Method and system for automating the recovery of a credential store when a user has forgotten their password using a temporary key pair created based on a new password provided by the user

US 9,094,194 B2
Filed: 04/18/2006
Issued: 07/28/2015
Est. Priority Date: 04/18/2006
Status: Active Grant

First Claim

Patent Images

1. A method, embodied in at least one computer system, of recovering a user'"'"'s credential store, comprising at least the following steps performed by said computer system:

receiving an indication from said user that said user has forgotten their previous password;

responsive to receipt of said indication that said user has forgotten their password, generating a user interface object in a user interface displayed to said user, said user interface object for receiving a new password from said user;

receiving said new password from said user through said user interface object;

generating, on a client computer system, a temporary encryption key pair based on said new password obtained from said user, said temporary encryption key pair including a public key and a private key;

sending said public key from said client computer system to a recovery process executing on a recovery server computer system;

receiving, by said recovery process, an approval message from a help desk administrator;

obtaining, by said recovery process, recovery information associated with said credential store;

encrypting, by said recovery process responsive to receipt of said approval message, said recovery information using said public key;

downloading said encrypted recovery information to said client computer system;

decrypting said recovery information on said client computer system using said private key; and

obtaining a decrypted copy of said credential store based on said decrypted recovery information to recover the credential store.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for automating the recovery of a credential store, in which client software generates a temporary key pair based on a new password, and sends client information including the user'"'"'s name, the public half of the temporary key pair, and the host name of the client computer system to a server system, from which the client information is passed to a recovery process. The client software process displays a prompt indicating that the user should call a help desk. A help desk administrator verifies the user'"'"'s identity and approves the user'"'"'s request by causing an approval message to be sent to the recovery process. The recovery process obtains recovery information consisting of either the decryption key(s) for the credential store, or a decrypted copy of the credential store, and encrypts the recovery information using the temporary public key. The client process downloads the recovery information from the server, and decrypts it using private key of the temporary key pair. The credential store can then be decrypted using the recovery information if necessary, then re-encrypted based on the new password. The encrypted recovery information is stored on the server and re-used for a certain period of time, after which it is deleted, thus allowing multiple copies of the credential store to be conveniently recovered.

Citations

17 Claims

1. A method, embodied in at least one computer system, of recovering a user'"'"'s credential store, comprising at least the following steps performed by said computer system:
- receiving an indication from said user that said user has forgotten their previous password;
  
  responsive to receipt of said indication that said user has forgotten their password, generating a user interface object in a user interface displayed to said user, said user interface object for receiving a new password from said user;
  
  receiving said new password from said user through said user interface object;
  
  generating, on a client computer system, a temporary encryption key pair based on said new password obtained from said user, said temporary encryption key pair including a public key and a private key;
  
  sending said public key from said client computer system to a recovery process executing on a recovery server computer system;
  
  receiving, by said recovery process, an approval message from a help desk administrator;
  
  obtaining, by said recovery process, recovery information associated with said credential store;
  
  encrypting, by said recovery process responsive to receipt of said approval message, said recovery information using said public key;
  
  downloading said encrypted recovery information to said client computer system;
  
  decrypting said recovery information on said client computer system using said private key; and
  
  obtaining a decrypted copy of said credential store based on said decrypted recovery information to recover the credential store.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - wherein said recovery information includes a decryption key associated with said credential store;
      
      wherein said obtaining said decrypted copy of said credential store based on said decrypted recovery information comprises decrypting said credential store using said decryption key contained in said decrypted recovery information; and
      
      re-encrypting the decrypted credential store on the client computer system based on the newly obtained password.
  - 3. The method of claim 2, further comprising:
    - prompting said user to call said help desk administrator upon receipt of said public key by said recovery process;
      
      providing a help desk user interface on a help desk computer system, wherein said help desk user interface provides indication of the contents of a queue of recovery requests pending processing by said recovery process;
      
      wherein said help desk user interface further provides a user interface mechanism enabling said help desk administrator to indicate that said approval message should be sent to said recovery process; and
      
      verifying, by said recovery process, that said help desk administrator is authorized to approve recovery of said credential store.
  - 4. The method of claim 3, further comprising:
    - wherein said sending said public key from said client computer system to said recovery process executing on a recovery server computer system further comprises sending client information from said client computer system to said recovery process, wherein said client information further includes a user name associated with said user, a host name of said client computer system, and a timestamp; and
      
      wherein said obtaining said recovery information by said recovery process is responsive, at least in part, to said user name and said timestamp.
  - 5. The method of claim 4, further comprising:
    - storing said encrypted recovery information on said server computer system for a predetermined time period; and
      
      deleting said encrypted recovery information from said server computer system upon expiration of said predetermined time period.
  - 6. The method of claim 5, further comprising:
    - sending said client information from said client computer system to an application server computer system;
      
      sending said client information from said application server computer system to a recovery server computer system on which said recovery process executes;
      
      forwarding said recovery information from said recovery server computer system to said application server computer system; and
      
      wherein said downloading said recovery information to said client computer system includes authenticating said client computer system by said application computer system based on said temporary encryption key pair, and downloading said recovery information to said client computer system from said application computer system.
  - 7. The method of claim 6, wherein said obtaining said recovery information associated with said credential store is responsive to receipt of a plurality of approval messages from a plurality of corresponding help desk administrators.
  - 8. The method of claim 7, further comprising:
    - wherein said public key from said client computer system is received by said recovery process executing on said recovery server computer system as part of an initial recovery request, wherein said initial recovery request is to recover a first copy of said credential store stored on said client computer system;
      
      receiving a subsequent recovery request by said recovery process, wherein said subsequent recovery request is to recover a second copy of said credential store stored on another computer system;
      
      sending, in the event that said receiving said subsequent recovery request occurs after receipt of said first recovery request and receipt of said approval message, but prior to deletion of said encrypted recovery information, said encrypted recovery information to said another computer system without receiving further approval from any help desk administrator.

9. A system for recovering a user'"'"'s credential store, comprising:
- at least one processor;
  
  at least one non-transitory computer readable memory, said computer readable memory having program code stored thereon for, when executed on said processor, recovering the user'"'"'s credential store, said program code comprising;
  
  program code for receiving an indication from said user that said user has forgotten their previous password;
  
  program code for, responsive to receipt of said indication that said user has forgotten their password, generating a user interface object in a user interface displayed to said user, said user interface object for receiving a new password from said user;
  
  program code for receiving said new password from said user through said user interface object;
  
  program code for generating, on a client computer system, a temporary encryption key pair based on said new password obtained from said user, said temporary encryption key pair including a public key and a private key;
  
  program code for sending said public key from said client computer system to a recovery process executing on a recovery server computer system;
  
  program code for receiving, by said recovery process, an approval message from a help desk administrator;
  
  program code for obtaining, by said recovery process, recovery information associated with said credential store;
  
  program code for encrypting, by said recovery process responsive to receipt of said approval message, said recovery information using said public key;
  
  program code for downloading said encrypted recovery information to said client computer system;
  
  program code for decrypting said recovery information on said client computer system using said private key; and
  
  program code for obtaining a decrypted copy of said credential store based on said decrypted recovery information to recover the credential store.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, further comprising:
    - wherein said recovery information includes a decryption key associated with said credential store;
      
      wherein said program code for obtaining said decrypted copy of said credential store based on said decrypted recovery information comprises program code for decrypting said credential store using said decryption key contained in said decrypted recovery information; and
      
      said program code further comprising re-encrypting the decrypted credential store on the client computer system based on the newly obtained password.
  - 11. The system of claim 10, said program code further comprising:
    - program code for prompting said user to call said help desk administrator upon receipt of said public key from said temporary encryption key pair by said recovery process;
      
      program code for providing a help desk user interface on a help desk computer system, wherein said help desk user interface provides indication of the contents of a queue of recovery requests pending processing by said recovery process;
      
      wherein said help desk user interface further provides a user interface mechanism enabling said help desk administrator to indicate that said approval message should be sent to said recovery process; and
      
      program code for verifying, by said recovery process, that said help desk administrator is authorized to approve recovery of said credential store.
  - 12. The system of claim 11, further comprising:
    - wherein said program code for sending said public key from said client computer system to said recovery process executing on a recovery server computer system further comprises program code for sending client information from said client computer system to said recovery process, wherein said client information further includes a user name associated with said user, a host name of said client computer system, and a timestamp; and
      
      wherein said program code for obtaining said recovery information by said recovery process is responsive, at least in part, to said user name and said timestamp.
  - 13. The system of claim 12, said program code further comprising:
    - program code for storing said encrypted recovery information on said server computer system for a predetermined time period; and
      
      program code for deleting said encrypted recovery information from said server computer system upon expiration of said predetermined time period.
  - 14. The system of claim 13, said program code further comprising:
    - program code for sending said client information from said client computer system to an application server computer system;
      
      program code for sending said client information from said application server computer system to a recovery server computer system on which said recovery process executes;
      
      program code for forwarding said recovery information from said recovery server computer system to said application server computer system; and
      
      wherein said program code for downloading said recovery information to said client computer system includes program code for authenticating said client computer system by said application computer system based on said temporary encryption key pair, and for downloading said recovery information to said client computer system from said application computer system.
  - 15. The system of claim 14, wherein said program code for obtaining said recovery information associated with said credential store is responsive to receipt of a plurality of approval messages from a plurality of corresponding help desk administrators.
  - 16. The system of claim 15, further comprising:
    - wherein public key from said client computer system received by said recovery process executing on said recovery server computer system is part of an initial recovery request, wherein said initial recovery request is to recover a first copy of said credential store stored on said client computer system;
      
      program code for receiving a subsequent recovery request by said recovery process, wherein said subsequent recovery request is to recover a second copy of said credential store stored on another computer system;
      
      program code for, in the event that said receiving said subsequent recovery request occurs after receipt of said first recovery request and receipt of said approval message, but prior to deletion of said encrypted recovery information, sending said encrypted recovery information to said another computer system without receiving further approval from any help desk administrator.

17. A computer program product including a computer readable storage medium, said computer readable storage medium not comprising a propagated signal, said computer readable storage medium having program code stored thereon for recovering a user'"'"'s credential store, said program code comprising:
- program code for receiving an indication from said user that said user has forgotten their previous password;
  
  program code for, responsive to receipt of said indication that said user has forgotten their password, generating a user interface object in a user interface displayed to said user, said user interface object for receiving a new password from said user;
  
  program code for receiving said new password from said user through said user interface object;
  
  program code for generating, on a client computer system, a temporary encryption key pair based on said new password obtained from said user, said temporary encryption key pair including a public key and a private key;
  
  program code for sending said public key from said client computer system to a recovery process executing on a recovery server computer system;
  
  program code for receiving, by said recovery process, an approval message from a help desk administrator;
  
  program code for obtaining, by said recovery process, recovery information associated with said credential store;
  
  program code for encrypting, by said recovery process responsive to receipt of said approval message, said recovery information using said public key;
  
  program code for downloading said encrypted recovery information to said client computer system;
  
  program code for decrypting said recovery information on said client computer system using said private key; and
  
  program code for obtaining a decrypted copy of said credential store based on said decrypted recovery information to recover the credential store.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Kern, David S., Poon, Shiu F., Paganetti, Robert J.
Primary Examiner(s)
HOLDER, BRADLEY W

Application Number

US11/379,088
Publication Number

US 20070255943A1
Time in Patent Office

3,388 Days
Field of Search

726/6
US Class Current

1/1
CPC Class Codes

H04L 9/0894 Escrow, recovery or storing...

Method and system for automating the recovery of a credential store when a user has forgotten their password using a temporary key pair created based on a new password provided by the user

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for automating the recovery of a credential store when a user has forgotten their password using a temporary key pair created based on a new password provided by the user

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links