Browse Prior Art Database

Storage of passwords encrypted with a public key to allow for password recovery Disclosure Number: IPCOM000240996D
Publication Date: 2015-Mar-17
Document File: 1 page(s) / 32K

Publishing Venue

The Prior Art Database


A method to allow recovery of passwords stored in a directory for the purposes of directory migration

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.

Page 01 of 1

Storage of passwords encrypted with a public key to allow for password recovery

When migrating from one user repository to another, it is impossible to migrate passwords where these are stored (at the source repository) using a non-reversible function which is not supported by the destination repository. Storage of passwords in this way is common practice in order to prevent repository administrators (or others who gain direct access to the repository data) from acquiring user passwords.

    One known solution to this problem is to set up functionality within the destination repository (or within the applications using it) so that, for a period after migration, presented passwords are validated against the source repository and then populated into the destination repository. This solution is only possible where the required functionality can be introduced and is often complex to implement. It also requires that the source and destination repositories are run in parallel for some period of time.

    An additional solution is required which protects password data in a repository during normal use while still allowing for a complete migration of password data when required.

    Solution: Passwords are stored in two forms. The first form is created using a non-reversible function (this is standard practice). The second form is created by encrypting the password with a public key.

    The private key associated with the public key is securely stored in escrow (with a level of security appropriate for the passwords it protects).

    In normal operation, password validation is performed (in the normal way) using the non-r...