
Method of Authenticated Password or Passphrase Changing

IP.com Disclosure Number: IPCOM000106480D
Original Publication Date: 1993-Nov-01
Included in the Prior Art Database: 2005-Mar-21
Document File: 6 page(s) / 289K

Publishing Venue

IBM

Related People

Johnson, DB: AUTHOR (and 3 other related people)

Abstract

In a distributed computing environment, a user at one computing node may request services located at another computing node connected to the user's node through a communication network. It is often desirable or mandatory that the service or operation to be executed by the node that receives the request be afforded only to a select set of requesting users. Many techniques for solving the problem of authenticating requests to a serving node rely on the use of a secret such as a key or password, knowledge of which is shared by the user and the serving (or access granting) node. It is highly desirable in such a system for a user to be able to periodically change this secret information by submitting a request to the access granting node to change the secret value to a new value chosen by the user.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 18% of the total text.

Method of Authenticated Password or Passphrase Changing

      In a distributed computing environment, a user at one computing node may request services located at another computing node connected to the user's node through a communication network.  It is often desirable or mandatory that the service or operation to be executed by the node that receives the request be afforded only to a select set of requesting users.  Many techniques for solving the problem of authenticating requests to a serving node rely on the use of a secret such as a key or password, knowledge of which is shared by the user and the serving (or access granting) node.  It is highly desirable in such a system for a user to be able to periodically change this secret information by submitting a request to the access granting node to change the secret value to a new value chosen by the user.  The term passphrase, as used in this discussion, refers to an extension of the password concept that allows a text string that includes space characters to be used as a password and that is typically longer than a password.  As a passphrase allows a longer string than a typical password and multiple words instead of a single word, a passphrase may be memorable and still contain significant variability.  As the passphrase may make sense, it will likely be easier to remember than a password that would contain the same variability as the passphrase.  This disclosure will refer to the user's password, passphrase or key as a passphrase, since passwords and keys can be considered as subsets of the possible values for a passphrase and the method described here will handle all possible values in the same way, i.e., as a passphrase.  Through the use of a passphrase, the user is able to achieve sufficient variability in the derived key to ensure security, as defined by an installation or organization.

      Disclosed is a method for authenticating and implementing a passphrase change request from a user in a distributed environment where the user's change request must pass across a public or private communication network to reach a node where knowledge of the passphrase is required to enforce an access control scheme.  The passphrase changing mechanism described here can be extended to other access control schemes, as long as the scheme allows the passwords or passphrases to be stored as cryptographic keys at the access granting computing node.  This method has the following important characteristics:

1.  The actual value of the user's new passphrase does not have to be transmitted in the user's request.  Instead, a cryptographically derived form of the new passphrase is included in the request and is deciphered at the access granting node where the passphrase information must be stored.  The user's actual passphrase is concealed and is therefore protected from unauthorized disclosure by interception or eavesdropping when it passes acr...
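The characteristic above, as an added worked example that is not part of the disclosure (the disclosure names no particular algorithms): both nodes derive a key from the passphrase, the requesting node conceals and authenticates the key derived from the new passphrase under the key derived from the current one, and the access granting node verifies the request with its stored key before deciphering and storing the new key. PBKDF2, the HMAC-based keystream, the per-user salt and the message layout are all assumptions of this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor; tune for the installation

def user_salt(user: str) -> bytes:
    # Assumption: a per-user salt both nodes can compute (a stored random salt is better)
    return hashlib.sha256(b"passphrase-salt:" + user.encode()).digest()

def passphrase_to_key(passphrase: str, user: str) -> bytes:
    # The access granting node stores this derived key, never the passphrase text
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), user_salt(user), ITERATIONS, 32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 counter-mode keystream derived from the current (old) key
    out, block, counter = b"", b"", 0
    while len(out) < length:
        counter += 1
        block = hmac.new(key, block + nonce + bytes([counter]), "sha256").digest()
        out += block
    return out[:length]

def _tag(key: bytes, user: str, nonce: bytes, ct: bytes) -> bytes:
    # Binds the concealed new key to the user name and nonce under the old key
    return hmac.new(key, b"change-request|" + user.encode() + b"|" + nonce + ct, "sha256").digest()

def build_change_request(user: str, old_pp: str, new_pp: str) -> dict:
    """Requesting node: send only a concealed, authenticated form of the new key."""
    old_key = passphrase_to_key(old_pp, user)
    new_key = passphrase_to_key(new_pp, user)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(new_key, _keystream(old_key, nonce, len(new_key))))
    return {"user": user, "nonce": nonce, "ct": ct, "tag": _tag(old_key, user, nonce, ct)}

def apply_change_request(store: dict, req: dict) -> bool:
    """Access granting node: verify with the stored key, then decipher and replace it."""
    entry = store.get(req["user"])
    if entry is None:
        return False
    old_key = entry["key"]
    if not hmac.compare_digest(_tag(old_key, req["user"], req["nonce"], req["ct"]), req["tag"]):
        return False  # wrong old passphrase, tampered request, or replay after a rotation
    entry["key"] = bytes(a ^ b for a, b in zip(req["ct"], _keystream(old_key, req["nonce"], len(req["ct"]))))
    return True
```

Because the tag is computed under the key the node currently holds, a captured request replayed after the change has been applied no longer verifies, and a request built from a wrong old passphrase is rejected without touching the stored key.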