Interlocking plain text passwords to data encryption keys
First Claim
1. A method of authenticating a user request for access to at least a portion of an encrypted storage device, the method comprising:
- generating a unique password for authenticating a user for access to the encrypted storage device by the steps of;
generating, by a random number generator;
i) a root key to encrypt and decrypt data;
ii) a maker's password to generate other passwords;
iii) an authentication hash key to generate hashed values of plaintext passwords; and
iv) a random data key corresponding to the unique authentication hash key, wherein the root key is stored in a one-time programmable memory in an access control system of an encryption module and not accessible outside of the access control system;
generating, by the encryption module, an encrypted data key based on the random data key, the authentication hash key and the root key;
generating, by the encryption module, a unique plaintext password for the user based on a random number and the encrypted data key;
generating, by a hash module, a hashed value of the generated plaintext password based on the authentication hash key;
storing the hashed value of the plaintext password and the corresponding encrypted data key to a key storage; and
providing the plaintext password to the user;
receiving the request for access to at least a portion of the encrypted storage device, the request including the plaintext password;
generating, by the hash module, a hashed version of the received plaintext password based on the authentication hash key;
retrieving, from the key storage, a hashed value of a generated plaintext password;
comparing, by a hash comparator, the hashed version of the received plaintext password with the retrieved hashed value of the generated plaintext password; and
when the hashed version of the received plaintext password and the retrieved hashed value of the generated plaintext password are equal, authenticating the user for access to at least a portion of the encrypted storage device, otherwise, denying the user access to the encrypted storage device;
changing the user's plaintext password, by the steps of;
receiving a desired plaintext password for the user;
extracting the authentication hash key and data key from the encrypted data key; and
generating, by the hash module, a hashed version of the desired plaintext password based upon the extracted authentication hash key and the root key.
Abstract
Described embodiments provide for authenticating a user request for access to at least a portion of an encrypted storage device. First, the request for access to at least a portion of the encrypted storage device is received. The request includes a plaintext password. A hash module generates a hashed version of the received plaintext password based on an authentication hash key. A hashed value of the generated plaintext password is retrieved from a key storage. A hash comparator compares the hashed version of the received plaintext password with the retrieved hashed value of the generated plaintext password. If the hashed version of the received plaintext password and the retrieved hashed value of the generated plaintext password are equal, the user is authenticated for access to at least a portion of the encrypted storage device. Otherwise, the user is denied access to the encrypted storage device.
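The flow in the first claim and the abstract, as an added Python model that is not code from the patent. It assumes HMAC-SHA256 as the hash module, an HMAC-derived XOR keystream as a stand-in for the encryption module's cipher, and a hypothetical password derivation; the class and function names are illustrative.

```python
import hashlib, hmac, secrets

def keyed_hash(key: bytes, msg: bytes) -> bytes:
    # Assumption: HMAC-SHA256 plays the role of the hash module.
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor_wrap(root_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Assumption: an HMAC keystream stands in for the encryption module's
    # cipher (self-inverse, no integrity tag; a real design would use an AEAD).
    blocks = (len(data) + 31) // 32
    stream = b"".join(keyed_hash(root_key, nonce + bytes([i])) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

class AccessControl:
    def __init__(self):
        self._root_key = secrets.token_bytes(32)  # models the OTP-resident root key
        self.key_storage = {}  # user -> (password hash, nonce, encrypted data key)

    def provision(self, user: str) -> str:
        auth_hash_key, data_key = secrets.token_bytes(32), secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        edk = xor_wrap(self._root_key, nonce, auth_hash_key + data_key)
        # Password from a random number and the encrypted data key (derivation assumed).
        password = keyed_hash(secrets.token_bytes(32), edk).hex()[:24]
        self.key_storage[user] = (keyed_hash(auth_hash_key, password.encode()), nonce, edk)
        return password

    def _auth_hash_key(self, user: str) -> bytes:
        _, nonce, edk = self.key_storage[user]
        return xor_wrap(self._root_key, nonce, edk)[:32]  # extract from the encrypted data key

    def authenticate(self, user: str, password: str) -> bool:
        if user not in self.key_storage:
            return False
        candidate = keyed_hash(self._auth_hash_key(user), password.encode())
        return hmac.compare_digest(candidate, self.key_storage[user][0])  # constant-time compare

    def change_password(self, user: str, current: str, desired: str) -> bool:
        # Checking the current password first is an added precaution, not a claim step.
        if not self.authenticate(user, current):
            return False
        _, nonce, edk = self.key_storage[user]
        new_hash = keyed_hash(self._auth_hash_key(user), desired.encode())
        self.key_storage[user] = (new_hash, nonce, edk)  # encrypted data key is untouched
        return True
```

In this model a password change rewrites only the stored hash, so the encrypted data key, and any data encrypted under the data key, stays as it was.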
16 Claims
1. A method of authenticating a user request for access to at least a portion of an encrypted storage device, the method comprising:
generating a unique password for authenticating a user for access to the encrypted storage device by the steps of;
generating, by a random number generator;
i) a root key to encrypt and decrypt data;
ii) a maker's password to generate other passwords;
iii) an authentication hash key to generate hashed values of plaintext passwords; and
iv) a random data key corresponding to the unique authentication hash key, wherein the root key is stored in a one-time programmable memory in an access control system of an encryption module and not accessible outside of the access control system;
generating, by the encryption module, an encrypted data key based on the random data key, the authentication hash key and the root key;
generating, by the encryption module, a unique plaintext password for the user based on a random number and the encrypted data key;
generating, by a hash module, a hashed value of the generated plaintext password based on the authentication hash key;
storing the hashed value of the plaintext password and the corresponding encrypted data key to a key storage; and
providing the plaintext password to the user;
receiving the request for access to at least a portion of the encrypted storage device, the request including the plaintext password;
generating, by the hash module, a hashed version of the received plaintext password based on the authentication hash key;
retrieving, from the key storage, a hashed value of a generated plaintext password;
comparing, by a hash comparator, the hashed version of the received plaintext password with the retrieved hashed value of the generated plaintext password; and
when the hashed version of the received plaintext password and the retrieved hashed value of the generated plaintext password are equal, authenticating the user for access to at least a portion of the encrypted storage device, otherwise, denying the user access to the encrypted storage device;
changing the user's plaintext password, by the steps of;
receiving a desired plaintext password for the user;
extracting the authentication hash key and data key from the encrypted data key; and
generating, by the hash module, a hashed version of the desired plaintext password based upon the extracted authentication hash key and the root key.
(Dependent claims: 2, 3, 4, 5, 6)
7. A non-transitory machine-readable storage medium, having encoded thereon program code, wherein, when the program code is executed by a machine, the machine implements a method of authenticating a user request for access to at least a portion of an encrypted storage device, the method comprising:
generating a unique password for authenticating a user for access to the encrypted storage device by the steps of;
generating, by a random number generator;
i) a root key to encrypt and decrypt data;
ii) a maker's password to generate other passwords;
iii) an authentication hash key to generate hashed values of plaintext passwords; and
iv) a random data key corresponding to the unique authentication hash key, wherein the root key is stored in a one-time programmable memory in an access control system of an encryption module and not accessible outside of the access control system;
generating, by the encryption module, an encrypted data key based on the random data key, the authentication hash key and the root key;
generating, by the encryption module, a unique plaintext password for the user based on a random number and the encrypted data key;
generating, by a hash module, a hashed value of the generated plaintext password based on the authentication hash key;
storing the hashed value of the plaintext password and the corresponding encrypted data key to a key storage; and
providing the plaintext password to the user;
receiving the request for access to at least a portion of the encrypted storage device, the request including the plaintext password;
generating, by the hash module, a hashed version of the received plaintext password based on the authentication hash key;
retrieving, from the key storage, a hashed value of a generated plaintext password;
comparing, by a hash comparator, the hashed version of the received plaintext password with the retrieved hashed value of the generated plaintext password; and
when the hashed version of the received plaintext password and the retrieved hashed value of the generated plaintext password are equal, authenticating the user for access to at least a portion of the encrypted storage device, otherwise, denying the user access to the encrypted storage device;
changing the user's plaintext password, by the steps of;
receiving a desired plaintext password for the user;
extracting the authentication hash key and data key from the encrypted data key; and
generating, by the hash module, a hashed version of the desired plaintext password based upon the extracted authentication hash key and the root key.
(Dependent claims: 8, 9, 10, 11)
12. An apparatus for authenticating a user for access to an encrypted storage device, the apparatus comprising:
a random number generator configured to generate;
(i) a root key to encrypt and decrypt data;
(ii) a maker's password to generate other passwords;
(iii) an authentication hash key to generate hashed values of plaintext passwords; and
(iv) a random data key corresponding to the unique plaintext password;
an encryption module configured to (i) generate an encrypted data key based on the random data key and the root key; (ii) generate a unique plaintext password for the user based on a random number and the encrypted data key, and (iii) extract the authentication hash key and data key from the encrypted data key, wherein the root key is stored in a one-time programmable memory in an access control system of an encryption module and not accessible outside of the access control system;
a hash module configured to generate (i) a hashed value of the generated plaintext password based on the authentication hash key; and (ii) a hashed version of the received plaintext password based on the authentication hash key;
a key storage configured to store the hashed value of the plaintext password and the corresponding encrypted data key;
a communication link configured to (i) providing the plaintext password to the user; and (ii) receive the request for access to at least a portion of the encrypted storage device, the request including the plaintext password; and
a hash comparator configured to compare the hashed version of the received plaintext password with the hashed value of the generated plaintext password, wherein, when the hashed version of the received plaintext password and the retrieved hashed value of the generated plaintext password are equal, the hash comparator is configured to authenticate the user for access to at least a portion of the encrypted storage device, otherwise, the hash comparator is configured to deny the user access to the encrypted storage device, wherein the apparatus is configured to change the user's plaintext password, by receiving a desired plaintext password for the user, extracting the authentication hash key and data key from the encrypted data key, and generating, by the hash module, a hashed version of the desired plaintext password based upon the extracted authentication hash key and the root key.
(Dependent claims: 13, 14, 15, 16)
Specification