-
Publication No.: GB2541586A
Publication date: 2017-02-22
Application No.: GB201619635
Application date: 2015-05-19
Applicant: IBM
Inventor: JAN LEONHARD CAMENISCH , ANJA LEHMANN , GREGORY NEVEN
Abstract: Apparatus and methods are provided for use in multi-server authentication of user passwords. A password authentication system 1 includes an access control server 2 for communication with user computers 3 via a network 4. The access control server 2 controls access by the user computers 3 to a resource 5 in dependence on authentication of user passwords associated with respective user IDs. The system 1 further includes a plurality n of authentication servers 6, storing respective secret values, for communication with the access control server 2 via the network 4. For each user ID, the access control server 2 stores a first ciphertext produced by encrypting the user password associated with that ID using a predetermined algorithm dependent on the secret values of the authentication servers 6. The access control server 2 and authentication servers 6 are adapted such that, in response to receipt from a user computer 3 of a user ID and an input password, the access control server 2 communicates with a plurality k ≤ n of the authentication servers 6 to implement a password authentication protocol, requiring use by the k authentication servers of their respective secret values, in which a second ciphertext is produced by encrypting the input password using said predetermined algorithm, and the access control server 2 uses the first and second ciphertexts to determine whether the input password equals the user password for the received user ID. If so, the access control server 2 permits the user computer 3 access to the resource 5.
-
Publication No.: GB2530726B
Publication date: 2016-11-02
Application No.: GB201416888
Application date: 2014-09-25
Applicant: IBM
Inventor: JAN LEONHARD CAMENISCH , YOSSI GILAD , ANJA LEHMANN , ZOLTAN ARNOLD NAGY , GREGORY NEVEN
Abstract: Respective cryptographic shares of password data, dependent on a user password, are provided at n authentication servers. A number t1 ≤ n of the password data shares determine if the user password matches a password attempt. Respective cryptographic shares of secret data, enabling determination of a username for each verifier server, are provided at n authentication servers. A number t2 ≤ t1 of the shares reconstruct the secret data. For a password attempt, the user computer communicates with at least t1 authentication servers to determine if the user password matches the password attempt and, if so, the user computer receives at least t2 secret data shares from respective authentication servers. The user computer uses the secret data to generate, with T ≤ t1 of said t1 servers, a cryptographic token for authenticating the user computer to a selected verifier server, secret from said at least T servers, under said username.
-
Publication No.: GB2527603B
Publication date: 2016-08-10
Application No.: GB201411510
Application date: 2014-06-27
Applicant: IBM
Inventor: JAN LEONHARD CAMENISCH , ANJA LEHMANN , GREGORY NEVEN , STEPHAN KRENN
IPC: H04L9/32