Showing papers on "Password strength published in 1997"


Patent
06 Oct 1997
TL;DR: In this paper, the authors proposed a user authentication system for authenticating a user using an IC card in conjunction with a portable terminal used to generate a one-time password and a server that generates a corresponding one time password for user authentication.
Abstract: A user authentication system for authenticating a user using an IC card in conjunction with a portable terminal used to generate a one-time password and a server used to generate a corresponding one-time password for user authentication. The IC card contains a secret key for generating a one-time password and predetermined random numbers. The portable terminal contains a card receiver for receiving the IC card, a random number memory for reading and storing, and then deleting, the random numbers of the IC card, a first password generator for generating a one-time password from the secret key of the IC card and the random number, a first random number changer for changing the random number stored in the random number memory into a predetermined value and storing the changed value in the random number storing portion, and a display for displaying the processed results of the terminal and the server. The server includes a secret key memory for storing a secret key and a random number, a second password generator for generating a one-time password, a second random number changer for storing a random number value identical to the random number value of the terminal, a password receiver for receiving the one-time password of the terminal, and a password verifier for verifying the password to authenticate the user. As a result, it is possible to raise the security level by using a one-time password in which a different password is used each time a user is authenticated, and to save costs by generating a one-time password for various services with a single terminal.

225 citations


Proceedings ArticleDOI
18 Jun 1997
TL;DR: A new extension to further limit exposure to theft of a stored password-verifier is described, and it is applied to several protocols including the Simple Password Exponential Key Exchange (SPEKE).
Abstract: Strong password methods verify even small passwords over a network without additional stored keys or certificates with the user, and without fear of network dictionary attack. We describe a new extension to further limit exposure to theft of a stored password-verifier, and apply it to several protocols including the Simple Password Exponential Key Exchange (SPEKE). Alice proves knowledge of a password C to Bob, who has a stored verifier S, where S = g^C mod p. They perform a SPEKE exchange based on the shared secret S to derive an ephemeral shared key K_1. Bob chooses a random X and sends g^X mod p. Alice computes K_2 = g^(XC) mod p, and proves knowledge of {K_1, K_2}. Bob verifies this result to confirm that Alice knows C. Implementation issues are summarized, showing the potential for improved performance over Bellovin and Merritt's comparably strong Augmented-Encrypted Key Exchange. These methods make the password a strong independent factor in authentication, and are suitable for both Internet and intranet use.

200 citations


Patent
02 Apr 1997
TL;DR: In this paper, the authors proposed a method and system for simultaneously authenticating a user using two or more factors, such as both a password and a physical token or both password and biometric information.
Abstract: The invention provides a method and system for simultaneously authenticating a user using two or more factors, such as both a password and a physical token or both a password and biometric information. The user presents a physical token including a storage device to a processor and attempts to log in using a first password; the processor includes a login service which receives the first password, accesses the storage device to transform the first password into a second password, and authenticates the second password using an operating system for the processor. The storage device includes encrypted information regarding the second password which can be relatively easily determined in response to the first password, but which cannot be relatively easily determined without the first password. The system or the storage device may also store information for biometric authentication of the user.

148 citations


Journal ArticleDOI
TL;DR: A software methodology that improves security by using typing biometrics to reinforce password authentication mechanisms and employs fuzzy logic to measure the user's typing biometric patterns.
Abstract: The authors have developed a software methodology that improves security by using typing biometrics to reinforce password authentication mechanisms. Typing biometrics is the analysis of a user's keystroke patterns. Each user has a unique way of using the keyboard to enter a password; for example, each user types the characters that constitute the password at different speeds. The methodology employs fuzzy logic to measure the user's typing biometrics. This reinforcement is transparent, i.e. indiscernible to the users while they are entering the normal authentication.

143 citations


Patent
26 Nov 1997
TL;DR: In this article, a system and process for providing passwords from a client computer to different servers, databases, applications and other services accessed on an inter- or intra-net is presented.
Abstract: A system and process for providing passwords from a client computer to different servers, databases, applications and other services accessed on an inter- or intra-net. A program storage device has a reference table having a listing of a plurality of services accessible on an inter- or intra-net, a real password associated with each of the services, a variable name for the real password used by each of the services to enter the real password associated therewith, and a virtual password corresponding to a desired group of the services and associated real passwords. A desired service listed in the desired group of services in the reference table is selected for access and the virtual password corresponding to the desired group of services is entered to begin access. The variable name for the real password associated with the desired service is found in the reference table, and the variable name for the real password is used to enter the real password for the desired service to gain access to the desired service. There is further provided a first virtual password corresponding to a first group of the services and associated real passwords and a second virtual password corresponding to a second group of the services and associated real passwords. The desired group of services may then be selected using the first or second virtual password.

137 citations


Patent
Toshikazu Morisawa, Masayo Yamaki, Hiroyuki Tsukada, Tohru Mamata, Tatsuya Kawawa
11 Sep 1997
TL;DR: A portable computer system includes a keyboard for inputting at least a password, and a main CPU for controlling the system operation to perform data processing, as discussed by the authors; the computer system further includes a password control section, holding one or more registered passwords as being unreadable by direct access from the main CPU, for allowing the CPU to perform the data processing when a password identical to one of the registered passwords held therein is input by the keyboard.
Abstract: A portable computer system includes a keyboard for inputting at least a password, and a main CPU for controlling the system operation to perform data processing. In particular, the computer system further includes a password control section, holding one or more registered passwords as being unreadable by direct access from the main CPU, for allowing the main CPU to perform the data processing when a password identical to one of the registered passwords held therein is input by the keyboard.

135 citations


Patent
30 Dec 1997
TL;DR: In this article, a two-piece authentication procedure for securely providing user authentication over a network is described, where the user password is encrypted by an external token or smart card that stores an encryption algorithm furnished with an encryption key that is unique or of limited production.
Abstract: A computer system incorporating a two-piece authentication procedure for securely providing user authentication over a network. In the disclosed embodiment of the invention, a user password is entered during a secure power-up procedure. The user password is encrypted by an external token or smart card that stores an encryption algorithm furnished with an encryption key that is unique or of limited production. A network password is thereby created. The network password is maintained in a secure memory space such as System Management Mode (SMM) memory. The network password is then encrypted and communicated over the network. The network password may be encrypted using the server's public key or another key that is known to the server. Optional node identification information is appended to the network password prior to communication over the network. Once received by the server, the encrypted network password is decrypted using the server's private key. A user verification process is then performed on the network password to determine which, if any, access privileges have been accorded the network user.

116 citations


Patent
10 Apr 1997
TL;DR: In this article, a secure method to access data when the user has lost or forgotten the user password (261) was proposed, in which two encrypted versions of the access key are created (236, 270).
Abstract: The present invention is directed toward providing a secure method to access data when the user has lost or forgotten the user password (261). In accordance with the invention and in a system where decryption of an access key (232) will give access to data, two encrypted versions of the access key are created (236, 270). A first version (236) is formed using a key (264) formed with the user password. A second version (270) is formed using a public key (266) from a public-private key pair. Generally, data access can be had by decrypting the first encrypted version (236) of the access key (232) with the password key (264). However, if the password (261) is forgotten, access to data can be accomplished by decrypting the second encrypted version (270) of the access key (232) with the private key (280) from the public-private key pair. One embodiment of the invention requires the private key (280) to be stored at a remote site and for decryption using the private key to take place at the remote site. In this manner the user can gain access to data without significantly compromising the data security.

110 citations


Patent
15 Sep 1997
TL;DR: In this paper, the client verifies his clear password over an encrypted channel, rather than merely verifying the encrypted password, prior to receiving secure traffic, before sending secure traffic to the server.
Abstract: Systems, methods and computer program products for two-party key authentication provide additional security against intruders that might gain access to the password database of a server. The client verifies his clear password over an encrypted channel, rather than merely verifying the encrypted password, prior to receiving secure traffic.

85 citations


Patent
31 Oct 1997
TL;DR: In this article, a computerized method for generating passwords for password controlled access points is provided, where the master password, the service name, and the user name are combined using an irreversible function to generate a unique password.
Abstract: A computerized method is provided for generating passwords for password controlled access points. Provided are a master password, an access password, and a user name. The master password, the service name, and the user name are combined using an irreversible function to generate a unique password. The function can be a one-way hash function. The combining can be performed by a browser of a client computer. A similar combining can also be used to generate a user name from the master password and the user's real name.

74 citations


Patent
02 Jun 1997
TL;DR: In this paper, an access code is an application of a one-way hash function to a concatenation of a password and a password supplement, and access is granted when one of the trial access codes is identical to the stored access code.
Abstract: A computer-implemented method provides access to processes and data using a strengthened password. During an initialization phase, an access code is stored in a memory of a computer system. The access code is an application of a one-way hash function to a concatenation of a password and a password supplement. The size of the password supplement is a fixed number of bits. During operation of the system, a user enters a password, and the one-way hash function is applied to concatenations of the password and possible values having the size of the password supplement to yield trial access codes. Access is granted when one of the trial access codes is identical to the stored access code.

Patent
01 May 1997
TL;DR: In this paper, a user is allowed initial access to the distributed service with a password and the use of the distributed services is then restricted to the user upon entering the password plus a random factor created by the user.
Abstract: No more than one user at any one time is allowed to access a distributed service for each User ID and password. A user is allowed initial access to the distributed service with a password. The use of the distributed service is then restricted to the user upon entering the password plus a random factor created by the user. A user record is created as a unique recorded registration.

Patent
21 Nov 1997
TL;DR: In this paper, a method for generating system passwords derived from an external encryption algorithm and plain text user passwords entered during a secure power-on procedure is presented, where the user password is encrypted using the encryption algorithm contained in the external token, thereby creating a system password.
Abstract: A method for generating system passwords derived from an external encryption algorithm and plain text user passwords entered during a secure power-on procedure. At some point during the secure power-up procedure, the computer system checks for the presence of an external token or smart card that is coupled to the computer through specialized hardware. The token or smart card is used to store an encryption algorithm furnished with an encryption key that is unique or of limited production. Following detection of the external token, the computer user is required to enter a user password. The user password is encrypted using the encryption algorithm contained in the external token, thereby creating a system password. The system password is then compared to a value stored in secure memory. If the two values match, the power-on sequence is completed and the user is allowed access to the computer system or individually secured resources. The two-piece nature of the authorization process requires the presence of both the user password and the external token in order to generate the system password.

Patent
Chang-Hyun Ryu
25 Nov 1997
TL;DR: In this paper, a password recovery method was proposed for a computer system including a BIOS ROM having a BIOS setup program and a CMOS memory for storing the BIOS setup information. This method requires the user to input at least one identification number before entering the first password, which may be a user's resident registration number, the system's registration number or a serial number assigned to each computer by the manufacturer.
Abstract: A password recovery method to be used in a computer system including a BIOS ROM having a BIOS setup program and a CMOS memory for storing the BIOS setup information. The BIOS setup program provides a USER PASSWORD SETUP which allows a user to set or change his or her own password. Further, the USER PASSWORD SETUP includes an input of at least one identification number before entering the first password. The identification number may be one of a user's resident registration number, the system's registration number or a serial number assigned to each computer by the manufacturer. If the user forgets or loses the password and incorrect passwords are repeatedly entered a predetermined number of times, the BIOS program asks the user to enter the identification number. If the entered identification number is identical to the stored identification number, the program starts to encrypt the password stored in the CMOS memory. The resulting encrypted password is displayed on a display monitor in alphanumeric form. The encrypted password is referred to the manufacturer's service center, preferably by a telephone call. There, the encrypted password can be decoded and the password recovery performed. The recovered password is then referred back to the user.

Patent
Kuriyama Ryouichi
02 Sep 1997
TL;DR: In this article, password identification information for key verification is set for each of a plurality of applications (F1, F2, ...), and a current password storage unit is arranged for storing a password which has recently been input together with the password identification information of that password.
Abstract: Password identification information for identifying a password for key verification is set for each of a plurality of applications (F1, F2, ...). A current password storage unit for storing a password which has recently been input and the password identification information of the password is arranged. When one application is selected, password identification information corresponding to the application is verified against the password identification information stored in the current password storage unit. If the two pieces of password identification information match, key verification is performed using the password in the current password storage unit. With this operation, a plurality of data can be read out by performing the password input operation once. One or two select keys are arranged in place of a ten-key pad. By repeating an operation using the select keys and the enter key, a password having a plurality of digits is input. Therefore, the password can be input using a minimum number of keys.

Patent
Elie A. Jreij, Tave P. Dunn
28 Feb 1997
TL;DR: In this paper, a variable password is calculated for a portion of a computing system, such as to a configuration menu of a telephone system, and access is granted when the password received from the user is equal to the calculated variable password.
Abstract: Access is granted to a portion of a computing system, such as to a configuration menu of a telephone system. In order to grant access, a password is received from a user. A variable password is also calculated. The variable password varies with time. For example, the variable password varies with a current date and with a time of day stored by the computing system. The password received from the user is compared with the calculated variable password. When the password received from the user is equal to the calculated variable password, access is granted.

Proceedings ArticleDOI
02 Nov 1997
TL;DR: The authors propose new authentication and key exchange protocols, which are considerably efficient in protecting a poorly-chosen weak secret from guessing attacks.
Abstract: Cryptographic protocols for authentication and key exchange are necessary for secure communications. Most protocols have assumed that a strong secret for authentication should be shared between communicating participants in the light of the threat of dictionary attacks. But a user-chosen weak secret, i.e. a password, is typically used for authentication. Since most users want to use an easily memorizable password, which tends to be easy to guess, several authentication protocols that protect such a weak secret from password guessing attacks have been developed. However, those security-oriented protocols are more expensive in terms of the number of random numbers, cipher operations, and protocol steps than the previous protocols which are not resistant to guessing attacks. The authors propose new authentication and key exchange protocols, which are considerably efficient in protecting a poorly-chosen weak secret from guessing attacks.

Proceedings ArticleDOI
12 Oct 1997
TL;DR: This work proposes an additional level of security to the current password mechanism by incorporating an online signature authentication method; the dynamic information of signing a signature is hidden from other users and the comparison process is made very efficient through the signature discretization process.
Abstract: To prevent illegal access to a computer and its resources, most systems in the market use a password as the only means to ensure the user's identity. Although there are many password mechanisms proposed, most of them suffer from serious pitfalls associated with the tradeoff between memorizability and security. We propose an additional level of security to the current password mechanism by incorporating an online signature authentication method. The major advantages of the new method are that dynamic information of signing a signature is hidden from other users and the comparison process is made very efficient through the signature discretization process.

Journal ArticleDOI
TL;DR: A one-time digital signature based on any one-way function is reported, and it is shown to suffer from a signature forgery problem.
Abstract: Recently, Wu and Sung reported a one-time digital signature based on any one-way function in their article about password authentication. Owing to its general construction and potential applications, including the development of a one-time password scheme, in-depth security analysis is considered in the Letter. It is shown to suffer from a signature forgery problem.

Patent
Kuriyama Ryouichi
02 Sep 1997
TL;DR: In this paper, password identification information for identifying a password for key verification is set for each of a plurality of applications (F1, F2, F3, ...).
Abstract (of EP0838789): Password identification information for identifying a password for key verification is set for each of a plurality of applications (F1, F2, ...). A current password storage unit for storing a password which has recently been input and the password identification information of the password is arranged. When one application is selected, password identification information corresponding to the application is verified against the password identification information stored in the current password storage unit. If the two pieces of password identification information match, key verification is performed using the password in the current password storage unit. With this operation, a plurality of data can be read out by performing the password input operation once. One or two select keys are arranged in place of a ten-key pad. By repeating an operation using the select keys and the enter key, a password having a plurality of digits is input. Therefore, the password can be input using a minimum number of keys.

Proceedings ArticleDOI
01 Sep 1997
TL;DR: A method to keep the session key and sender's password secret even if the attacker can break the shared secret key is proposed by using RSA encryption.
Abstract: The augmented encrypted key exchange (A-EKE) uses a shared secret key for encryption. The A-EKE uses the hash of the sender's password as the shared secret key. By using Simmon's attack the sender's password can be broken. If this is accomplished, the attacker is able to learn the communicating parties' session key used after authentication as well as in the authentication of the sender. Furthermore, using the broken session key and the password, the attacker can impersonate the real sender. To prevent this from happening, we propose a method to keep the session key and the sender's password secret even if the attacker can break the shared secret key. This is accomplished by using RSA encryption. In our proposed scheme we use public keys which will be kept by the communicating parties and will be exchanged indirectly, i.e. instead of sending the whole public key the two parties will send the number which determines their public key, along with the shared key.

Journal Article
TL;DR: The different levels of security for different functions are outlined so you can pick the ones that best serve your needs and meet your special needs.
Abstract: How safe are your computer files or documents? Do you protect them from prying eyes or, worse, from hackers who try to steal or destroy the data? Considering the priceless nature of your information, safeguarding data should be high on your priority list. But that's easier said than done -- unless you know some software tricks. If you don't, read on. The problem with security is that if it's too loose -- easy to violate, that is -- it's useless. If it's too tight, it'll be too difficult even for you to access. The goal is to have a security system that's just right: too hard for an outsider to gain entry but easy enough for you. EN GARDE! This article is about ways to design a just-right security system. It outlines the different levels of security for different functions so you can pick the ones that best serve your needs. Be advised, though, they are not designed to block the experienced hacker. At best, they will block the curious onlooker or the average computer user. These techniques include password protection, masking and information-change detection. Masking techniques include disguising files inside the computer, hiding ranges of information inside a file and making information appear unreadable or even invisible. Change-detection techniques include audit trails -- such as byte count, hash-control totals and formula-difference locators, all of which are explained later. It's important to understand that an effective security system should not rely on a single technique. The most effective strategy is to use security layering -- placing many walls between an unauthorized user and sensitive information. Many people use password protection, mistakenly thinking that it alone will keep most, if not all, intruders at bay. Passwords can be sidestepped by reloading the computer's operating system and application software. Let's look at each software application and see what security options are available and which ones meet your special needs.
SPREADSHEET PROTECTION TECHNIQUES Of all types of applications, spreadsheet software offers the most built-in security features. Both Lotus 1-2-3 and Microsoft Excel contain essentially the same protection methods. At the simplest level, a password can block an intruder from opening or changing a file. Also, both programs have a number of features for hiding, filtering or otherwise masking information. Excel has a slight edge in the number of features for detecting changes -- so you'll know if an intruder has altered the file. Password protecting spreadsheets (in Excel they are called worksheets) is easy. One password prevents opening a file and is activated when saving a file. For Lotus, a user clicks on File, Save As, checks the With Password box and enters a password. In Excel, a user clicks on File, Save As and Options and enters a password. To allow another Lotus user to input over a certain range of data, a user first unprotects the range by clicking Style, Protection. The user then specifies the range, and checks the Keep Data Unprotected box. Next, the user clicks on File, Protect, checks the Seal box and enters a password of up to 15 characters. Excel uses the same basic technique. The user must unprotect the input range by highlighting the range, clicking on Format, Protect and then clearing the Locked box. The user then pulls down the Tools menu, selects Protection, Worksheet Protection and enters an appropriate password. In addition, Excel users can render a file read-only by entering a password in the Write Reservation box of the Save As panel. Lotus provides a similar feature for networked users. Spreadsheets provide excellent information-masking techniques. It takes only a few keystrokes for a user to hide rows, columns, cells, graphics and even entire spreadsheets. Another element of security is the intruder alarm: It lets you know if someone has gained admission to your file and changed it. …

Patent
10 Dec 1997
TL;DR: In this article, a login manager daemon searches a database and confirms a user ID and the registration of a password on a password management processing part; a one-time password is generated by a one-time password issue processing part, then the user ID and the one-time password are related to each other and registered in an active matrix that is managed by the login manager daemon process.
Abstract: PROBLEM TO BE SOLVED: To leave an access history for every individual by embedding a one-time password in the HTML page of a user service dynamically generated in the case of an effective login state. SOLUTION: A login manager daemon searches a database and confirms a user ID and the registration of a password on a password management processing part. In the case of a registered user, a one-time password is generated by a one-time password issue processing part, then the user ID and the one-time password are related to each other and registered in an active matrix that is managed by the login manager daemon process, which performs a periodic check by an active list supervisory timer. The result is given to a process, a page processing function of a CGI processing part is carried out, maintaining the one-time password in the case of the registered user, the service is offered to the actual user, and only the one-time password is embedded in a hidden attribute of the HTML of the page to be returned, which is then returned.

Patent
20 May 1997
TL;DR: In this paper, the authors proposed a solution to prevent unauthorized use and leakage of data due to decoding of leaked encryption data by securing sophisticated data security in the case of data communication between computer networks or at a data card terminal.
Abstract: PROBLEM TO BE SOLVED: To prevent unauthorized use and leakage of data due to decoding of leaked encryption data by securing sophisticated data security in the case of data communication between computer networks or at a data card terminal, so as to make illegal use of a data card or the like difficult. SOLUTION: A password generating start information generating program circuit 11 manages and generates information so that the same information is not output again as password generating start information, based on unforeseeable information. A data terminal card device 2 uses a password generating program circuit 21 to generate a password based on the password generating start information from a host device 1. The password is fed to the host device 1, where the password is authenticated. When the password matches the password generated by the host device 1, the password is authenticated and communication of encryption data is attained. An encryption circuit 22 controls a plurality of encryption programs elaborately and irregularly in time to generate encryption data. COPYRIGHT: (C)1998,JPO

Patent
12 Aug 1997
TL;DR: In this article, the authors proposed a method to detect the illegal use of a password at an early stage by issuing a new password from a center computer at every communication.
Abstract: PROBLEM TO BE SOLVED: To detect the illegal use of a password at an early stage by issuing a new password from a center computer at every communication. SOLUTION: Whether an ID code is a registered one or not is recognized by the confirmation item (1) of the ID code at the beginning of communication. Then, the password is recognized by the confirmation item (2) of the password. Then, the new password is issued by the issuing item (3) of the new password. The reception of the password is confirmed and the original job is started by an original job item (4). The password is rewritten by the issuing item of the password at every communication. When the password is stolen and illegally used, the password is rewritten. Thus, when the legitimate user tries to use the password, the password does not match and the illegal use can be detected at an early stage.


Patent
26 Nov 1997
TL;DR: In this paper, the problem of identifying the person in question at the start of communication by using an encryption code whose decoding is difficult was solved by using a password code authentication table 5-3.
Abstract: PROBLEM TO BE SOLVED: To identify the person in question at the start of communication by using an encryption code whose decoding is difficult. SOLUTION: When a sender enters a password into a password generating terminal 2, the password generating terminal 2 calculates a function based on the entered password and a time, uses the calculation result as the password and sends it to a recipient. The recipient calculates an encryption authentication code by the same algorithm as the sender side, based on the password and the time, for all members managed by a password code authentication device 5 to generate an encryption authentication table 5-3. When a password is received, it is collated with the codes in the table 5-3 and when a matching code exists, the person is identified as the person in question, a communication acknowledgement signal is sent and the communication is started. COPYRIGHT: (C)1999,JPO

Patent
20 Oct 1997
TL;DR: In this article, the authors proposed a method for securing an application in a networked system which uses a communication protocol that anticipates the transmission of an unstructured password string for access security.
Abstract: The method involves securing an application in a networked system which uses a communication protocol that anticipates the transmission of an unstructured password string for access security. A one-use password is formed by an initiator component of the application, and the password is copied into the unstructured password string of the communication protocol. The unstructured password string is transmitted through the communication protocol to a reaction component of the application, which detects the one-use password contained in the received unstructured password string, and which performs an authentication of the initiator in response to the one-use password.