
Improved password based solution for authentication and authorization

IP.com Disclosure Number: IPCOM000236935D
Original Publication Date: 2014-May-22
Included in the Prior Art Database: 2014-May-22
Document File: 4 page(s) / 250K

Publishing Venue

Linux Defenders

Related People

Ulf Björkengren: AUTHOR

Abstract

Passwords are the most common way of providing security in situations such as card payments in shops or on the web, and in many similar situations. Their weaknesses are well known, and most of them stem from passwords not being complex enough, largely because complex passwords are inconvenient for the user. One existing remedy is for the user to keep a protected password database containing all of his passwords, so that only the password that unlocks the database needs to be remembered. This has its own problems: the password protecting the database may not be strong enough if an attacker obtains a copy of the database, and the database password can be intercepted when it is entered to unlock the database. A better solution is possible if the user has a device that implements a Trusted Platform Module (TPM). The endpoint requesting password verification could then set up a secure channel directly to the database management endpoint running in the TPM, so that the sensitive password data is never exposed unprotected. That solution, however, does not map easily onto legacy deployments, where the user typically keys the password into an input field in the UI of an input device, and upgrading all legacy hardware to support it would be excessively expensive. The idea proposed provides improved secure password handling that can be mapped onto legacy hardware and procedures, requiring only a secure domain for managing the user's password database and moderate modifications of the legacy software.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 26% of the total text.


Problem formulation

Passwords are the most common way of providing security in situations such as card payments in shops or on the web, and in many similar situations. Their weaknesses are well known, and most of them stem from passwords not being complex enough, largely because complex passwords are inconvenient for the user.

One existing remedy is for the user to keep a protected password database containing all of his passwords, so that only the password that unlocks the database needs to be remembered. This has its own problems: the password protecting the database may not be strong enough if an attacker obtains a copy of the database, and the database password can be intercepted when it is entered to unlock the database.

A better solution is possible if the user has a device that implements a Trusted Platform Module (TPM). The endpoint requesting password verification could then set up a secure channel directly to the database management endpoint running in the TPM, so that the sensitive password data is never exposed unprotected. That solution, however, does not map easily onto legacy deployments, where the user typically keys the password into an input field in the UI of an input device. Upgrading all legacy hardware to support it would be excessively expensive.

The idea proposed provides improved secure password handling that can be mapped onto legacy hardware and procedures, requiring only a secure domain for managing the user's password database and moderate modifications of the legacy software.

Basic solution

The basic principle behind the idea is that the endpoint requesting verification starts by generating a humanly readable challenge, which is presented to the user. The user forwards this challenge to the password manager running in a secure domain, which combines it with the password from the database, feeds the combined data into a non-reversible function, transforms the result into a humanly readable string, and returns that string to the user. The user then returns the string to the verifying endpoint as the response to the challenge, and the endpoint compares it with the string it has itself computed by the same procedure. If the two strings match, this is evidence that the user has access to the permanent password, even though the password itself was never keyed in or transmitted.
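The exchange described above, as an added worked example that is not code from the disclosure. The disclosure does not name the non-reversible function or the readable encoding; this example assumes HMAC-SHA256 keyed with the stored password, a base32 encoding truncated to 8 characters, and a challenge alphabet without easily confused characters. The password, site name and user id are constructed sample data, and the SPDM is an ordinary Python object rather than a secure domain.

```python
"""Challenge/response password flow between a password requesting endpoint (PRE)
and a secure password database manager (SPDM). Added illustration; HMAC-SHA256,
base32 truncation and the sample data are assumptions, not from the disclosure."""
import base64
import hashlib
import hmac
import secrets

# Letters/digits that are unlikely to be confused when a person transcribes
# them between two screens (no 0/O, 1/I/L). Assumed alphabet.
CHALLENGE_ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
CHALLENGE_LEN = 8
RESPONSE_LEN = 8  # 8 base32 chars = 40 bits; short enough to key in by hand


def humanly_readable(digest: bytes, length: int = RESPONSE_LEN) -> str:
    """Transform a raw digest into a string a user can read and key in."""
    return base64.b32encode(digest).decode("ascii")[:length]


def compute_response(password: bytes, challenge: str) -> str:
    """Combine the challenge with the stored password through a non-reversible
    function. Both SPDM and PRE run exactly this procedure."""
    mac = hmac.new(password, challenge.encode("ascii"), hashlib.sha256).digest()
    return humanly_readable(mac)


class PasswordRequestingEndpoint:
    """PRE: issues a fresh challenge per attempt and verifies the typed response."""

    def __init__(self, password_db: dict):
        self._db = password_db            # user id -> password bytes (shared secret)
        self._outstanding: dict = {}      # user id -> challenge awaiting a response

    def new_challenge(self, user_id: str) -> str:
        # Unpredictable and single-use, so a response captured from one session
        # cannot be replayed into a later one.
        ch = "".join(secrets.choice(CHALLENGE_ALPHABET) for _ in range(CHALLENGE_LEN))
        self._outstanding[user_id] = ch
        return ch

    def verify(self, user_id: str, response: str) -> bool:
        ch = self._outstanding.pop(user_id, None)  # consume the challenge
        if ch is None or user_id not in self._db:
            return False
        expected = compute_response(self._db[user_id], ch)
        return hmac.compare_digest(expected, response.strip().upper())


class SecurePasswordDatabaseManager:
    """SPDM: holds the passwords and answers challenges; a password never leaves it."""

    def __init__(self, password_db: dict):
        self._db = password_db  # site -> password bytes

    def respond(self, site: str, challenge: str) -> str:
        return compute_response(self._db[site], challenge)


def demo() -> dict:
    """One legitimate exchange, then a replay and a wrong-password attempt."""
    secret = b"correct horse battery staple"       # constructed sample password
    pre = PasswordRequestingEndpoint({"alice": secret})
    spdm = SecurePasswordDatabaseManager({"shop.example": secret})
    wrong_spdm = SecurePasswordDatabaseManager({"shop.example": b"not the password"})

    challenge = pre.new_challenge("alice")          # PRE shows this to the user
    response = spdm.respond("shop.example", challenge)  # user carries it to the SPDM
    legit = pre.verify("alice", response)           # user keys the response into the PRE
    replay = pre.verify("alice", response)          # same response again: challenge consumed
    challenge2 = pre.new_challenge("alice")
    wrong = pre.verify("alice", wrong_spdm.respond("shop.example", challenge2))
    return {"legit": legit, "replay": replay, "wrong": wrong,
            "challenge": challenge, "response": response}


if __name__ == "__main__":
    print(demo())
```

Two points the example makes visible that the description leaves implicit. First, the PRE must hold the password in a form it can recompute the response from, so on the PRE side the password is a shared secret rather than a salted one-way hash; compromise of the PRE's store still exposes it. Second, truncating the digest to something a person can type caps the response at a few tens of bits, so the PRE has to limit attempts per challenge and never reuse a challenge, which is why the example consumes the challenge on the first verification.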

Detailed solution

The idea involves the following entities: the password requesting endpoint (PRE), the password user interface node (PUIN), the user (USER), and the secure password database manager (SPDM), see figure 1 below. The typical partitioning of the PRE, PUIN and SPDM entities is that the PRE is at a remote location, while the PUIN and SPDM are in the local proximity of the USER. The PUIN and SPDM can be part of the s...