Password hardening system using password shares distributed across multiple servers
First Claim
1. A method comprising:
- storing in a distributed manner across a plurality of servers of a password hardening system respective shares of at least one of a hardened surrogate password and a corresponding user password, the hardened surrogate password exhibiting a higher level of security against compromise relative to the user password;
- intercepting in the password hardening system a first set of one or more communications based at least in part on the user password from a client and directed to an authentication entity external to the password hardening system; and
- providing from the password hardening system to the authentication entity in place of at least a portion of the intercepted first set of one or more communications a second set of one or more communications based at least in part on the hardened surrogate password;
- wherein the password hardening system simulates an authentication protocol between the authentication entity and the client by:
  - providing one or more simulated authentication entity responses based on the user password to the client; and
  - providing one or more simulated client messages based on the hardened surrogate password to the authentication entity;
- wherein providing the second set of one or more communications to the authentication entity comprises:
  - verifying correctness of first authentication information in the first set of one or more communications under the user password;
  - computing second authentication information based on the hardened surrogate password;
  - modifying the first set of one or more communications to include the second authentication information; and
  - providing the modified first set of one or more communications to the authentication entity as the second set of one or more communications; and
- wherein the storing, intercepting and providing are implemented by at least one processing platform comprising at least one processing device.
Abstract
A password hardening system is arranged between one or more clients and a domain controller or other authentication entity. The password hardening system comprises a plurality of servers configured to store in a distributed manner respective shares of at least one of a hardened surrogate password and a corresponding user password. The password hardening system is configured to intercept a first set of one or more communications based at least in part on the user password and directed to an authentication entity external to the password hardening system, and to provide to the authentication entity in place of at least a portion of the intercepted first set of one or more communications a second set of one or more communications based at least in part on the hardened surrogate password. The password hardening system may be configured to serve as a proxy between an authenticating client and the authentication entity.
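As an added illustration (not the patent's own code), a toy Python model of the flow the abstract describes under an assumed nonce/HMAC-SHA256 challenge-response protocol: the proxy holds t-of-n Shamir shares of a user-password-derived key and of a random surrogate, verifies the client's proof under the user password, and forwards a proof recomputed under the surrogate. `HardeningProxy`, `split`, `reconstruct`, `proof`, the field prime and the share parameters are all constructed for this example.

```python
import hashlib, hmac, secrets
# Added example, not the patent's code. Assumed protocol: the client proves knowledge of a
# key by HMAC over a nonce; the authentication entity (DC) only ever holds the surrogate.
P = 2**127 - 1  # prime field for the shares (assumed parameter)

def split(secret, n, t):
    # n points on a random degree t-1 polynomial whose constant term is the secret
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P) for x in range(1, n + 1)]
def reconstruct(shares):
    # Lagrange interpolation at x = 0; with fewer than t shares the result is unrelated to the secret
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num, den = num * -xj % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total
def user_key(password):  # 15-byte key so its integer value lies below P
    return hashlib.sha256(password).digest()[:15]
def proof(key, nonce):  # the client's "authentication information" for a challenge
    return hmac.new(key, nonce, hashlib.sha256).digest()

class HardeningProxy:
    def __init__(self, password, n=5, t=3):
        self.t = t
        surrogate = secrets.token_bytes(15)  # hardened surrogate password, never shown to the client
        self.shares = list(zip(split(int.from_bytes(user_key(password), "big"), n, t),
                               split(int.from_bytes(surrogate, "big"), n, t)))
        self.dc_store = surrogate  # what the DC enrolls; the DC never sees the user password

    def dc_verify(self, response, nonce):  # stands in for the external authentication entity
        return hmac.compare_digest(response, proof(self.dc_store, nonce))

    def handle(self, client_proof, nonce):
        avail = self.shares[: self.t]  # any t responding servers suffice
        ukey = reconstruct([s[0] for s in avail]).to_bytes(15, "big")
        if not hmac.compare_digest(client_proof, proof(ukey, nonce)):
            return False  # first authentication information invalid: nothing is forwarded
        surrogate = reconstruct([s[1] for s in avail]).to_bytes(15, "big")
        return self.dc_verify(proof(surrogate, nonce), nonce)  # second authentication information

def run_demo(password=b"hunter2", wrong=b"hunter3"):
    proxy, nonce = HardeningProxy(password), secrets.token_bytes(16)
    ok = proxy.handle(proof(user_key(password), nonce), nonce)
    bad = proxy.handle(proof(user_key(wrong), nonce), nonce)
    few = reconstruct([s[1] for s in proxy.shares[: proxy.t - 1]])  # only t-1 servers compromised
    return ok, bad, few == int.from_bytes(proxy.dc_store, "big")  # expected (True, False, False)
```

Compromise of the DC yields only the surrogate, and compromise of fewer than t hardening servers yields neither secret; the user password itself is verified only inside the proxy.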
20 Claims
1. A method comprising: (independent claim; text as given under First Claim above.) Dependent claims: 2 to 16 and 20.
17. A computer program product comprising a non-transitory processor-readable storage medium having embodied therein one or more software programs, wherein the one or more software programs when executed by at least one processing device cause the at least one processing device:
- to store in a distributed manner across a plurality of servers of a password hardening system respective shares of at least one of a hardened surrogate password and a corresponding user password, the hardened surrogate password exhibiting a higher level of security against compromise relative to the user password;
- to intercept in the password hardening system a first set of one or more communications based at least in part on the user password from a client and directed to an authentication entity external to the password hardening system; and
- to provide from the password hardening system to the authentication entity in place of at least a portion of the intercepted first set of one or more communications a second set of one or more communications based at least in part on the hardened surrogate password;
- wherein the password hardening system simulates an authentication protocol between the authentication entity and the client by:
  - providing one or more simulated authentication entity responses based on the user password to the client; and
  - providing one or more simulated client messages based on the hardened surrogate password to the authentication entity; and
- wherein providing the second set of one or more communications to the authentication entity comprises:
  - verifying correctness of first authentication information in the first set of one or more communications under the user password;
  - computing second authentication information based on the hardened surrogate password;
  - modifying the first set of one or more communications to include the second authentication information; and
  - providing the modified first set of one or more communications to the authentication entity as the second set of one or more communications.
18. An apparatus comprising:
- a password hardening system comprising a plurality of servers configured to store in a distributed manner respective shares of at least one of a hardened surrogate password and a corresponding user password, the hardened surrogate password exhibiting a higher level of security against compromise relative to the user password;
- wherein the password hardening system is configured to intercept a first set of one or more communications based at least in part on the user password from a client and directed to an authentication entity external to the password hardening system, and to provide to the authentication entity in place of at least a portion of the intercepted first set of one or more communications a second set of one or more communications based at least in part on the hardened surrogate password;
- wherein the password hardening system simulates an authentication protocol between the authentication entity and the client by:
  - providing one or more simulated authentication entity responses based on the user password to the client; and
  - providing one or more simulated client messages based on the hardened surrogate password to the authentication entity;
- wherein the password hardening system is configured to provide the second set of one or more communications to the authentication entity by:
  - verifying correctness of first authentication information in the first set of one or more communications under the user password;
  - computing second authentication information based on the hardened surrogate password;
  - modifying the first set of one or more communications to include the second authentication information; and
  - providing the modified first set of one or more communications to the authentication entity as the second set of one or more communications; and
- wherein the password hardening system is implemented using at least one processing device comprising a hardware processor coupled to a memory.

Dependent claim: 19.