Decentralized verification in a distributed system
First Claim
1. A system for managing authentication credentials in a distributed computing environment, comprising:
under the control of one or more computer systems configured with executable instructions, one or more computing resources collectively having one or more processors and memory including executable instructions that, when executed by the one or more processors, cause the system to, for each password of a plurality of passwords, at least:
derive, based at least in part on the password and a first salt value, a preliminary key;
for each key-use zone of a plurality of key-use zones:
derive a key hash value based at least in part on a second salt value and a key-derivation parameter specific to the key-use zone, the key hash value being a hash value derived based at least in part on a key;
generate a verification key based at least in part on the preliminary key and the key hash value; and
configure a password verification system for the key-use zone to use the verification key to authenticate a computer system having access to the password without requiring the computer system to provide the password to the password verification system.
Abstract
A credential, such as a password, for an entity is used to generate multiple keys. The generated keys are distributed to credential verification systems to enable the credential verification systems to perform authentication operations. The keys are generated such that access to a generated key allows for authentication with a proper subset of the credential verification systems. Thus, unauthorized access to information used by one authentication system does not, by itself, allow for successful authentication with other authentication systems.
23 Claims
1. A system for managing authentication credentials in a distributed computing environment (reproduced in full above under First Claim). Dependent claims: 2, 3, 4, 5, 6.
7. A computer-implemented method for authentication credential management, comprising:
under the control of one or more computer systems configured with executable instructions, for each key-use zone of a plurality of key-use zones:
generating, using the one or more computer systems, a verification key for the key-use zone based at least in part on a credential, a first salt that corresponds to the credential, a second salt that corresponds to the credential, and a key-derivation parameter specific to the key-use zone by at least:
generating, using the one or more computer systems, based at least in part on the credential and the first salt, a preliminary key; and
generating, using the one or more computer systems, based at least in part on the preliminary key, the second salt, and the key-derivation parameter, the verification key; and
causing, using the one or more computer systems, an authentication system for the key-use zone to be configured to perform authentication operations using the verification key.
Dependent claims: 8, 9, 10, 11, 12.
13. A computer system, comprising:
one or more processors; and
memory including instructions that, when executed by the one or more processors, cause the computer system to at least:
obtain information specific to an entity;
use the information specific to the entity to generate a set of verification keys comprising a verification key for each key-use zone of multiple different key-use zones, the verification key for a corresponding key-use zone generated based at least in part on a first salt, a second salt, and information specific to the corresponding key-use zone by causing the computer system to:
generate, based at least in part on the information specific to the entity and the first salt, a preliminary key; and
generate, based at least in part on the preliminary key, the second salt, and the information specific to the corresponding key-use zone, the verification key; and
provide the verification keys of the set of verification keys for use in authenticating the entity for corresponding key-use zones.
Dependent claims: 14, 15, 16, 17, 18.
19. A non-transitory computer-readable storage medium having stored thereon instructions that, when executed by one or more processors of a computer system, cause the computer system to at least:
determine information specific to a key-use zone of a plurality of key-use zones;
generate, based at least in part on a plurality of salts specific to an entity and the information specific to the key-use zone, a verification key by causing the computer system to at least:
generate, based at least in part on the information specific to the entity and a first salt of the plurality of salts, a preliminary key; and
generate, based at least in part on the preliminary key, a second salt of the plurality of salts, and the information specific to the key-use zone, the verification key; and
electronically prove access to secret information to an authentication system of the key-use zone using the verification key but without providing the secret information to the authentication system.
Dependent claims: 20, 21, 22, 23.
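The two-stage derivation of claim 1 and the proof of access of claim 19, as an added worked example that is not code from the patent or its assignee. The claims name no primitives, so the choice of PBKDF2-HMAC-SHA256 for the preliminary key, HMAC-SHA256 for the key hash and verification key, a nonce challenge/response as the proof, and the treatment of salts and zone parameters as non-secret inputs are all assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed example: PBKDF2-HMAC-SHA256 for the preliminary key, HMAC-SHA256 for the
# key hash and the verification key, and a nonce challenge/response as the proof of
# access. The patent names none of these primitives; salts and zone parameters are
# assumed to be non-secret inputs known to both the entity and the verifiers.
PBKDF2_ROUNDS = 100_000


def preliminary_key(password: bytes, salt1: bytes) -> bytes:
    """Preliminary key from the password and the first salt (claim 1, first step)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt1, PBKDF2_ROUNDS)


def key_hash(salt2: bytes, zone_param: bytes) -> bytes:
    """Key hash value: keyed hash of the zone-specific key-derivation parameter."""
    return hmac.new(salt2, zone_param, hashlib.sha256).digest()


def verification_key(pre_key: bytes, khash: bytes) -> bytes:
    """Zone verification key from the preliminary key and the key hash. HMAC is one-way
    in its key, so a leaked zone key reveals neither the password nor the preliminary
    key and therefore cannot be turned into another zone's key."""
    return hmac.new(pre_key, khash, hashlib.sha256).digest()


def derive_zone_keys(password: bytes, salt1: bytes, salt2: bytes, zones: dict) -> dict:
    """Full derivation for every key-use zone; returns {zone_name: verification_key}."""
    pre = preliminary_key(password, salt1)
    return {name: verification_key(pre, key_hash(salt2, param)) for name, param in zones.items()}


def prove(zone_key: bytes, nonce: bytes) -> bytes:
    """Client side of claim 19: answer a challenge with the zone key, never the password."""
    return hmac.new(zone_key, nonce, hashlib.sha256).digest()


class ZoneVerifier:
    """Password verification system for one key-use zone; it stores only that zone's key."""

    def __init__(self, zone_key: bytes):
        self._zone_key = zone_key

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, nonce: bytes, response: bytes) -> bool:
        return hmac.compare_digest(prove(self._zone_key, nonce), response)
```

A verifier provisioned with one zone's key can check that zone's responses only; replaying a stolen us-east key against the eu-west verifier fails, which is the property the abstract describes.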