Distributed password verification

US9876783B2 · US · B2

Patent metadata

Field                 Value
Publication number    US-9876783-B2
Application number    US-201514977690-A
Country               US
Kind code             B2
Filing date           Dec 22, 2015
Priority date         Dec 22, 2015
Publication date      Jan 23, 2018
Grant date            Jan 23, 2018

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Distribution of verification of passwords for electronic account. Password verification is distributed (divided) across multiple entities to reduce potential exposure in the event of a server exposure.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising:
  creating a first token on a first server based, at least in part, on a first set of client identifiers for a client and an encryption key, wherein: the first set of client identifiers includes: a first hashed password for the client, and a first username for the client, and the first token is encrypted;
  transmitting the first token from the first server to the client;
  adding, to a honeychecker registry on a second server, the first username, wherein the honeychecker registry is a list of valid usernames;
  deleting the first token and the first set of client identifiers from the first server;
  receiving, on the first server, a second token and a second set of client identifiers for the client, wherein: the second token is encrypted, the second token is equivalent to the first token, and the second set of client identifiers includes: a second hashed password, and a second username;
  decrypting the second token using a decryption key to reveal the first set of client identifiers;
  comparing the second hashed password to the first hashed password from the second token to verify an identity of the client;
  determining that the second username does not appear in the honeychecker registry; and
  denying, to the client, responsive to determining that the second username does not appear in the honeychecker registry, access to the account to prevent an unauthorized access;
  wherein: at least comparing the second hashed password to the first hashed password from the second token is performed by computer software running on computer hardware.

2. The method of claim 1, further comprising: logging the second username to an authentication log.

3. The method of claim 1, wherein creating the first token is further based, at least in part, on a device identifier for a device used by the client.

4. A computer program product comprising: a computer readable storage medium having stored thereon:
  first instructions executable by a device to cause the device to create a first token on a first server based, at least in part, on a first set of client identifiers for a client and an encryption key, wherein: the first set of client identifiers includes: a first hashed password for the client, and a first username for the client, and the first token is encrypted;
  second instructions executable by a device to cause the device to transmit the first token from the first server to the client;
  third instructions executable by a device to cause the device to add, to a honeychecker registry on a second server, the first username, wherein the honeychecker registry is a list of valid usernames;
  fourth instructions executable by a device to cause the device to delete the first token and the first set of client identifiers from the first server;
  fifth instructions executable by a device to cause the device to receive, on a second first server, the token and a second set of client identifiers for the client, wherein: the second token is encrypted, the second token is equivalent to the first token, and the second set of client identifiers includes: a second hashed password, and a second username;
  sixth instructions executable by a device to cause the device to decrypt the second token using a decryption key to reveal the first set of client identifiers; and
  seventh instructions executable by a device to cause the device to compare the second hashed password to the first hashed password from the second token to verify an identity of the client;
  eighth instructions executable by a device to cause the device to determine that the second username does not appear in the honeychecker registry; and
  ninth instructions executable by a device to cause the device to deny, to the client, responsive to determining that the second username does not appear in the honeychecker registry, access to the account to prevent an unauthorized access.

5. The computer program product of claim 4, further comprising: tenth instructions executable by a device to cause the device to log the second username to an authentication log.

6. The computer program product of claim 4, wherein first instructions to create the first token are further based, at least in part, on a device identifier for a device used by the client.

7. A computer system comprising: a processor set; and a computer readable storage medium; wherein: the processor set is structured, located, connected, and/or programmed to execute instructions stored on the computer readable storage medium; and the instructions include:
  first instructions executable by a device to cause the device to create a first token on a first server based, at least in part, on a first set of client identifiers for a client and an encryption key, wherein: the first set of client identifiers includes: a first hashed password for the client, and a first username for the client, and the first token is encrypted;
  second instructions executable by a device to cause the device to transmit the first token from the first server to the client;
  third instructions executable by a device to cause the device to add, to a honeychecker registry on a second server, the first username, wherein the honeychecker registry is a list of valid usernames;
  fourth instructions executable by a device to cause the device to delete the first token and the first set of client identifiers from the first server;
  fifth instructions executable by a device to cause the device to receive, on a second first server, the token and a second set of client identifiers for the client, wherein: the second token is encrypted, the second token is equivalent to the first token, and the second set of client identifiers includes: a second hashed password, and a second username;
  sixth instructions executable by a device to cause the device to decrypt the second token using a decryption key to reveal the first set of client identifiers; and
  seventh instructions executable by a device to cause the device to compare the second hashed password to the first hashed password from the second token to verify an identity of the client;
  eighth instructions executable by a device to cause the device to determine that the second username does not appear in the honeychecker registry; and
  ninth instructions executable by a device to cause the device to deny, to the client, responsive to determining that the second username does not appear in the honeychecker registry, access to the account to prevent an unauthorized access.

8. The computer system of claim 7, further comprising: tenth instructions executable by a device to cause the device to log the second username to an authentication log.

9. The computer system of claim 7, wherein first instructions to create the first token are further based, at least in part, on a device identifier for a device used by the client.

Assignees

IBM

Inventors

Classifications

  • with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys · CPC title

  • the encryption apparatus using shift registers or memories for block-wise {or stream} coding, e.g. DES systems {or RC4; Hash functions; Pseudorandom sequence generators} · CPC title

  • H04L63/083 (primary)

    using passwords (cryptographic mechanisms or cryptographic arrangements for entity authentication using a predetermined code H04L9/3226) · CPC title

  • including means for verifying the identity or authority of a user of the system {or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials} · CPC title

  • for supporting key management in a packet data network (cryptographic mechanisms or cryptographic arrangements for key management H04L9/08) · CPC title

Patent family

Related publications grouped by family.

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9876783B2 cover?
Distribution of verification of passwords for electronic account. Password verification is distributed (divided) across multiple entities to reduce potential exposure in the event of a server exposure.
Who is the assignee on this patent?
IBM
What technology area does this patent fall under?
Primary CPC classification H04L63/083. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jan 23, 2018 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 11 related publications on this page (citations in our corpus or others sharing the same primary CPC).