Distributed password verification

US 9,876,783 B2
Filed: 12/22/2015
Issued: 01/23/2018
Est. Priority Date: 12/22/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

creating a first token on a first server based, at least in part, on a first set of client identifiers for a client and an encryption key, wherein;

the first set of client identifiers includes;

a first hashed password for the client, anda first username for the client, andthe first token is encrypted;

transmitting the first token from the first server to the client;

adding, to a honeychecker registry on a second server, the first username, wherein the honeychecker registry is a list of valid usernames;

deleting the first token and the first set of client identifiers from the first server;

receiving, on the first server, a second token and a second set of client identifiers for the client, wherein;

the second token is encrypted,the second token is equivalent to the first token, andthe second set of client identifiers includes;

a second hashed password, anda second username;

decrypting the second token using a decryption key to reveal the first set of client identifiers;

comparing the second hashed password to the first hashed password from the second token to verify an identity of the client;

determining that the second username does not appear in the honeychecker registry; and

denying, to the client, responsive to determining that the second username does not appear in the honeychecker registry, access to the account to prevent an unauthorized access;

wherein;

at least comparing the second hashed password to the first hashed password from the second token is performed by computer software running on computer hardware.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Distribution of verification of passwords for electronic account. Password verification is distributed (divided) across multiple entities to reduce potential exposure in the event of a server exposure.

Citations

9 Claims

1. A method comprising:
- creating a first token on a first server based, at least in part, on a first set of client identifiers for a client and an encryption key, wherein;
  
  the first set of client identifiers includes;
  
  a first hashed password for the client, anda first username for the client, andthe first token is encrypted;
  
  transmitting the first token from the first server to the client;
  
  adding, to a honeychecker registry on a second server, the first username, wherein the honeychecker registry is a list of valid usernames;
  
  deleting the first token and the first set of client identifiers from the first server;
  
  receiving, on the first server, a second token and a second set of client identifiers for the client, wherein;
  
  the second token is encrypted,the second token is equivalent to the first token, andthe second set of client identifiers includes;
  
  a second hashed password, anda second username;
  
  decrypting the second token using a decryption key to reveal the first set of client identifiers;
  
  comparing the second hashed password to the first hashed password from the second token to verify an identity of the client;
  
  determining that the second username does not appear in the honeychecker registry; and
  
  denying, to the client, responsive to determining that the second username does not appear in the honeychecker registry, access to the account to prevent an unauthorized access;
  
  wherein;
  
  at least comparing the second hashed password to the first hashed password from the second token is performed by computer software running on computer hardware.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, further comprising:
    - logging the second username to an authentication log.
  - 3. The method of claim 1, wherein creating the first token is further based, at least in part, on a device identifier for a device used by the client.

4. A computer program product comprising:
- a computer readable storage medium having stored thereon;
  
  first instructions executable by a device to cause the device to create a first token on a first server based, at least in part, on a first set of client identifiers for a client and an encryption key, wherein;
  
  the first set of client identifiers includes;
  
  a first hashed password for the client, anda first username for the client, andthe first token is encrypted;
  
  second instructions executable by a device to cause the device to transmit the first token from the first server to the client;
  
  third instructions executable by a device to cause the device to add, to a honeychecker registry on a second server, the first username, wherein the honeychecker registry is a list of valid usernames;
  
  fourth instructions executable by a device to cause the device to delete the first token and the first set of client identifiers from the first server;
  
  fifth instructions executable by a device to cause the device to receive, on a second first server, the token and a second set of client identifiers for the client, wherein;
  
  the second token is encrypted,the second token is equivalent to the first token, andthe second set of client identifiers includes;
  
  a second hashed password, anda second username;
  
  sixth instructions executable by a device to cause the device to decrypt the second token using a decryption key to reveal the first set of client identifiers; and
  
  seventh instructions executable by a device to cause the device to compare the second hashed password to the first hashed password from the second token to verify an identity of the client;
  
  eighth instructions executable by a device to cause the device to determine that the second username does not appear in the honeychecker registry; and
  
  ninth instructions executable by a device to cause the device to deny, to the client, responsive to determining that the second username does not appear in the honeychecker registry, access to the account to prevent an unauthorized access.
- View Dependent Claims (5, 6)
- - 5. The computer program product of claim 4, further comprising:
    - tenth instructions executable by a device to cause the device to log the second username to an authentication log.
  - 6. The computer program product of claim 4, wherein first instructions to create the first token are further based, at least in part, on a device identifier for a device used by the client.

7. A computer system comprising:
- a processor set; and
  
  a computer readable storage medium;
  
  wherein;
  
  the processor set is structured, located, connected, and/or programmed to execute instructions stored on the computer readable storage medium; and
  
  the instructions include;
  
  first instructions executable by a device to cause the device to create a first token on a first server based, at least in part, on a first set of client identifiers for a client and an encryption key, wherein;
  
  the first set of client identifiers includes;
  
  a first hashed password for the client, and
  
  a first username for the client, andthe first token is encrypted;
  
  second instructions executable by a device to cause the device to transmit the first token from the first server to the client;
  
  third instructions executable by a device to cause the device to add, to a honeychecker registry on a second server, the first username, wherein the honeychecker registry is a list of valid usernames;
  
  fourth instructions executable by a device to cause the device to delete the first token and the first set of client identifiers from the first server;
  
  fifth instructions executable by a device to cause the device to receive, on a second first server, the token and a second set of client identifiers for the client, wherein;
  
  the second token is encrypted,the second token is equivalent to the first token, andthe second set of client identifiers includes;
  
  a second hashed password, and
  
  a second username;
  
  sixth instructions executable by a device to cause the device to decrypt the second token using a decryption key to reveal the first set of client identifiers; and
  
  seventh instructions executable by a device to cause the device to compare the second hashed password to the first hashed password from the second token to verify an identity of the client;
  
  eighth instructions executable by a device to cause the device to determine that the second username does not appear in the honeychecker registry; and
  
  ninth instructions executable by a device to cause the device to deny, to the client, responsive to determining that the second username does not appear in the honeychecker registry, access to the account to prevent an unauthorized access.
- View Dependent Claims (8, 9)
- - 8. The computer system of claim 7, further comprising:
    - tenth instructions executable by a device to cause the device to log the second username to an authentication log.
  - 9. The computer system of claim 7, wherein first instructions to create the first token are further based, at least in part, on a device identifier for a device used by the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Koved, Lawrence, Taban, Gelareh
Primary Examiner(s)
Rashid, Harunur
Assistant Examiner(s)
Zarrineh, Shahriar

Application Number

US14/977,690
Publication Number

US 20170180347A1
Time in Patent Office

763 Days
Field of Search

713171
US Class Current
CPC Class Codes

G06F 21/31   User authentication

H04L 63/06   for supporting key manageme...

H04L 63/083   using passwords cryptograph...

H04L 63/0876   based on the identity of th...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/123   received data contents, e.g...

H04L 67/01   Protocols

H04L 67/55   Push-based network services

H04L 9/06   the encryption apparatus us...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/0844   with user authentication or...

H04L 9/0847   involving identity based en...

H04L 9/32   including means for verifyi...

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

H04L 9/3236   using cryptographic hash fu...

Distributed password verification

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed password verification

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links