WO2000011537A1 - Improvements in and relating to data communication - Google Patents
Improvements in and relating to data communication Download PDFInfo
- Publication number
- WO2000011537A1 WO2000011537A1 PCT/GB1999/002672 GB9902672W WO0011537A1 WO 2000011537 A1 WO2000011537 A1 WO 2000011537A1 GB 9902672 W GB9902672 W GB 9902672W WO 0011537 A1 WO0011537 A1 WO 0011537A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- input
- password
- data communication
- communication system
- signals
- Prior art date
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/82—Protecting input, output or interconnection devices
- G06F21/83—Protecting input, output or interconnection devices input devices, e.g. keyboards, mice or controllers thereof
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
- G06F21/46—Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
Definitions
- the present invention relates to data communication devices and methods, and to programs for executing such methods and carriers therefor.
- a method for password enhancing which method comprises the steps of entering a user password and irreversibly encrypting the user password.
- Preferred embodiments of the present invention provide for more secure password handling, by enhancing the password.
- the encryption comprises a hash operation.
- the method comprises the additional step of using an encrypted first stored key (NEPKEY) to encrypt the irreversibly encrypted user password (HASH) .
- NEPKEY an encrypted first stored key
- HASH irreversibly encrypted user password
- the first stored key is encrypted by a public key encryption algorithm.
- the method comprises the additional step of decrypting an encrypted second stored key (UPEK) using the decrypted first stored key (NEPKEY) .
- the second stored key is encrypted by a reversible algorithm.
- the result (HASH) of the irreversibly encrypted user password is encrypted using the second stored key (UPEK) as an encryption key.
- UEEK second stored key
- a data access method comprising the steps of producing an enhanced password according to the first aspect of the present invention, comparing the enhanced password with a password associated with the data, and permitting access to the data only if the enhanced password and the data password correspond.
- the data to be accessed may be any type, including a file, an application, a data record etc.
- a carrier comprising a program according to the third aspect of the invention.
- a data communication system comprising an input device for generating a plurality of input signals available from a set of input signals and a character generator configured to receive an input signal and generate an output signal comprising a plurality of signals from the set of input signals in which the output signal is different from the signal input to the character generator.
- the output signal is of a different length to the signal input to the character generator. More suitably, the output signal is longer than the signal input to the character generator.
- the system further comprises means for comparing the output signal with a stored password. More suitably, the comparison means further comprises means for outputting a signal dependent upon the correspondence of the output signal with the stored password.
- the input device comprises a keyboard.
- the set of available input signals comprises all or part of the character set of the keyboard.
- the system comprises a first input and a second input in which the character generator receives signals from the first input and does not receive signals from the second input.
- the first input is a local input device such as a keyboard or microphone and the second input is a remote based input device typically providing signals via a modem connection.
- the input signal comprises or corresponds to one of the set of input signals.
- the set of input signals comprises alphanumeric characters .
- a digital computer comprising a data communication system according to the fifth aspect of the invention.
- a data communication method comprising receiving an input signal available from a set of input signals, generating an output signal comprising a plurality of signals from the set of available input signals, in which the output signal is different from the input signal.
- the method further comprises the step of repeating the operation for a plurality of input signals.
- the output signals vary in length one from the other.
- the method according to the eighth aspect of the invention is modified according to the sixth aspect of the invention.
- Figure 1 is a schematic functional illustration of an embodiment of the present invention.
- Figure 2 is a functional flow diagram illustrating operation of a preferred embodiment of the present invention.
- Figure 3 is a diagram showing how data is stored according to the embodiment of the present invention described in relation to Figure 2.
- Figure 4 is a functional flow diagram of the operation of the character generating device of the present invention in another embodiment.
- an electronic digital computer 2 typically a personal computer (“PC") comprising a keyboard 4 connected via a data line 6 to a processor 8.
- PC personal computer
- a character generating device 10 On the data line 6 between keyboard 4 and processor 8 is a character generating device 10.
- the initials "CGD" are used for character generating device in this specification.
- Other input ports 12, 14 as also shown which may for instance, be from a modem.
- the character generating device 10 is configured to controllably modify the output of keystrokes from keyboard
- a password is requested to be input and the number of characters of an enhanced password is set.
- the input is "filtered” to recognise non-character codes such as CTRL and ⁇ SHIFT> so that these are not required in the user's password.
- a user password is entered from keyboard 4.
- the user password input be "BOB” .
- the user sets the enhanced password length to, say, 10 characters.
- ⁇ ENTER> key strike or typically for a WINDOWS (Registered Trade Mark) application, clicking the "OK” button
- the user password BOB is enhanced.
- Each CGD 10 contains a common key referred to as a NEPKEY.
- the CGD 10 uses a secret public key encryption algorithm with its own unique public key (the public key differs between CGD devices) to encrypt the NEPKEY, the result of which, referred to as Spk (NEPKEY) is stored on the PC hard drive.
- the NEPKEY itself is not known outside of the CGD 10.
- the CGD 10 creates a User Password Enchancer Encryption Key, referred to as UPEK, in a function called "GUPEK" .
- UPEK User Password Enchancer Encryption Key
- a UPEK is generated in the CGD 10 as a random number. It need not be a random number, the main requirement being it is not known outside of the CGD 10.
- Each CGD 10 has the same NEPKEY (or set of NEPKEYs as several may be used) , but a unique UPEK (or set thereof) .
- GUPEK is passed the Spk (NEPKEY) to be used to encrypt a new UPEK, how many new UPEK's are to within the set, and the location of the temporary resident program that can create UPEKs. It then passed the CGD 10 the encrypted NEPKEY (ie T NEPKEY (UPEK) , where T is a symmetric encryption algorithm) . As each new UPEK is created, according to the number to be generated, the CGD 10 encrypts it with the NEPKEY (ie TN EPKEY (UPEK) ) . When it has finished, the temporary resident program is unloaded from the CGD 10.
- NEPKEY NEPKEY
- the CGD 10 then adds the encrypted UPEKs to one block of data, with a header 102 containing how many UPEKs 104a, 104b are within the set, as shown in Figure 3 of the drawings that follow.
- the NEPKEY encrypted UPEK is saved on the hard drive. Thus the UPEK is not known outside of the CGD 10.
- the generation of the Spk (NEPKEY) and TN EPKEY (UPEK) are carried out in the set-up stage. There may be several UPEKs in a CGD 10.
- the input user password is hashed to generate an output of predictable length, in this case 16 bytes.
- the primary reason for the HASH operation is to produce an irreversible result .
- the encrypted NEPKEY is retrieved from the PC hard drive 16 and decrypted by the CGD 10 to obtain the NEPKEY.
- the NEPKEY encrypted UPEK is retrieved and decrypted by the
- the UPEK is encrypted by the HASH output from 100 and an enhanced password output of desired character length output.
- This enhanced password is stored, usually in the header portion of an application or document.
- the password enhancing application When access is sought to the application or document, the password enhancing application is activated and upon a user password being entered it is password enhanced as set out above, the result being compared with the password stored for the application or document. This comparison is carried out by the application itself, not by the CGD 10 that produces the enhanced password. As a modification the password checking can be carried out by the CGD 10 if it is loaded with appropriate software.
- the CGD 10 is configured so that it will only accept one user password per second.
- the gap between acceptable inputs for password enhancing can be varied to provide additional security.
- New NEPKEYs can be entered when required, preferably from a secure source so that the NEPKEY cannot be intercepted.
- the HASH operation output length can be varied as a matter of design device. Normally it will be 64 to 128 bytes.
- new NEPKEYs can be downloaded into the CGD 10 using a security protocol.
- the PC From a mode 200 in which the PC 2 is operating normally, an access is requested either to functions or data, the PC checks 202 to determine whether the function or data (say a file) is password protected. If not, the "NO" branch is followed and normal operation resumes with access permitted. If the function or data is password protected, the "YES" branch is followed and a suitable password is requested 204 and the character generating device is configured 206 to output additional characters according to a predetermined scheme.
- the device 10 may output "P7TTWR0".
- the actual output is substantially immaterial so long as it is in accordance with a predetermined relationship between the input key and output sequence from the device 10.
- the system determines if the password input is finished 212. This may be by detecting the input of a ⁇ ENTER> key, the length of input or some other characteristic . If the input is not finished, the system requires a further input keystroke. If the input is finished, the "YES” branch is followed and the input password is compared with a password in memory 214. If the password is correct, the "YES” branch is followed, the character generator is configured 216 so input passes normally access to the function or data is permitted and normal operation resumed. If the password is incorrect, the "NO" branch is followed and access is denied 218.
- the original password may also be input using this method and device.
- the user need never know or be concerned with the longer version of their password.
- keyboard keystrokes of "FRED" at the password request stage may generate : P7aTWR0X3NR?B2aR88CI9CcAB .
- the device and system is configured so that remote access to the PC 2 is not via the device 10 so that such remote access requires entry of the full (longer) password required by the processor. Accordingly, protection from external hacking is enhanced.
- the present invention can be embodied in hardware and/or software.
- the device is located in a keyboard.
- passwords may be of any signal or combination of signals and need not be “words” at all. While the present embodiment has been described for use on a PC, it will be appreciated that the present invention can equally be put into effect on other platforms, devices or equipment .
Abstract
Description
Claims
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU53811/99A AU5381199A (en) | 1998-08-20 | 1999-08-12 | Improvements in and relating to data communication |
JP2000566735A JP2002523941A (en) | 1998-08-20 | 1999-08-12 | Improvements in and related to data communication |
EP99939542A EP1105784A1 (en) | 1998-08-20 | 1999-08-12 | Improvements in and relating to data communication |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB9818186A GB9818186D0 (en) | 1998-08-20 | 1998-08-20 | Improvements in and relating to data communication |
GB9818186.0 | 1998-08-20 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2000011537A1 true WO2000011537A1 (en) | 2000-03-02 |
Family
ID=10837586
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/GB1999/002672 WO2000011537A1 (en) | 1998-08-20 | 1999-08-12 | Improvements in and relating to data communication |
Country Status (5)
Country | Link |
---|---|
EP (1) | EP1105784A1 (en) |
JP (1) | JP2002523941A (en) |
AU (1) | AU5381199A (en) |
GB (1) | GB9818186D0 (en) |
WO (1) | WO2000011537A1 (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2002082243A3 (en) * | 2001-04-05 | 2003-11-27 | Comodo Res Lab Ltd | Improvements in and relating to document verification |
US7596703B2 (en) * | 2003-03-21 | 2009-09-29 | Hitachi, Ltd. | Hidden data backup and retrieval for a secure device |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0549511A1 (en) * | 1991-12-26 | 1993-06-30 | International Business Machines Corporation | Method and system for delaying the activation of inactivity security mechnanisms in a multimedia data processing system |
WO1995026085A1 (en) * | 1994-03-18 | 1995-09-28 | Innovonics, Inc. | Methods and apparatus for interfacing an encryption module with a personal computer |
US5677952A (en) * | 1993-12-06 | 1997-10-14 | International Business Machines Corporation | Method to protect information on a computer storage device |
EP0809171A1 (en) * | 1996-03-25 | 1997-11-26 | Schlumberger Technologies, Inc. | Apparatus and method to provide security for a keypad processor of a transaction terminal |
US5768373A (en) * | 1996-05-06 | 1998-06-16 | Symantec Corporation | Method for providing a secure non-reusable one-time password |
-
1998
- 1998-08-20 GB GB9818186A patent/GB9818186D0/en not_active Ceased
-
1999
- 1999-08-12 JP JP2000566735A patent/JP2002523941A/en active Pending
- 1999-08-12 EP EP99939542A patent/EP1105784A1/en not_active Ceased
- 1999-08-12 AU AU53811/99A patent/AU5381199A/en not_active Abandoned
- 1999-08-12 WO PCT/GB1999/002672 patent/WO2000011537A1/en active Application Filing
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0549511A1 (en) * | 1991-12-26 | 1993-06-30 | International Business Machines Corporation | Method and system for delaying the activation of inactivity security mechnanisms in a multimedia data processing system |
US5677952A (en) * | 1993-12-06 | 1997-10-14 | International Business Machines Corporation | Method to protect information on a computer storage device |
WO1995026085A1 (en) * | 1994-03-18 | 1995-09-28 | Innovonics, Inc. | Methods and apparatus for interfacing an encryption module with a personal computer |
EP0809171A1 (en) * | 1996-03-25 | 1997-11-26 | Schlumberger Technologies, Inc. | Apparatus and method to provide security for a keypad processor of a transaction terminal |
US5768373A (en) * | 1996-05-06 | 1998-06-16 | Symantec Corporation | Method for providing a secure non-reusable one-time password |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2002082243A3 (en) * | 2001-04-05 | 2003-11-27 | Comodo Res Lab Ltd | Improvements in and relating to document verification |
US7596703B2 (en) * | 2003-03-21 | 2009-09-29 | Hitachi, Ltd. | Hidden data backup and retrieval for a secure device |
Also Published As
Publication number | Publication date |
---|---|
GB9818186D0 (en) | 1998-10-14 |
AU5381199A (en) | 2000-03-14 |
JP2002523941A (en) | 2002-07-30 |
EP1105784A1 (en) | 2001-06-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6044155A (en) | Method and system for securely archiving core data secrets | |
US8966276B2 (en) | System and method providing disconnected authentication | |
US20040101142A1 (en) | Method and system for an integrated protection system of data distributed processing in computer networks and system for carrying out said method | |
EP0976049B1 (en) | Method and apparatus for controlling access to encrypted data files in a computer system | |
US6339828B1 (en) | System for supporting secured log-in of multiple users into a plurality of computers using combined presentation of memorized password and transportable passport record | |
US6950523B1 (en) | Secure storage of private keys | |
US7702922B2 (en) | Physical encryption key system | |
AU2003203712B2 (en) | Methods for remotely changing a communications password | |
US20080025514A1 (en) | Systems And Methods For Root Certificate Update | |
US20020038429A1 (en) | Data integrity mechanisms for static and dynamic data | |
US7836310B1 (en) | Security system that uses indirect password-based encryption | |
JPH11306088A (en) | Ic card and ic card system | |
WO2000079368A1 (en) | Software smart card | |
CA2529064A1 (en) | System and method for controlling usage of software on computing devices | |
US7194762B2 (en) | Method of creating password list for remote authentication to services | |
EP1105784A1 (en) | Improvements in and relating to data communication | |
Dobreva et al. | A Comparative Analysis of HOTP and TOTP Authentication Algorithms. Which one to choose? | |
KR100243347B1 (en) | Computer password protection method | |
Weeks et al. | CCI-Based Web security: a design using PGP | |
US10970407B2 (en) | Processes and related apparatus for secure access control | |
Ferenc | Security of Encryption Procedures and Practical Implications of Building a Quantum Computer | |
Alfina et al. | Comparative Analysis of Encryption-Decryption Data Use the Symmetrical Key Algorithm of Bit Inserted Carrier (BIC) | |
WO2000011538A1 (en) | Improvements in and relating to access control | |
Gerberick | Cryptographic key management | |
KR101669770B1 (en) | Device for authenticating password and operating method thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG US UZ VN YU ZA ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): GH GM KE LS MW SD SL SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | ||
WWE | Wipo information: entry into national phase |
Ref document number: 1999939542 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 09763103 Country of ref document: US |
|
WWP | Wipo information: published in national office |
Ref document number: 1999939542 Country of ref document: EP |
|
REG | Reference to national code |
Ref country code: DE Ref legal event code: 8642 |