Distributed password verification
First Claim
Patent Images
1. A computer system for distributed password verification to prevent unauthorized access to an account, the computer program product comprising:
- a processor set; and
a computer readable storage medium;
wherein;
the processor set is structured, located, connected, and/or programmed to execute instructions stored on the computer readable storage medium; and
the instructions include;
first instructions executable by a device to cause the device to receive, from a client, a first set of client identifiers for the client, wherein the first set of client identifiers includes;
a first username for the client,a first hashed password for the client, anda first hashed server identifier;
second instructions executable by a device to cause the device to create an account for the client based on the username for the client;
third instructions executable by a device to cause the device to create a first token on a first server based on;
an encryption key,a device identifier for a device used by the client, andthe first set of client identifiers for the client;
fourth instructions executable by a device to cause the device to transmit the first token from the first server to the client;
fifth instructions executable by a device to cause the device to add, to a honeychecker registry on a second server, the username for the client, wherein the honeychecker registry is a list of valid usernames;
sixth instructions executable by a device to cause the device to delete the first token from the first server;
seventh instructions executable by a device to cause the device to delete the first set of client identifiers from the first server;
eighth instructions executable by a device to cause the device to receive, on the first server, a second token, wherein;
the second token is encrypted, andthe second token is equivalent to the first token;
ninth instructions executable by a device to cause the device to receive, on the first server, a second set of client identifiers for the client, wherein the second set of client identifiers includes;
a second username,a second hashed password, anda second hashed server identifier;
tenth instructions executable by a device to cause the device to decrypt the second token using a decryption key to reveal the first set of client identifiers;
eleventh instructions executable by a device to cause the device to verify the second token with a comparison of;
the second hashed server identifier, andthe first hashed server identifier in the second token;
twelfth instructions executable by a device to cause the device to validate an identity of the client with a comparison of;
the second hashed password, andthe first hashed password for the client in the second token;
thirteenth instructions executable by a device to cause the device to log the second username to an authentication log;
fourteenth instructions executable by a device to cause the device to determine that the second username does not appear in the honeychecker registry;
fifteenth instructions executable by a device to cause the device to, responsive to fourteenth instructions to determine that the second username does not appear in the honeychecker registry, deny, to the client, access to the account to prevent an unauthorized access;
sixteenth instructions executable by a device to cause the device to, responsive to fourteenth instructions to determine that the second username does not appear in the honeychecker registry, lock the account to prevent a future unauthorized access;
seventeenth instructions executable by a device to cause the device to, responsive to fourteenth instructions to determine that the second username does not appear in the honeychecker registry, determine the first server is compromised; and
eighteenth instructions executable by a device to cause the device to, responsive to fourteenth instructions to determine the first server is compromised, transmit an alert to the client that the first server is compromised.
1 Assignment
0 Petitions
Accused Products
Abstract
Distribution of verification of passwords for electronic account. Password verification is distributed (divided) across multiple entities to reduce potential exposure in the event of a server exposure.
69 Citations
1 Claim
-
1. A computer system for distributed password verification to prevent unauthorized access to an account, the computer program product comprising:
-
a processor set; and a computer readable storage medium; wherein; the processor set is structured, located, connected, and/or programmed to execute instructions stored on the computer readable storage medium; and the instructions include; first instructions executable by a device to cause the device to receive, from a client, a first set of client identifiers for the client, wherein the first set of client identifiers includes; a first username for the client, a first hashed password for the client, and a first hashed server identifier; second instructions executable by a device to cause the device to create an account for the client based on the username for the client; third instructions executable by a device to cause the device to create a first token on a first server based on; an encryption key, a device identifier for a device used by the client, and the first set of client identifiers for the client; fourth instructions executable by a device to cause the device to transmit the first token from the first server to the client; fifth instructions executable by a device to cause the device to add, to a honeychecker registry on a second server, the username for the client, wherein the honeychecker registry is a list of valid usernames; sixth instructions executable by a device to cause the device to delete the first token from the first server; seventh instructions executable by a device to cause the device to delete the first set of client identifiers from the first server; eighth instructions executable by a device to cause the device to receive, on the first server, a second token, wherein; the second token is encrypted, and the second token is equivalent to the first token; ninth instructions executable by a device to cause the device to receive, on the first server, a second set of client identifiers for the client, wherein the second set of client identifiers includes; a second username, a second hashed password, and a second hashed server identifier; tenth instructions executable by a device to cause the device to decrypt the second token using a decryption key to reveal the first set of client identifiers; eleventh instructions executable by a device to cause the device to verify the second token with a comparison of; the second hashed server identifier, and the first hashed server identifier in the second token; twelfth instructions executable by a device to cause the device to validate an identity of the client with a comparison of; the second hashed password, and the first hashed password for the client in the second token; thirteenth instructions executable by a device to cause the device to log the second username to an authentication log; fourteenth instructions executable by a device to cause the device to determine that the second username does not appear in the honeychecker registry; fifteenth instructions executable by a device to cause the device to, responsive to fourteenth instructions to determine that the second username does not appear in the honeychecker registry, deny, to the client, access to the account to prevent an unauthorized access; sixteenth instructions executable by a device to cause the device to, responsive to fourteenth instructions to determine that the second username does not appear in the honeychecker registry, lock the account to prevent a future unauthorized access; seventeenth instructions executable by a device to cause the device to, responsive to fourteenth instructions to determine that the second username does not appear in the honeychecker registry, determine the first server is compromised; and eighteenth instructions executable by a device to cause the device to, responsive to fourteenth instructions to determine the first server is compromised, transmit an alert to the client that the first server is compromised.
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeInternational Business Machines Corporation
-
Original AssigneeInternational Business Machines Corporation
-
InventorsKoved, Lawrence, Taban, Gelareh
-
Primary Examiner(s)Armouche, Hadi
-
Assistant Examiner(s)Zarrineh, Shahriar
-
Application NumberUS15/344,729Time in Patent Office162 DaysField of Search713171US Class CurrentCPC Class CodesG06F 21/31 User authenticationH04L 63/06 for supporting key manageme...H04L 63/083 using passwords cryptograph...H04L 63/0876 based on the identity of th...H04L 63/101 Access control lists [ACL]H04L 63/102 Entity profilesH04L 63/123 received data contents, e.g...H04L 67/01 ProtocolsH04L 67/55 Push-based network servicesH04L 9/06 the encryption apparatus us...H04L 9/0838 Key agreement, i.e. key est...H04L 9/0841 involving Diffie-Hellman or...H04L 9/0844 with user authentication or...H04L 9/0847 involving identity based en...H04L 9/32 including means for verifyi...H04L 9/3226 using a predetermined code,...H04L 9/3234 involving additional secure...H04L 9/3236 using cryptographic hash fu...
