Password hardening system using password shares distributed across multiple servers

US 9,305,161 B1
Filed: 06/24/2013
Issued: 04/05/2016
Est. Priority Date: 06/24/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

storing in a distributed manner across a plurality of servers of a password hardening system respective shares of at least one of a hardened surrogate password and a corresponding user password, the hardened surrogate password exhibiting a higher level of security against compromise relative to the user password;

intercepting in the password hardening system a first set of one or more communications based at least in part on the user password from a client and directed to an authentication entity external to the password hardening system; and

providing from the password hardening system to the authentication entity in place of at least a portion of the intercepted first set of one or more communications a second set of one or more communications based at least in part on the hardened surrogate password;

wherein the password hardening system simulates an authentication protocol between the authentication entity and the client by;

providing one or more simulated authentication entity responses based on the user password to the client; and

providing one or more simulated client messages based on the hardened surrogate password to the authentication entity;

wherein providing the second set of one or more communications to the authentication entity comprises;

verifying correctness of first authentication information in the first set of one or more communications under the user password;

computing second authentication information based on the hardened surrogate password;

modifying the first set of one or more communications to include the second authentication information; and

providing the modified first set of one or more communications to the authentication entity as the second set of one or more communications; and

wherein the storing, intercepting and providing are implemented by at least one processing platform comprising at least one processing device.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A password hardening system is arranged between one or more clients and a domain controller or other authentication entity. The password hardening system comprises a plurality of servers configured to store in a distributed manner respective shares of at least one of a hardened surrogate password and a corresponding user password. The password hardening system is configured to intercept a first set of one or more communications based at least in part on the user password and directed to an authentication entity external to the password hardening system, and to provide to the authentication entity in place of at least a portion of the intercepted first set of one or more communications a second set of one or more communications based at least in part on the hardened surrogate password. The password hardening system may be configured to serve as a proxy between an authenticating client and the authentication entity.

37 Citations

View as Search Results

20 Claims

1. A method comprising:
- storing in a distributed manner across a plurality of servers of a password hardening system respective shares of at least one of a hardened surrogate password and a corresponding user password, the hardened surrogate password exhibiting a higher level of security against compromise relative to the user password;
  
  intercepting in the password hardening system a first set of one or more communications based at least in part on the user password from a client and directed to an authentication entity external to the password hardening system; and
  
  providing from the password hardening system to the authentication entity in place of at least a portion of the intercepted first set of one or more communications a second set of one or more communications based at least in part on the hardened surrogate password;
  
  wherein the password hardening system simulates an authentication protocol between the authentication entity and the client by;
  
  providing one or more simulated authentication entity responses based on the user password to the client; and
  
  providing one or more simulated client messages based on the hardened surrogate password to the authentication entity;
  
  wherein providing the second set of one or more communications to the authentication entity comprises;
  
  verifying correctness of first authentication information in the first set of one or more communications under the user password;
  
  computing second authentication information based on the hardened surrogate password;
  
  modifying the first set of one or more communications to include the second authentication information; and
  
  providing the modified first set of one or more communications to the authentication entity as the second set of one or more communications; and
  
  wherein the storing, intercepting and providing are implemented by at least one processing platform comprising at least one processing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 20)
- - 2. The method of claim 1 wherein the authentication entity external to the password hardening system comprises a domain controller configured to process the authentication attempt using an active directory service.
  - 3. The method of claim 1 wherein said storing comprises:
    - storing in the plurality of servers respective shares of the hardened surrogate password; and
      
      storing in the plurality of servers respective shares of the corresponding user password.
  - 4. The method of claim 1 further comprising:
    - authenticating the client using the authentication protocol based at least in part on the user password; and
      
      if the authentication of the client is successful, reconstructing the hardened surrogate password from its shares stored on the respective servers, and carrying out the authentication protocol with the authentication entity on behalf of the client using the one or more simulated client messages, wherein the one or more simulated client messages use the hardened surrogate password in place of the user password.
  - 5. The method of claim 1 wherein the password hardening system serves as a proxy between an authenticating client and the authentication entity for at least a portion of an authentication session.
  - 6. The method of claim 1 further comprising:
    - identifying in the intercepted first set of communications the first authentication information based at least in part on the user password; and
      
      performing an authentication operation using the identified authentication information prior to providing the second set of one or more communications to the authentication entity.
  - 7. The method of claim 6 wherein the identified authentication information comprises the user password itself.
  - 8. The method of claim 1 wherein the password hardening system simulates the authentication protocol with the client using the user password and the one or more simulated authentication entity responses and wherein the password hardening system simulates the authentication protocol with the authentication entity using the hardened surrogate password and the one or more simulated client messages, such that from a viewpoint of the client the authentication protocol is carried out using the user password and from a viewpoint of the authentication entity the authentication protocol is carried out using the hardened surrogate password.
  - 9. The method of claim 1 wherein storing respective shares of at least one of the hardened surrogate password and the corresponding user password comprises storing said shares such that the shares are obscured in respective chaff sets on the respective servers.
  - 10. The method of claim 1 wherein storing respective shares of at least one of the hardened surrogate password and the corresponding user password comprises storing information generated as a function of the password and a one-time pad on one of the servers and storing the one-time pad on another one of the servers.
  - 11. The method of claim 1 wherein intercepting the first set of one or more communications comprises intercepting at least one communication associated with an authentication session initiated by the client and directed from the client to the authentication entity in conjunction with an authentication attempt.
  - 12. The method of claim 11 wherein said at least one communication comprises an authentication session initiation message.
  - 13. The method of claim 12 wherein the authentication session initiation message comprises a request message of the form SV=(c=enc_κ
    - _user[τ
      
      ],τ
      
      ), where c is a user ciphertext, enc is a symmetric-key encryption function, κ
      
      _useris a user secret derived by hashing the user password, and τ
      
      is a timestamp.
  - 14. The method of claim 13 further comprising:
    - verifying the correctness of c under the user password; and
      
      computing c*=enc_κ_user_*[τ
      
      ], where κ
      
      _user* is derived from the hardened surrogate password;
      
      wherein providing the second set of one or more communications comprises forwarding a modified request message SV*=(c*,τ
      
      ) to the authentication entity.
  - 15. The method of claim 14 further comprising:
    - receiving in the password hardening system from the authentication entity in response to the modified request message a reply message containing a ticket encrypted under the hardened surrogate password;
      
      decrypting the ticket using the hardened surrogate password;
      
      re-encrypting the ticket under the user password; and
      
      sending the re-encrypted ticket to the client.
  - 16. A processing device comprising a hardware processor coupled to a memory and configured to perform the method of claim 1.
  - 20. The method of claim 1 wherein modifying the first set of one or more communications to include the second authentication information comprises replacing the first authentication information with the second authentication information.

17. A computer program product comprising a non-transitory processor-readable storage medium having embodied therein one or more software programs, wherein the one or more software programs when executed by at least one processing device cause the at least one processing device:
- to store in a distributed manner across a plurality of servers of a password hardening system respective shares of at least one of a hardened surrogate password and a corresponding user password, the hardened surrogate password exhibiting a higher level of security against compromise relative to the user password;
  
  to intercept in the password hardening system a first set of one or more communications based at least in part on the user password from a client and directed to an authentication entity external to the password hardening system; and
  
  to provide from the password hardening system to the authentication entity in place of at least a portion of the intercepted first set of one or more communications a second set of one or more communications based at least in part on the hardened surrogate password;
  
  wherein the password hardening system simulates an authentication protocol between the authentication entity and the client by;
  
  providing one or more simulated authentication entity responses based on the user password to the client; and
  
  providing one or more simulated client messages based on the hardened surrogate password to the authentication entity; and
  
  wherein providing the second set of one or more communications to the authentication entity comprises;
  
  verifying correctness of first authentication information in the first set of one or more communications under the user password;
  
  computing second authentication information based on the hardened surrogate password;
  
  modifying the first set of one or more communications to include the second authentication information; and
  
  providing the modified first set of one or more communications to the authentication entity as the second set of one or more communications.

18. An apparatus comprising:
- a password hardening system comprising a plurality of servers configured to store in a distributed manner respective shares of at least one of a hardened surrogate password and a corresponding user password, the hardened surrogate password exhibiting a higher level of security against compromise relative to the user password;
  
  wherein the password hardening system is configured to intercept a first set of one or more communications based at least in part on the user password from a client and directed to an authentication entity external to the password hardening system, and to provide to the authentication entity in place of at least a portion of the intercepted first set of one or more communications a second set of one or more communications based at least in part on the hardened surrogate password;
  
  wherein the password hardening system simulates an authentication protocol between the authentication entity and the client by;
  
  providing one or more simulated authentication entity responses based on the user password to the client; and
  
  providing one or more simulated client messages based on the hardened surrogate password to the authentication entity;
  
  wherein the password hardening system is configured to provide the second set of one or more communications to the authentication entity by;
  
  verifying correctness of first authentication information in the first set of one or more communications under the user password;
  
  computing second authentication information based on the hardened surrogate password;
  
  modifying the first set of one or more communications to include the second authentication information; and
  
  providing the modified first set of one or more communications to the authentication entity as the second set of one or more communications; and
  
  wherein the password hardening system is implemented using at least one processing device comprising a hardware processor coupled to a memory.
- View Dependent Claims (19)
- - 19. The apparatus of claim 18 wherein the password hardening system is configured to serve as a proxy between an authenticating client and the authentication entity for at least a portion of an authentication session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Juels, Ari, Ray, Kenneth D., Richards, Gareth
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Gundry, Stephen

Application Number

US13/925,289
Time in Patent Office

1,016 Days
Field of Search

713/193, 713/171, 713/182, 713/18, 713/183
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/46   by designing passwords or c...

H04L 2463/062   applying encryption of the ...

H04L 63/083   using passwords cryptograph...

H04L 9/085   Secret sharing or secret sp...

H04L 9/0863   involving passwords or one-...

Password hardening system using password shares distributed across multiple servers

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Password hardening system using password shares distributed across multiple servers

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links