Method of pwd content verification from personal info perspective in SaaS environment

IP.com Disclosure Number: IPCOM000238683D
Publication Date: 2014-Sep-11
Document File: 3 page(s) / 34K

Publishing Venue

The IP.com Prior Art Database

Abstract

This article describes a new service for verifying passwords against personal/sensitive information, one that preserves security policies during communication between client and server.



Many applications, web pages and services require setting up a user ID and password in order to manage user privileges and privacy properly. There are many guides on what a strong password should look like (e.g. it should contain letters, numbers, capital letters etc.). A very common practice is that users pick as a password some meaningful words, dates or numbers from their past. This makes the password much easier to break: the number of options to check, even with a brute-force approach, decreases drastically.

The idea described below is a service (e.g. SaaS) which allows validating a password against a huge set of words: personal/sensitive information. It also preserves security policies thanks to the proposed homomorphic encryption. Because encryption is used, the server performs the calculations but does not know the data behind the encryption. What we want to protect by this disclosure is a method of password verification which can be safely separated from the user's system (so it can, for example, be provided as Software as a Service), based on:


1. the user's collected sensitive/personal information in the form of a hashed dictionary

2. sources of the dictionary (browser cache)

3. a mechanism of trigrams in order to minimize the set of words compared

4. a homomorphic (with respect to Levenshtein distance) encryption mechanism

Algorithm:

1. User provides the password

2. System creates the dictionary of hashed* words with the user's personal info (like names, ID numbers, dates from the past etc.).

3. System creates the set of trigrams from the password and hashes them with the same method

4. Bigrams and trigrams are compared to the dictionary content; words which have more than one hit are compared to the whole password

5. If any dictionary word is too close to the password in Levenshtein distance, the password is not accepted as secure, and proper information is displayed to the user


*The hashing needs to be one which preserves the Levenshtein distance (homomorphic encryption). The simplest example one can imagine is a function which shifts each letter K positions forward within a given order.
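To make steps 1 to 5 concrete, here is an added Python example; it is not part of the disclosure and not the service's own code. It assumes a fixed character order (lowercase letters followed by digits), a secret shift K=7 known only to the client, a rejection threshold of Levenshtein distance 2, and a small constructed personal-info list containing the name Clementine, which the page's example password clement1ne resembles. The names client_encode, server_verify and check_password are my own. The shift is the page's simplest illustration of a distance-preserving hash; as the code comments note, it is a substitution cipher rather than a cryptographic hash, so K must stay on the client side.

```python
"""Password check against a personal-information dictionary, following the
five steps of the disclosure. The client applies a distance-preserving
transformation (the page's "hashing") so the server can measure closeness
without seeing the cleartext. Everything here is a constructed example."""
import string
from collections import defaultdict

# Assumption: the fixed character order in which the K-shift is applied.
ALPHABET = string.ascii_lowercase + string.digits


def shift_encode(word: str, k: int) -> str:
    """The page's simplest distance-preserving "hash": move every character
    k positions forward in ALPHABET (case is folded first). Characters outside
    ALPHABET are kept as they are. The mapping is one-to-one per position, so
    substitution, insertion and deletion costs, and hence the Levenshtein
    distance, are unchanged. This is a substitution cipher, not a cryptographic
    hash: anyone who learns k can reverse it, so k never leaves the client."""
    out = []
    for ch in word.lower():
        idx = ALPHABET.find(ch)
        out.append(ALPHABET[(idx + k) % len(ALPHABET)] if idx >= 0 else ch)
    return "".join(out)


def levenshtein(a: str, b: str) -> int:
    """Edit distance by the standard dynamic-programming recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def trigrams(word: str) -> set:
    """All 3-character windows of a word (empty for words shorter than 3)."""
    return {word[i:i + 3] for i in range(len(word) - 2)}


def client_encode(password: str, personal_words, k: int):
    """Steps 1-3, run on the client: the password and every personal-info
    word are transformed with the same secret shift k."""
    return shift_encode(password, k), [shift_encode(w, k) for w in personal_words]


def server_verify(hashed_pwd: str, hashed_words, max_distance: int = 2):
    """Steps 4-5, run on the server, which only ever sees shifted data.
    Returns (accepted, list of hashed dictionary words that are too close)."""
    index = defaultdict(set)            # hashed trigram -> hashed words
    for hw in hashed_words:
        for g in trigrams(hw):
            index[g].add(hw)
    hits = defaultdict(int)             # hashed word -> shared trigram count
    for g in trigrams(hashed_pwd):
        for hw in index.get(g, ()):
            hits[hw] += 1
    # Only words with more than one trigram hit get the full comparison;
    # the rest of the dictionary is never scored.
    candidates = [hw for hw, n in hits.items() if n > 1]
    too_close = [hw for hw in candidates
                 if levenshtein(hw, hashed_pwd) <= max_distance]
    return len(too_close) == 0, too_close


def check_password(password: str, personal_words, k: int = 7, max_distance: int = 2):
    """The whole client/server exchange in one call, for demonstration."""
    hashed_pwd, hashed_words = client_encode(password, personal_words, k)
    return server_verify(hashed_pwd, hashed_words, max_distance)


if __name__ == "__main__":
    # Constructed sample dictionary; the name matches the page's example password.
    personal = ["Clementine", "1987-04-12", "Warsaw"]
    for pwd in ("clement1ne", "x7$Qv!9zLw"):
        print(pwd, check_password(pwd, personal))
```

Running the block rejects clement1ne, which is one substitution away from the shifted name, and accepts a password that shares no shifted trigram with the dictionary. The trigram index is what keeps step 5 cheap: the server computes a full Levenshtein distance only for the few words that share more than one trigram with the password, not for the whole dictionary.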

Let's go into the details of the above approach:

Ad 1. User provides the password

During account/access creation the user is asked to provide a password. Example: the user tries to set up the password clement1ne


Ad 2. System creates the dictionary of hashed* words with the user's personal info (like names, ID numbers, dates from the past etc.).

The sources of personal information could be:

· personal information gathered by the employer about the employee (like name, surname, address, date of birth etc.) (if accessible)

· addres...