
Temporary Global Passwords

IP.com Disclosure Number: IPCOM000104201D
Original Publication Date: 1993-Mar-01
Included in the Prior Art Database: 2005-Mar-18
Document File: 4 page(s) / 116K

Publishing Venue

IBM

Related People

Ogden, WR: AUTHOR

Abstract

A workable, reasonably secure single-logon facility is a common requirement. This requirement implies additional security (authentication) requirements: a single-logon function gives the user additional authority, so the user should be more rigorously identified. One solution to these requirements involves the use of a "temporary global password". This concept is explained here. Terminology used includes: NV/AS (NetView* Access Services, a front-end terminal controller product), RACF* (Resource Access Control Facility, a security subsystem), VTAM* (Virtual Telecommunications Access Method), CICS*, TSO, IMS (common mainframe applications). The Figure illustrates the relationships of components discussed below.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 47% of the total text.

Temporary Global Passwords

      A key problem with single-logon functions is the management of
passwords.  Each major application (such as IBM's TSO, CICS, IMS, and
so forth) verifies a user's identity with a password check.
Passwords are usually kept in the RACF database (or an equivalent
security database).  The RACF program (or equivalent) is called to
perform the password check when the user logs onto an application.
Within a given mainframe, the RACF password is normally the same for
all applications.  Multiple mainframes may have different passwords
for a given user.  The user must remember and manage all different
passwords.  (An attempt may be made to keep them all set to the same
password, but this is difficult to practice.)  The challenge for a
single-logon function is to automatically and transparently log the
user onto a selected application without asking the user to provide
his password for that particular application.

      A common solution uses "recorded logons" which work well within
a single mainframe (or a single "security domain") but which do not
work well when multiple (remote) mainframes are involved.

Another solution is as follows:

1.  The user's terminal (assumed to be an IBM* 3270-type, but not
    limited to this) is connected to a front-end terminal manager in
    the mainframe.  IBM's NV/AS product is used in this example, but
    the concept may be extended to any similar product.

2.  The user's single-logon action is with NV/AS.  The user manually
    logs onto NV/AS.  Since a single-logon function is being
    provided, it is appropriate to require additional authentication
    (beyond a simple password) for this logon.  IBM document
    GG24-3712 ("Single-Logon and Secondary Authentication with NV/AS
    1.3 and RACF") describes an additional authentication method
    using a one-time password token.

3.  After the logon to NV/AS is complete, a new password is computed
    (by an extension to NV/AS) for the user.  This "temporary global
    password" has the following characteristics:

    o   It is unknown to the user, who never sees it.
    o   It is computed, not assigned.
    o   The computation involves the charac...
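Steps 1 to 3 above, as a runnable simulation. This is an added example for this page, not code from the disclosure or from IBM. The keyed-hash derivation of the temporary password, the second password slot in the simulated RACF database, the 8-character alphanumeric constraint and the withdrawal of the temporary password at logoff are assumptions of the example, since the disclosure's own computation is not on this page; the secondary check is a stand-in for the one-time-password token described in GG24-3712. All user IDs, passwords and token codes are constructed sample data.

```python
"""Single logon with a temporary global password, as a runnable simulation.
Added example, not the disclosure's code: the derivation, the two-slot
security database and the revocation at logoff are assumptions."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field

# Assumption: the applications' password checks accept 8 alphanumerics.
PASSWORD_ALPHABET = string.ascii_uppercase + string.digits
PASSWORD_LENGTH = 8


@dataclass
class SecurityDatabase:
    """Stand-in for one mainframe's RACF (or equivalent) database."""
    domain: str
    user_passwords: dict = field(default_factory=dict)       # managed by the user
    temporary_passwords: dict = field(default_factory=dict)  # installed by the front end

    def verify(self, userid: str, password: str, allow_temporary: bool = True) -> bool:
        """The password check an application (TSO, CICS, IMS) asks RACF to perform."""
        candidates = [self.user_passwords.get(userid)]
        if allow_temporary:
            candidates.append(self.temporary_passwords.get(userid))
        return any(c is not None and hmac.compare_digest(c, password) for c in candidates)


@dataclass
class Application:
    """An application that verifies identity with a password check in its domain."""
    name: str
    db: SecurityDatabase

    def logon(self, userid: str, password: str) -> bool:
        return self.db.verify(userid, password)


class FrontEnd:
    """Stand-in for NV/AS plus the extension that computes the temporary global password."""

    def __init__(self, home_db, all_dbs, secondary_check, key: bytes):
        self.home_db = home_db                  # domain the user logs onto manually
        self.all_dbs = all_dbs                  # every security domain the user may reach
        self.secondary_check = secondary_check  # e.g. a one-time-password token verifier
        self.key = key                          # secret held only by the front end (assumption)
        self.sessions = {}                      # userid -> temporary password, never shown to the user

    def compute_temporary_password(self, userid: str, nonce: bytes) -> str:
        """Hypothetical derivation: keyed hash over userid and a per-session nonce,
        mapped into the password alphabet. Computed, not assigned; fresh per session."""
        digest = hmac.new(self.key, userid.encode() + b"\0" + nonce, hashlib.sha256).digest()
        n, chars = int.from_bytes(digest, "big"), []
        for _ in range(PASSWORD_LENGTH):
            n, idx = divmod(n, len(PASSWORD_ALPHABET))
            chars.append(PASSWORD_ALPHABET[idx])
        return "".join(chars)

    def single_logon(self, userid: str, password: str, token_code: str) -> bool:
        """Steps 2 and 3: manual logon with password plus secondary authentication,
        then compute the temporary password and install it in every domain."""
        if not (self.home_db.verify(userid, password, allow_temporary=False)
                and self.secondary_check(userid, token_code)):
            return False
        temp = self.compute_temporary_password(userid, secrets.token_bytes(16))
        for db in self.all_dbs:
            db.temporary_passwords[userid] = temp
        self.sessions[userid] = temp
        return True

    def transparent_logon(self, userid: str, app: Application) -> bool:
        """Log the user onto an application without asking for that application's password."""
        temp = self.sessions.get(userid)
        return temp is not None and app.logon(userid, temp)

    def logoff(self, userid: str) -> None:
        """Assumption: the temporary password is withdrawn when the front-end session ends."""
        self.sessions.pop(userid, None)
        for db in self.all_dbs:
            db.temporary_passwords.pop(userid, None)


def run_scenario() -> dict:
    """Two mainframes holding different passwords for the same user (constructed data)."""
    mvs1, mvs2 = SecurityDatabase("MVS1"), SecurityDatabase("MVS2")
    mvs1.user_passwords["USER01"] = "ALPHA123"
    mvs2.user_passwords["USER01"] = "BRAVO456"
    tso, cics = Application("TSO", mvs1), Application("CICS", mvs2)
    tokens = {"USER01": "492817"}  # constructed one-time token code
    fe = FrontEnd(mvs1, [mvs1, mvs2], lambda u, code: tokens.get(u) == code, secrets.token_bytes(32))
    results = {"bad_token": fe.single_logon("USER01", "ALPHA123", "000000")}
    results["logon"] = fe.single_logon("USER01", "ALPHA123", "492817")
    temp = fe.sessions["USER01"]
    results["temp_is_fresh"] = temp not in ("ALPHA123", "BRAVO456")
    results["tso"] = fe.transparent_logon("USER01", tso)
    results["cics"] = fe.transparent_logon("USER01", cics)
    results["temp_not_for_front_end"] = fe.single_logon("USER01", temp, "492817")
    fe.logoff("USER01")
    results["cics_after_logoff"] = cics.logon("USER01", temp)
    results["user_password_intact"] = tso.logon("USER01", "ALPHA123")
    return results
```

Calling run_scenario() exercises the properties the list above asks for: the front-end logon fails without the secondary authentication, the temporary password is accepted by applications on both mainframes even though the user's own passwords there differ, it is never accepted for the manual front-end logon (so a leaked temporary password cannot bootstrap a new session), and it stops working once the front-end session ends while the user's own password is untouched. The keyed derivation is what makes the password "computed, not assigned": nothing about it has to be stored beyond the front end's key and the per-session nonce, and a user or application that learns one session's value learns nothing about the next.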