WO2000011538A1 - Improvements in and relating to access control - Google Patents

Publication number
WO2000011538A1
Authority
WO
WIPO (PCT)
Prior art keywords
password
combined
encrypted
code
controlling access
Application number
PCT/GB1999/002673
Inventor
Melih Abdulhayoglu
Original Assignee
Comodo Technology Development Limited
Application filed by Comodo Technology Development Limited
Priority to JP2000566736A
Priority to AU53812/99A
Priority to EP99939543A
Publication of WO2000011538A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Abstract

The present invention provides an access control device comprising means for receiving an input password, means for combining the input password with a pre-selected code thereby to produce a combined password, and means for decrypting encrypted code using the combined password. A corresponding method, program and carrier are also disclosed.

Description

IMPROVEMENTS IN AND RELATING TO ACCESS CONTROL
Field of the Invention
The present invention relates to access control devices and methods.
Background to the Invention
Password protection is often used to control access to data or software as a result of which considerable attention has been paid to the breaking of password protection.
Referring to Figure 1 of the drawings that follow, there is shown a representative flow diagram of a prior art password protection method, according to which a corresponding device operates. In the Figures the abbreviation "PW" is used for "password".
At 100 a selected password is entered. The password may be user-selected or allocated in some other way.
The selected password is stored (102) at a memory location within the device. The device then enters its normal operation (104) as part of which it determines as each access request is submitted whether this is a password protected access (106). If it is not a password protected access, the "NO" branch is followed and normal operation resumes. If it is a password protected access, the "YES" branch is followed and a password is requested (108). Upon input of a password, the input password is compared (110) with the password stored at a memory location. If the input password is the same as the stored password (112) the "YES" branch is followed and normal operation resumes (104). Otherwise, the "NO" branch is followed and access is denied (114). As is well known in the art, instead of denying access upon the first input of an erroneous password, a further try or several further tries may be permitted up to a predetermined number of attempts with an incremented tamper count upon each failed password entry.
In addition to denying access, alerts or alarms may be activated.
In the method and corresponding device described above, since the usual implementation is upon a digital computer, a de-bug program can be run alongside the password protection. Upon entry of any password, the de-bug program can follow the program to the memory location at which the correct password is stored for comparison purposes. The de-bug program can then be used to copy the stored password from that memory location for correct entry. In this way, the prior art method and corresponding device described above is vulnerable to attack and to the bypass of the password security even if the data is encrypted.
It is an aim of preferred embodiments of the present invention to obviate or overcome at least one disadvantage encountered in relation to the prior art, whether referred to herein or otherwise.
Summary of the Invention
According to the present invention in a first aspect there is provided an access control device comprising means for receiving an input password, means for combining the input password with a pre-selected code thereby to produce a combined password, and means for decrypting encrypted code using the combined password.
Suitably, the apparatus further comprises means for encrypting the combined password and the encrypted combined password is used for decryption.
According to the present invention in a second aspect, there is provided a method of controlling access, which method comprises the steps of receiving an input password, combining the input password with a predetermined code to produce a combined password, and decrypting encrypted code using the combined password.
Suitably, the combined password is encrypted and the encrypted combined password is used for decrypting encrypted code.
Suitably, the encrypted combined password is a key for decryption of the encrypted code.
Suitably, the password is an alphanumeric string. Suitably, the code is an alphanumeric string.
Suitably, the pre-stored access password comprises a pre-selected password combined with the predetermined code, which combination is encrypted.
Normally the combined pre-selected password is encrypted according to the encryption algorithm used for the combined password. Suitably, the encryption is substantially unreversible (asymmetric). Typically, the encryption algorithm will be a public key algorithm.
According to the present invention in a third aspect, there is provided a computer program for executing the method of the second aspect of the invention.
According to the present invention in a fourth aspect, there is provided a carrier comprising a computer program according to the third aspect of the invention.
Brief Description of the Figures
The present invention will now be described, by way of example only, with reference to the drawings that follow; in which:
Figure 1 is a representative flow diagram of a prior art access control method.
Figure 2 is a representative functional flow diagram of an access control method according to the present invention.
Description of the Preferred Embodiments
Referring to Figure 2 of the drawings that follow, there is shown a flow diagram illustrating a method according to the present invention, according to which method a corresponding device may operate. At (200) a password is selected. As with the prior device and method, the password may be user-selected or chosen in some other way.
The selected password is then combined (202) with a longer password string at pre-selected locations therewithin. This produces a combined password which is encoded (204). Normally, the encoding step will comprise a public key, substantially irreversible, encryption, but in theory could be as simple as carrying out an AND or XOR operation.
The encrypted combined password is used as an encryption key to encrypt data (206) which may be software. Notably, the encrypted combined password is not stored in any memory location. Following this the device enters normal operation (208) as part of which it checks (210) whether a requested data/software access is password protected. If the access is not password protected the "NO" branch is followed back to normal operation. Otherwise, the "YES" branch is followed and a request is made for a password to be input (212). Upon input of a password, it is inserted into pre-selected locations of the predetermined string (214). This is the same predetermined string with which the original password is combined (202). This produces a combined password which is encrypted at (216) using the same encryption as at (204).
The encrypted combined password is used as a decryption key to decrypt the encrypted data/software to which access is sought. Therefore only entry of a correct password will properly decrypt the data/software. By way of example, therefore, at step (200), the password "FRED" may be entered by a user. The selected password is combined with the string A7BX2Q66FEAR3YD at locations subsequent to characters 2, 6, 9 and 13 (by order). This produces (202) the following combined result: A7FBXS2RQ66EFEARD3YD. The underlined letters are the password letters inserted at pre-selected points within the longer string. They are underlined for the purposes of explanation only.
At step (204), the combined password is encrypted according to any encryption method. Preferably, a public key encryption is used but this need not be the case. This may result in an output as follows: 3XTAV278BAD99X. The encrypted result need not be the same length as the combined password. The encrypted combined password is then used as an encryption key to encrypt data or software. If password protected access is sought (210), an input password is requested (212). Here, if an incorrect password is entered, for instance "MOUSE", it will be combined (214) with the pre-selected string at the preselected locations to give the following result A7MBXS20Q66UFEARS3YED. This combined input password is then encrypted (216) according to the same encryption used at step (204) and used as a decryption key to decrypt the encrypted data. As the key is wrong the decryption will be inaccurate.
In the case of the correct password "FRED" being input at (212), it will be inserted at the corresponding locations and encrypted, and will correspond to the key used for encryption. Thus when used as a decryption key it will accurately decrypt the data. Accordingly, neither the password to be used by the user nor the decryption key is stored anywhere within the device. Thus, by inspection of the device running, for instance, a de-bug program, an unauthorised user would not be able to gain access to the necessary password nor to the decryption key.
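The flow of steps (200) to (216) described above, as an added Python example that is not part of the patent text: the password is inserted into the base string, the combined string goes through a one-way step, and the result keys the cipher without being stored. Assumptions: PBKDF2-HMAC-SHA256 stands in for the "substantially irreversible" encryption, an HMAC-based keystream stands in for the data cipher, the salt and payload are constructed, the base string is the 16-character string that reproduces both combined results on the page, and the fifth insertion point and the integrity tag are additions that let a wrong password be detected instead of silently yielding garbage.

```python
import hashlib
import hmac

# Assumption: the page prints the base string as A7BX2Q66FEAR3YD, but both
# combined results it gives are reproduced only by this 16-character string.
BASE = "A7BXS2Q66FEAR3YD"
# After characters 2, 6, 9 and 13 as on the page; 15 is an assumption needed
# for the fifth letter of "MOUSE".
LOCATIONS = (2, 6, 9, 13, 15)
SALT = b"constructed-salt"  # constructed value; the patent describes no salt


def combine(password, base=BASE, locations=LOCATIONS):
    """Steps 202/214: insert the i-th password character after base character locations[i]."""
    if len(password) > len(locations):
        raise ValueError("password longer than the number of insertion points")
    out, prev = [], 0
    for ch, loc in zip(password, locations):
        out.append(base[prev:loc])
        out.append(ch)
        prev = loc
    out.append(base[prev:])
    return "".join(out)


def derive_keys(password):
    """Steps 204/216: one-way transform of the combined password.

    PBKDF2 is a stand-in chosen for this example. Returns (cipher key, tag key);
    both are recomputed on every access and never written anywhere.
    """
    material = hashlib.pbkdf2_hmac(
        "sha256", combine(password).encode(), SALT, 100_000, dklen=64
    )
    return material[:32], material[32:]


def keystream_xor(key, data):
    """Illustrative stream cipher: XOR data with HMAC-SHA256(key, block offset)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def protect(password, data):
    """Step 206: encrypt under the derived key and return tag + ciphertext only."""
    enc_key, tag_key = derive_keys(password)
    ciphertext = keystream_xor(enc_key, data)
    tag = hmac.new(tag_key, ciphertext, hashlib.sha256).digest()
    return tag + ciphertext


def access(password, blob, verify=True):
    """Steps 212-216 and decryption.

    verify=False reproduces the patent's behaviour (a wrong password simply
    decrypts inaccurately); verify=True returns None for a wrong password.
    """
    enc_key, tag_key = derive_keys(password)
    tag, ciphertext = blob[:32], blob[32:]
    expected = hmac.new(tag_key, ciphertext, hashlib.sha256).digest()
    if verify and not hmac.compare_digest(tag, expected):
        return None
    return keystream_xor(enc_key, ciphertext)


if __name__ == "__main__":
    blob = protect("FRED", b"constructed payload")
    print(combine("FRED"), combine("MOUSE"))
    print(access("FRED", blob), access("MOUSE", blob))
    print(access("MOUSE", blob, verify=False))
```

Nothing that a debugger could read back out of storage equals the password or the key, but the stored ciphertext and tag still let an attacker test password guesses offline, so the cost of the one-way step is what bounds that attack.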
Although reference is made herein to "passwords" it will be appreciated that this could be any signal or combination of signals and need not be a word at all.
A device operating as set out above with reference to preferred embodiments of the invention may be embodied in computer software in a digital computer or otherwise, for instance on a carrier such as a floppy disk, compact disk or hard drive.
The reader's attention is directed to all papers and documents which are filed concurrently with or previous to this specification in connection with this application and which are open to public inspection with this specification, and the contents of all such papers and documents are incorporated herein by reference.
All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and/or all of the steps of any method or process so disclosed, may be combined in any combination, except combinations where at least some of such features and/or steps are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise. Thus, unless expressly stated otherwise, each feature disclosed is one example only of a generic series of equivalent or similar features.
The invention is not restricted to the details of the foregoing embodiment(s). The invention extends to any novel one, or any novel combination, of the features disclosed in this specification (including any accompanying claims, abstract and drawings), or to any novel one, or any novel combination, of the steps of any method or process so disclosed.

Claims

1. An access control device comprising means for receiving an input password, means for combining the input password with a pre-selected code thereby to produce a combined password, and means for decrypting encrypted code using the combined password.
2. An access control device according to claim 1, in which the apparatus further comprises means for encrypting the combined password and the encrypted combined password is used for decryption.
3. A method of controlling access, which method comprises the steps of receiving an input password, combining the input password with a predetermined code to produce a combined password, and decrypting encrypted code using the combined password.
4. A method of controlling access according to claim 3, in which the combined password is encrypted and the encrypted combined password is used for decrypting encrypted code.
5. A method of controlling access according to claim 3 or claim 4, in which the encrypted combined password is a key for decryption of the encrypted code.
6. A method of controlling access according to any one of claims 3 to 5, in which the password is an alphanumeric string.
7. A method of controlling access according to claim 6, in which the code is an alphanumeric string.
8. A method of controlling access according to any preceding claim, in which the pre-stored access password comprises a pre-selected password combined with the predetermined code, which combination is encrypted.
9. A method of controlling access according to claim 8, in which the combined pre-selected password is encrypted according to the encryption algorithm used for the combined password.
10. A method of controlling access according to claim 9, in which the encryption is substantially unreversible (asymmetric).
11. A method of controlling access according to claim 10, in which the encryption algorithm will be a public key algorithm.
12. A computer program for carrying out the method of any one of claims 3 to 11.
13. A carrier comprising a computer program according to claim 12.
PCT/GB1999/002673 1998-08-20 1999-08-12 Improvements in and relating to access control WO2000011538A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
JP2000566736A JP2002523942A (en) 1998-08-20 1999-08-12 Improved access management and improvements related to access management
AU53812/99A AU5381299A (en) 1998-08-20 1999-08-12 Improvements in and relating to access control
EP99939543A EP1105785A1 (en) 1998-08-20 1999-08-12 Improvements in and relating to access control

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB9818187.8 1998-08-20
GB9818187A GB9818187D0 (en) 1998-08-20 1998-08-20 Improvements in and relating to access control

Publications (1)

Publication Number Publication Date
WO2000011538A1 (en) 2000-03-02

Family

ID=10837587

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB1999/002673 WO2000011538A1 (en) 1998-08-20 1999-08-12 Improvements in and relating to access control

Country Status (5)

Country Link
EP (1) EP1105785A1 (en)
JP (1) JP2002523942A (en)
AU (1) AU5381299A (en)
GB (1) GB9818187D0 (en)
WO (1) WO2000011538A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102016012191A1 (en) * 2016-10-12 2018-04-12 Uwe Zühlke Method for increasing the protection of password-protected computers and computer systems against hacker attacks

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5485519A (en) * 1991-06-07 1996-01-16 Security Dynamics Technologies, Inc. Enhanced security for a secure token code
US5677952A (en) * 1993-12-06 1997-10-14 International Business Machines Corporation Method to protect information on a computer storage device
US5768373A (en) * 1996-05-06 1998-06-16 Symantec Corporation Method for providing a secure non-reusable one-time password

Also Published As

Publication number Publication date
AU5381299A (en) 2000-03-14
EP1105785A1 (en) 2001-06-13
GB9818187D0 (en) 1998-10-14
JP2002523942A (en) 2002-07-30

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SL SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 1999939543

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 09763102

Country of ref document: US

WWP Wipo information: published in national office

Ref document number: 1999939543

Country of ref document: EP

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

WWW Wipo information: withdrawn in national office

Ref document number: 1999939543

Country of ref document: EP