the user, is configured with the recovery information.
  - 18. The method according to claim 17, wherein the recovery information comprises a quorum number of recovery authorities.
  - 19. The method according to claim 17, wherein the recovery information comprises a location of the credential store.
  - 20. The method according to claim 17, wherein the recovery information comprises a length of recovery passwords.
  - 21. The method according to claim 17, wherein the recovery information comprises a list of recovery authorities.
  - 22. The method according to claim 13, wherein different recovery passwords are of any length for each of said recovery authorities.
  - 23. The method according to claim 13, comprising updating the recovery password generated for each of the plurality of recovery authorities in a stored hash.

24. A system for enabling a user to protect a password stored in a central repository and to initiate a backup copy of the user'"'"'s credentials, the system comprising:
- a recovery authority server operable to generate a recovery authority public key for each of a plurality of recovery authorities;
  
  a user server operable to;
  
  retrieve recovery information embedded in the user'"'"'s credentials;
  
  generate a symmetric key and a public key private key pair;
  
  encrypt the user'"'"'s credentials with the public key, wherein the private key is operable to decrypt the user'"'"'s credentials encrypted with the public key;
  
  encrypt the private key with the symmetric key;
  
  identify the plurality of recovery authorities from the recovery information embedded in the user'"'"'s credentials;
  
  retrieve the recovery authority public key for each of a plurality of recovery authorities from the recovery authority server;
  
  generate a recovery password for each of a plurality of recovery authorities based on at least a portion of a user-defined password for the plurality of recovery authorities;
  
  encrypt the symmetric key with each recovery password, wherein the symmetric key encryption includes a quorum requirement of the recovery password generated for each of the plurality of recovery authorities, wherein decrypting the symmetric key includes retrieving the generated recovery passwords from the plurality of recovery authorities;
  
  encrypt each recovery password of the plurality of recovery authorities with each respective recovery authority'"'"'s public key;
  
  a credential store operable to store the recovery password generated for each of the plurality of recovery authorities and the symmetric key; and
  
  a central repository operable to store one or more backup copies of content items from the credential store.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Workday Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Paganetti, Robert J., Kern, David S.
Primary Examiner(s)
Pearson, David

Application Number

US11/323,986
Publication Number

US 20070157032A1
Time in Patent Office

2,490 Days
Field of Search

None
US Class Current

726/5
CPC Class Codes

G06F 21/31 User authentication

G06F 2221/2131 Lost password, e.g. recover...

Method for enabling an administrator to configure a recovery password

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method for enabling an administrator to configure a recovery password

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links