WO2005045550A2 - Password recovery system and method - Google Patents

Password recovery system and method Download PDF

Info

Publication number
WO2005045550A2
WO2005045550A2 PCT/GB2004/004612 GB2004004612W WO2005045550A2 WO 2005045550 A2 WO2005045550 A2 WO 2005045550A2 GB 2004004612 W GB2004004612 W GB 2004004612W WO 2005045550 A2 WO2005045550 A2 WO 2005045550A2
Authority
WO
WIPO (PCT)
Prior art keywords
computer system
data
recovery
computer
encrypted
Prior art date
Application number
PCT/GB2004/004612
Other languages
French (fr)
Other versions
WO2005045550A3 (en
Inventor
Bernard Parsons
Original Assignee
Becrypt Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Becrypt Limited filed Critical Becrypt Limited
Publication of WO2005045550A2 publication Critical patent/WO2005045550A2/en
Publication of WO2005045550A3 publication Critical patent/WO2005045550A3/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2131Lost password, e.g. recovery of lost or forgotten passwords

Definitions

  • the present invention relates to a peer assisted challenge/response system and method for computer password recovery.
  • Access control security for computer systems is commonly implemented using passwords.
  • a password In order for a password to provide a satisfactory level of security, it should not be associated with the user or be a simple word that can easily be guessed.
  • Security policies regarding password complexity and expiration vary between organisations. However, one problem is common to all password-based systems — when a password is lost or forgotten, a recovery mechanism is needed.
  • Challenge/response is commonly used for computer password recovery.
  • Passwords, or codes to bypass password systems or similar are held by, or registered with, a central system. If a user forgets his or her password, he or she contacts a help-desk at the central system. The help-desk authenticates the user or computer using information held about them and then provides a recovery code to the user. The recovery code allows a user to regain access to a locked machine and have their password reset.
  • the authentication data and recovery code is exchanged over an un-trusted communication channel, such as a public telephone system
  • an un-trusted communication channel such as a public telephone system
  • the authentication data and/or recovery codes may be intercepted by unauthorised individuals.
  • the data may then be used by such parties to attempt to gain unauthorised access to the computer system.
  • the risks of communicating such data over un-trusted communication channels are such that many organisations prohibit the use of such channels during password recovery. Whilst such a policy may be acceptable to organisations operating over a single site or those having secure communication channels easily available, most organisations, particularly where users are members of the public accessing the system from a remote site, do not such luxuries available and are forced to use un-trusted communications channels.
  • the present invention seeks to provide a method and system in which un-trusted communication channels can be used during password recovery without compromising security.
  • a password recovery system for recovering access to a first computer system
  • the password recovery system including a data repository storing data associated with the first computer system and a second computer system and/or their users, the data repository being arranged to accept authentication data from the first computer system or its user and verify the data in dependence on the stored data, wherein upon verification, the data repository is arranged to provide encrypted recovery data to said second computer system, the encrypted recovery data being decryptable by said second computer system, the recovery data including data for recovering access to said first computer system.
  • Each of the first and second computer systems are preferably protected using an encryption key, each computer system being arranged to encrypt the encryption key in dependence on a password of the user of the respective computer system and store the encrypted encryption key, the respective computer system being arranged to decrypt the encrypted encryption key upon authentication of the user via said password to allow access to said encryption key and to said computer system.
  • the system further comprises a recovery application further comprising a recovery application on each of the first and second computer systems, the data repository storing the encryption key for each computer system encrypted in dependence on encryption data, the recovery application storing said encryption data for the respective computer system, wherein the recovery data for the first computer system comprises the respective computer system's encryption key encrypted in dependence on encryption data.
  • the encrypted recovery data preferably comprises said recovery data further encrypted in dependence on the encryption key for the second computer system.
  • the encryption data may comprise pseudo-random data.
  • a method of password recovery for one of a number of computer system comprising: storing, remotely of said computer systems, data associated with the number of computer systems and or their respective users; accepting a first request for password recovery for a first one of said number of computer systems from the user of said first computer system; verifying said first request in dependence on said stored data; accepting a second request for password recovery for the first computer systems from a second one of said number of computer systems; encrypting recovery data for the first computer system using stored data associated with said second computer system; communicating the encrypted recovery data to the second computer system; decrypting the encrypted recovery data at the second computer system; and, applying the recovery data to the first computer system to permit password recovery.
  • the method further comprises: protecting said first and second computer systems using respective encryption keys; encrypting the respective encryption key at the respective computer system in dependence on a password of the user of the respective computer system; storing the encrypted encryption key in the respective computer system; and, decrypting the encrypted encryption key upon authentication of the user via said password to allow access to said encryption key and to said computer system.
  • the method may further comprise: storing, remotely of said computer systems, the encryption key for each computer system encrypted in dependence on encryption data; storing in each computer system the respective encryption data for the respective computer system, wherein the recovery data for the first computer system comprises the first computer system's encryption key encrypted in dependence on the first computer's encryption data.
  • the step of encrypting recovery data may comprise further encrypting said recovery data in dependence on the encryption key for the second computer system.
  • the present invention has been designed to assist with secure password recovery.
  • a password recovery mechanism is required where computer users have forgotten their computer password, and are subsequently denied access to a computer as a result of a security product or mechanism protecting the computer.
  • the security product would typically be providing encryption of data on the user's computer and include a user authentication mechanism.
  • Figure 1 is a schematic diagram of a password recovery system according to an embodiment of the present invention
  • Figure 2 is a schematic diagram illustrating the password recovery system of Figure 1 in operation.
  • Figure 1 is a schematic diagram of a password recovery system according to an embodiment of the present invention.
  • the password recovery system includes a first computer system 10, a second computer system 20, and a recovery system 40.
  • the first and second computer systems are registered with the recovery system 40 and are arranged to communicate with the recovery system 40 over an un-trusted communications channel 30.
  • data about the user(s) of the respective systems and/or data on the systems themselves is recorded in a repository 50.
  • a recovery application is also enabled on the respective systems 10, 20.
  • an encryption key (preferably a different key for each system) is associated with the respective computer system that allows the user's password to be bypassed and/or changed.
  • the encryption key is encrypted using pseudo-random data generated for each respective computer system 10, 20 and the encrypted encryption key is stored in the computer system's recovery application.
  • the pseudo-random data is stored in the data repository.
  • the recovery application may be software that is installed during registration, hardware that is installed or some combination of the two (such as a BIOS feature).
  • Figure 2 is a schematic diagram illustrating the password recovery system of Figure 1 in operation.
  • Password recovery of a first computer system 10 registered with the recovery system 40 requires the use of a second computer system 20 that has also been registered, such as a second laptop, to be involved in the password recovery process.
  • a user (user A) with a protected computer system 10 is locked out of the computer as a result of forgetting their password, they are required to locate a second user (user B) in possession of a computer system 20 protected by the same password recovery system.
  • step 100 user A contacts the recovery system 40 at which both computers 10, 20 are registered, and .provides information relating to their identity and/or data on the computer system 10.
  • step 110 user B accesses their own computer system 20, and runs the recovery application. Via the recovery application, user B interacts with the recovery system 40, providing information relating to their identity and/or data on their computer system 20.
  • step 120 as and when the recovery system 40 has authenticated the users and/or their computer systems 10, 20 in dependence on the data stored in the repository, it provides an encrypted recovery code to user B.
  • the recovery code preferably comprises the pseudo-random data stored for the first computer system 10.
  • the recovery code is encrypted using encryption data associated with the second computer system 20.
  • the recovery application running on User B's computer system 20 Upon receipt of the encrypted recovery code, the recovery application running on User B's computer system 20 is able to decrypt the recovery code which can then be entered into User A's computer system 10 via the recovery application on user A's computer system 10 in step 130.
  • the encrypted encryption key can be decrypted and the encryption key can then be accessed allowing subsequent access to the computer system 10 by User A and/or password change.
  • an encryption key (DK A ) used to protect a first computer is encrypted using a key encryption key (KKA) derived from the user's password.
  • the encrypted DK A (EDK A I) is stored on the computer.
  • Successful decryption of EDKAI occurs during normal user authentication.
  • a second encrypted copy of the DK A is stored within the data repository, such as a database, accessible to the help desk.
  • a second encrypted key (EDK A 2) is encrypted using some pseudo-random data (PRD) stored on the computer.
  • the database includes data relating to the computer and/or user to which an EDK A 2 belongs.
  • Password recovery entails the transmission of EDKA2, allowing software on the locked machine to recover DK A using PRD.
  • a second computer or computer system is involved.
  • An application run by the help-desk encrypts the recovery data using the data encryption key of the second computer DK ⁇ .
  • DK ⁇ data encryption key of the second computer
  • only the second computer can access the recovery data for the first computer.
  • unencrypted recovery data can only be obtained by use of a second computer, which itself must have been authenticated by entering a valid password to permit access to the data encryption key.
  • the data repository may be arranged to only communicate with authenticated systems, in this manner an authenticated system must act as communication intermediary for the unauthenticated computer system.
  • EDKA2 may be manually entered into the first machine, from which DK A may be recovered through PRD.
  • the PRD is randomly generated at the first computer each time a recovery code is required.
  • An encrypted version of PRD would be communicated to the data repository which would decrypt it and then encode it with DK A and re-encrypt the result using a key for the second, authenticated, computer.
  • the version of DKA that eventually arrives for use in recovering the first computer will be dependent on PRD.
  • the recovery code will only work once and the next time a recovery code is requested, the first computer will generate a different PRD and only accept a version of DK A that has been encoded using the new PRD.

Abstract

A password recovery system and method for recovering access to a first computer system is disclosed. The password recovery system includes a data repository storing data associated with the first computer system and a second computer system and/or their users, the data repository being arranged to accept authentication data from the first computer system or its user and verify the data in dependence on the stored data, wherein upon verification, the data repository is arranged to provide encrypted recovery data to said second computer system, the encrypted recovery data being decryptable by said second computer system, the recovery data including data for recovering access to said first computer system.

Description

PASSWORD RECOVERY SYSTEM AND METHOD
Field of the Invention The present invention relates to a peer assisted challenge/response system and method for computer password recovery.
Background to the Invention
Access control security for computer systems is commonly implemented using passwords. In order for a password to provide a satisfactory level of security, it should not be associated with the user or be a simple word that can easily be guessed. Security policies regarding password complexity and expiration vary between organisations. However, one problem is common to all password-based systems — when a password is lost or forgotten, a recovery mechanism is needed.
One common mechanism that is used is known as challenge/response. Challenge/response is commonly used for computer password recovery. Passwords, or codes to bypass password systems or similar, are held by, or registered with, a central system. If a user forgets his or her password, he or she contacts a help-desk at the central system. The help-desk authenticates the user or computer using information held about them and then provides a recovery code to the user. The recovery code allows a user to regain access to a locked machine and have their password reset.
Where the authentication data and recovery code is exchanged over an un-trusted communication channel, such as a public telephone system, there is a risk that the authentication data and/or recovery codes may be intercepted by unauthorised individuals. The data may then be used by such parties to attempt to gain unauthorised access to the computer system. The risks of communicating such data over un-trusted communication channels are such that many organisations prohibit the use of such channels during password recovery. Whilst such a policy may be acceptable to organisations operating over a single site or those having secure communication channels easily available, most organisations, particularly where users are members of the public accessing the system from a remote site, do not such luxuries available and are forced to use un-trusted communications channels.
Statement of Invention The present invention seeks to provide a method and system in which un-trusted communication channels can be used during password recovery without compromising security.
According to an aspect of the present invention, there is provided a password recovery system for recovering access to a first computer system, the password recovery system including a data repository storing data associated with the first computer system and a second computer system and/or their users, the data repository being arranged to accept authentication data from the first computer system or its user and verify the data in dependence on the stored data, wherein upon verification, the data repository is arranged to provide encrypted recovery data to said second computer system, the encrypted recovery data being decryptable by said second computer system, the recovery data including data for recovering access to said first computer system.
Each of the first and second computer systems are preferably protected using an encryption key, each computer system being arranged to encrypt the encryption key in dependence on a password of the user of the respective computer system and store the encrypted encryption key, the respective computer system being arranged to decrypt the encrypted encryption key upon authentication of the user via said password to allow access to said encryption key and to said computer system.
Preferably, the system further comprises a recovery application further comprising a recovery application on each of the first and second computer systems, the data repository storing the encryption key for each computer system encrypted in dependence on encryption data, the recovery application storing said encryption data for the respective computer system, wherein the recovery data for the first computer system comprises the respective computer system's encryption key encrypted in dependence on encryption data. The encrypted recovery data preferably comprises said recovery data further encrypted in dependence on the encryption key for the second computer system.
The encryption data may comprise pseudo-random data.
According to another aspect of the present invention, there is provided a method of password recovery for one of a number of computer system comprising: storing, remotely of said computer systems, data associated with the number of computer systems and or their respective users; accepting a first request for password recovery for a first one of said number of computer systems from the user of said first computer system; verifying said first request in dependence on said stored data; accepting a second request for password recovery for the first computer systems from a second one of said number of computer systems; encrypting recovery data for the first computer system using stored data associated with said second computer system; communicating the encrypted recovery data to the second computer system; decrypting the encrypted recovery data at the second computer system; and, applying the recovery data to the first computer system to permit password recovery.
Preferably the method further comprises: protecting said first and second computer systems using respective encryption keys; encrypting the respective encryption key at the respective computer system in dependence on a password of the user of the respective computer system; storing the encrypted encryption key in the respective computer system; and, decrypting the encrypted encryption key upon authentication of the user via said password to allow access to said encryption key and to said computer system.
The method may further comprise: storing, remotely of said computer systems, the encryption key for each computer system encrypted in dependence on encryption data; storing in each computer system the respective encryption data for the respective computer system, wherein the recovery data for the first computer system comprises the first computer system's encryption key encrypted in dependence on the first computer's encryption data.
The step of encrypting recovery data may comprise further encrypting said recovery data in dependence on the encryption key for the second computer system.
It will be appreciated that the present invention may be implemented in hardware, software or some combination of the two.
The present invention has been designed to assist with secure password recovery. A password recovery mechanism is required where computer users have forgotten their computer password, and are subsequently denied access to a computer as a result of a security product or mechanism protecting the computer. The security product would typically be providing encryption of data on the user's computer and include a user authentication mechanism.
Brief Description of the Drawings Embodiments of the present invention will now be described in detail, by way of example only, with reference to the accompanying drawings in which: Figure 1 is a schematic diagram of a password recovery system according to an embodiment of the present invention; and, Figure 2 is a schematic diagram illustrating the password recovery system of Figure 1 in operation.
Detailed Description
Figure 1 is a schematic diagram of a password recovery system according to an embodiment of the present invention.
The password recovery system includes a first computer system 10, a second computer system 20, and a recovery system 40. The first and second computer systems are registered with the recovery system 40 and are arranged to communicate with the recovery system 40 over an un-trusted communications channel 30. During registration of the computer systems 10, 20, data about the user(s) of the respective systems and/or data on the systems themselves is recorded in a repository 50. A recovery application is also enabled on the respective systems 10, 20.
For each computer system 10, 20, an encryption key (preferably a different key for each system) is associated with the respective computer system that allows the user's password to be bypassed and/or changed. The encryption key is encrypted using pseudo-random data generated for each respective computer system 10, 20 and the encrypted encryption key is stored in the computer system's recovery application. The pseudo-random data is stored in the data repository.
The recovery application may be software that is installed during registration, hardware that is installed or some combination of the two (such as a BIOS feature).
Figure 2 is a schematic diagram illustrating the password recovery system of Figure 1 in operation.
Password recovery of a first computer system 10 registered with the recovery system 40 requires the use of a second computer system 20 that has also been registered, such as a second laptop, to be involved in the password recovery process. When a user (user A) with a protected computer system 10 is locked out of the computer as a result of forgetting their password, they are required to locate a second user (user B) in possession of a computer system 20 protected by the same password recovery system.
In step 100, user A contacts the recovery system 40 at which both computers 10, 20 are registered, and .provides information relating to their identity and/or data on the computer system 10. In step 110, user B accesses their own computer system 20, and runs the recovery application. Via the recovery application, user B interacts with the recovery system 40, providing information relating to their identity and/or data on their computer system 20. In step 120, as and when the recovery system 40 has authenticated the users and/or their computer systems 10, 20 in dependence on the data stored in the repository, it provides an encrypted recovery code to user B. The recovery code preferably comprises the pseudo-random data stored for the first computer system 10. The recovery code is encrypted using encryption data associated with the second computer system 20. Upon receipt of the encrypted recovery code, the recovery application running on User B's computer system 20 is able to decrypt the recovery code which can then be entered into User A's computer system 10 via the recovery application on user A's computer system 10 in step 130. Upon entry of the code, the encrypted encryption key can be decrypted and the encryption key can then be accessed allowing subsequent access to the computer system 10 by User A and/or password change.
In a preferred embodiment, during security product installation, an encryption key (DKA) used to protect a first computer is encrypted using a key encryption key (KKA) derived from the user's password. The encrypted DKA (EDKAI) is stored on the computer. Successful decryption of EDKAI occurs during normal user authentication. For the purpose of password recovery, a second encrypted copy of the DKA is stored within the data repository, such as a database, accessible to the help desk. A second encrypted key (EDKA2) is encrypted using some pseudo-random data (PRD) stored on the computer.
The database includes data relating to the computer and/or user to which an EDKA2 belongs.
Password recovery entails the transmission of EDKA2, allowing software on the locked machine to recover DKA using PRD.
In a preferred embodiment of the present invention, a second computer or computer system is involved. An application run by the help-desk encrypts the recovery data using the data encryption key of the second computer DKβ. In this manner, only the second computer can access the recovery data for the first computer. In this way, even if a computer is stolen and/or the user is impersonated, unencrypted recovery data can only be obtained by use of a second computer, which itself must have been authenticated by entering a valid password to permit access to the data encryption key.
In one embodiment, the data repository may be arranged to only communicate with authenticated systems, in this manner an authenticated system must act as communication intermediary for the unauthenticated computer system.
Following user authentication on the second computer DKB is accessible to the recovery application on the computer, allowing for the recovery of EDKA2.
EDKA2 may be manually entered into the first machine, from which DKA may be recovered through PRD.
Preferably, the PRD is randomly generated at the first computer each time a recovery code is required. An encrypted version of PRD would be communicated to the data repository which would decrypt it and then encode it with DKA and re-encrypt the result using a key for the second, authenticated, computer. In this manner, the version of DKA that eventually arrives for use in recovering the first computer will be dependent on PRD. This means that the recovery code will only work once and the next time a recovery code is requested, the first computer will generate a different PRD and only accept a version of DKA that has been encoded using the new PRD.

Claims

Claims
1. A password recovery system for recovering access to a first computer system, the password recovery system including a data repository storing data associated with the first computer system and a second computer system and/or their users, the data repository being arranged to accept authentication data from the first computer system or its user and verify the data in dependence on the stored data, wherein upon verification, the data repository is arranged to provide encrypted recovery data to said second computer system, the encrypted recovery data being decryptable by said second computer system, the recovery data including data for recovering access to said first computer system.
2. A system according to claim 1, wherein each of the first and second computer systems are protected using an encryption key, each computer system being arranged to encrypt the encryption key in dependence on a password of the user of the respective computer system and store the encrypted encryption key, the respective computer system being arranged to decrypt the encrypted encryption key upon authentication of the user via said password to allow access to said encryption key and to said computer system.
3. A system according to claim 2, further comprising a recovery application further comprising a recovery application on each of the first and second computer systems, the data repository storing the encryption key for each computer system encrypted in dependence on encryption data, the recovery application storing said encryption data for the respective computer system, wherein the recovery data for the first computer system comprises the respective computer system's encryption key encrypted in dependence on encryption data.
4. A system according to claim 3, wherein the encrypted recovery data comprises said recovery data further encrypted in dependence on the encryption key for the second computer system.
5. A system according to claim 3 or 4, wherein the encryption data comprises pseudo-random data.
6. A method of password recovery for one of a number of computer system comprising: storing, remotely of said computer systems, data associated with the number of* computer systems and/or their respective users; accepting a first request for password recovery for a first one of said number of computer systems from the user of said first computer system; verifying said first request in dependence on said stored data; accepting a second request for password recovery for the first computer systems from a second one of said number of computer systems; encrypting recovery data for the first computer system using stored data associated with said second computer system; communicating the encrypted recovery data to the second computer system; decrypting the encrypted recovery data at the second computer system; and, applying the recovery data to the first computer system to permit password recovery.
7. A method according to claim 6, further comprising: protecting said first and second computer systems using respective encryption keys; encrypting the respective encryption key at the respective computer system in dependence on a password of the user of the respective computer system; storing the encrypted encryption key in the respective computer system; and, decrypting the encrypted encryption key upon authentication of the user via said password to allow access to said encryption key and to said computer system.
8. A method according to claim 7, further comprising: storing, remotely of said computer systems, the encryption key for each computer system encrypted in dependence on encryption data; storing in each computer system the respective encryption data for the respective computer system, wherein the recovery data for the first computer system comprises the first computer system's encryption key encrypted in dependence on the first computer's encryption data.
9. A method according to claim 8, wherein the step of encrypting recovery data comprises further encrypting said recovery data in dependence on the encryption key for the second computer system.
10. A computer program comprising computer program code means for performing all of the steps of any of claims 6 to 9 when run on a computer.
11. A computer program as claimed in claim 10 embodied on a computer readable medium.
PCT/GB2004/004612 2003-10-29 2004-10-29 Password recovery system and method WO2005045550A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB0325252A GB0325252D0 (en) 2003-10-29 2003-10-29 Password recovery system and method
GB0325252.5 2003-10-29

Publications (2)

Publication Number Publication Date
WO2005045550A2 true WO2005045550A2 (en) 2005-05-19
WO2005045550A3 WO2005045550A3 (en) 2009-05-07

Family

ID=29725586

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2004/004612 WO2005045550A2 (en) 2003-10-29 2004-10-29 Password recovery system and method

Country Status (2)

Country Link
GB (1) GB0325252D0 (en)
WO (1) WO2005045550A2 (en)

Cited By (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008043009A1 (en) * 2006-10-04 2008-04-10 Microsoft Corporation Character position-based password recovery
EP2629227A1 (en) * 2012-02-15 2013-08-21 Research In Motion Limited Key management on device for perimeters
US8544084B2 (en) 2002-08-19 2013-09-24 Blackberry Limited System and method for secure control of resources of wireless mobile communication devices
USRE44746E1 (en) 2004-04-30 2014-02-04 Blackberry Limited System and method for handling data transfers
US8656016B1 (en) 2012-10-24 2014-02-18 Blackberry Limited Managing application execution and data access on a device
US8799227B2 (en) 2011-11-11 2014-08-05 Blackberry Limited Presenting metadata from multiple perimeters
US8856879B2 (en) 2009-05-14 2014-10-07 Microsoft Corporation Social authentication for account recovery
US8893219B2 (en) 2012-02-17 2014-11-18 Blackberry Limited Certificate management method based on connectivity and policy
US8898756B2 (en) 2012-11-21 2014-11-25 Applied Research Works, Inc. System and method for password recovery
US8931045B2 (en) 2012-02-16 2015-01-06 Blackberry Limited Method and apparatus for management of multiple grouped resources on device
US8972762B2 (en) 2012-07-11 2015-03-03 Blackberry Limited Computing devices and methods for resetting inactivity timers on computing devices
US9047451B2 (en) 2010-09-24 2015-06-02 Blackberry Limited Method and apparatus for differentiated access control
US9077622B2 (en) 2012-02-16 2015-07-07 Blackberry Limited Method and apparatus for automatic VPN login on interface selection
US9075955B2 (en) 2012-10-24 2015-07-07 Blackberry Limited Managing permission settings applied to applications
US9094194B2 (en) * 2006-04-18 2015-07-28 International Business Machines Corporation Method and system for automating the recovery of a credential store when a user has forgotten their password using a temporary key pair created based on a new password provided by the user
US9124431B2 (en) 2009-05-14 2015-09-01 Microsoft Technology Licensing, Llc Evidence-based dynamic scoring to limit guesses in knowledge-based authentication
US9137668B2 (en) 2004-02-26 2015-09-15 Blackberry Limited Computing device with environment aware features
US9147085B2 (en) 2010-09-24 2015-09-29 Blackberry Limited Method for establishing a plurality of modes of operation on a mobile device
US9161226B2 (en) 2011-10-17 2015-10-13 Blackberry Limited Associating services to perimeters
US9225727B2 (en) 2010-11-15 2015-12-29 Blackberry Limited Data source based application sandboxing
EP2919413A4 (en) * 2012-11-09 2016-01-06 Zte Corp Data security verification method and device
US9262604B2 (en) 2012-02-01 2016-02-16 Blackberry Limited Method and system for locking an electronic device
US9282099B2 (en) 2005-06-29 2016-03-08 Blackberry Limited System and method for privilege management and revocation
US9306948B2 (en) 2012-02-16 2016-04-05 Blackberry Limited Method and apparatus for separation of connection data by perimeter type
US9369466B2 (en) 2012-06-21 2016-06-14 Blackberry Limited Managing use of network resources
US9378394B2 (en) 2010-09-24 2016-06-28 Blackberry Limited Method and apparatus for differentiated access control
US9386451B2 (en) 2013-01-29 2016-07-05 Blackberry Limited Managing application access to certificates and keys
US9426145B2 (en) 2012-02-17 2016-08-23 Blackberry Limited Designation of classes for certificates and keys
US9497220B2 (en) 2011-10-17 2016-11-15 Blackberry Limited Dynamically generating perimeters
US9698975B2 (en) 2012-02-15 2017-07-04 Blackberry Limited Key management on device for perimeters
US9967055B2 (en) 2011-08-08 2018-05-08 Blackberry Limited System and method to increase link adaptation performance with multi-level feedback
US10848520B2 (en) 2011-11-10 2020-11-24 Blackberry Limited Managing access to resources
US11163862B2 (en) 2018-05-16 2021-11-02 International Business Machines Corporation Authentication of users based on snapshots thereof taken in corresponding acquisition conditions

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1059761A1 (en) * 1999-06-11 2000-12-13 International Computers Limited Cryptographic key, or other secret material, recovery
US6229894B1 (en) * 1997-07-14 2001-05-08 Entrust Technologies, Ltd. Method and apparatus for access to user-specific encryption information
US6360322B1 (en) * 1998-09-28 2002-03-19 Symantec Corporation Automatic recovery of forgotten passwords
US20030188201A1 (en) * 2002-03-28 2003-10-02 International Business Machines Corporation Method and system for securing access to passwords in a computing network environment

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6229894B1 (en) * 1997-07-14 2001-05-08 Entrust Technologies, Ltd. Method and apparatus for access to user-specific encryption information
US6360322B1 (en) * 1998-09-28 2002-03-19 Symantec Corporation Automatic recovery of forgotten passwords
EP1059761A1 (en) * 1999-06-11 2000-12-13 International Computers Limited Cryptographic key, or other secret material, recovery
US20030188201A1 (en) * 2002-03-28 2003-10-02 International Business Machines Corporation Method and system for securing access to passwords in a computing network environment

Cited By (58)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8893266B2 (en) 2002-08-19 2014-11-18 Blackberry Limited System and method for secure control of resources of wireless mobile communication devices
US9998466B2 (en) 2002-08-19 2018-06-12 Blackberry Limited System and method for secure control of resources of wireless mobile communication devices
US9391992B2 (en) 2002-08-19 2016-07-12 Blackberry Limited System and method for secure control of resources of wireless mobile communication devices
US8544084B2 (en) 2002-08-19 2013-09-24 Blackberry Limited System and method for secure control of resources of wireless mobile communication devices
US10015168B2 (en) 2002-08-19 2018-07-03 Blackberry Limited System and method for secure control of resources of wireless mobile communication devices
US10298584B2 (en) 2002-08-19 2019-05-21 Blackberry Limited System and method for secure control of resources of wireless mobile communication devices
US8661531B2 (en) 2002-08-19 2014-02-25 Blackberry Limited System and method for secure control of resources of wireless mobile communication devices
US10999282B2 (en) 2002-08-19 2021-05-04 Blackberry Limited System and method for secure control of resources of wireless mobile communication devices
US9137668B2 (en) 2004-02-26 2015-09-15 Blackberry Limited Computing device with environment aware features
USRE48679E1 (en) 2004-04-30 2021-08-10 Blackberry Limited System and method for handling data transfers
USRE46083E1 (en) 2004-04-30 2016-07-26 Blackberry Limited System and method for handling data transfers
USRE44746E1 (en) 2004-04-30 2014-02-04 Blackberry Limited System and method for handling data transfers
USRE49721E1 (en) 2004-04-30 2023-11-07 Blackberry Limited System and method for handling data transfers
US10515195B2 (en) 2005-06-29 2019-12-24 Blackberry Limited Privilege management and revocation
US9282099B2 (en) 2005-06-29 2016-03-08 Blackberry Limited System and method for privilege management and revocation
US9734308B2 (en) 2005-06-29 2017-08-15 Blackberry Limited Privilege management and revocation
US9094194B2 (en) * 2006-04-18 2015-07-28 International Business Machines Corporation Method and system for automating the recovery of a credential store when a user has forgotten their password using a temporary key pair created based on a new password provided by the user
US7831836B2 (en) 2006-10-04 2010-11-09 Microsoft Corporation Character position-based password recovery
WO2008043009A1 (en) * 2006-10-04 2008-04-10 Microsoft Corporation Character position-based password recovery
US10013728B2 (en) 2009-05-14 2018-07-03 Microsoft Technology Licensing, Llc Social authentication for account recovery
US9124431B2 (en) 2009-05-14 2015-09-01 Microsoft Technology Licensing, Llc Evidence-based dynamic scoring to limit guesses in knowledge-based authentication
US8856879B2 (en) 2009-05-14 2014-10-07 Microsoft Corporation Social authentication for account recovery
US9147085B2 (en) 2010-09-24 2015-09-29 Blackberry Limited Method for establishing a plurality of modes of operation on a mobile device
US9378394B2 (en) 2010-09-24 2016-06-28 Blackberry Limited Method and apparatus for differentiated access control
US10318764B2 (en) 2010-09-24 2019-06-11 Blackberry Limited Method and apparatus for differentiated access control
US9531731B2 (en) 2010-09-24 2016-12-27 Blackberry Limited Method for establishing a plurality of modes of operation on a mobile device
US9519765B2 (en) 2010-09-24 2016-12-13 Blackberry Limited Method and apparatus for differentiated access control
US9047451B2 (en) 2010-09-24 2015-06-02 Blackberry Limited Method and apparatus for differentiated access control
US9225727B2 (en) 2010-11-15 2015-12-29 Blackberry Limited Data source based application sandboxing
US9967055B2 (en) 2011-08-08 2018-05-08 Blackberry Limited System and method to increase link adaptation performance with multi-level feedback
US10735964B2 (en) 2011-10-17 2020-08-04 Blackberry Limited Associating services to perimeters
US9402184B2 (en) 2011-10-17 2016-07-26 Blackberry Limited Associating services to perimeters
US9497220B2 (en) 2011-10-17 2016-11-15 Blackberry Limited Dynamically generating perimeters
US9161226B2 (en) 2011-10-17 2015-10-13 Blackberry Limited Associating services to perimeters
US10848520B2 (en) 2011-11-10 2020-11-24 Blackberry Limited Managing access to resources
US8799227B2 (en) 2011-11-11 2014-08-05 Blackberry Limited Presenting metadata from multiple perimeters
US9720915B2 (en) 2011-11-11 2017-08-01 Blackberry Limited Presenting metadata from multiple perimeters
US9262604B2 (en) 2012-02-01 2016-02-16 Blackberry Limited Method and system for locking an electronic device
US9698975B2 (en) 2012-02-15 2017-07-04 Blackberry Limited Key management on device for perimeters
EP2629227A1 (en) * 2012-02-15 2013-08-21 Research In Motion Limited Key management on device for perimeters
US8931045B2 (en) 2012-02-16 2015-01-06 Blackberry Limited Method and apparatus for management of multiple grouped resources on device
US9306948B2 (en) 2012-02-16 2016-04-05 Blackberry Limited Method and apparatus for separation of connection data by perimeter type
US9077622B2 (en) 2012-02-16 2015-07-07 Blackberry Limited Method and apparatus for automatic VPN login on interface selection
US9294470B2 (en) 2012-02-17 2016-03-22 Blackberry Limited Certificate management method based on connectivity and policy
US9426145B2 (en) 2012-02-17 2016-08-23 Blackberry Limited Designation of classes for certificates and keys
US8893219B2 (en) 2012-02-17 2014-11-18 Blackberry Limited Certificate management method based on connectivity and policy
US9369466B2 (en) 2012-06-21 2016-06-14 Blackberry Limited Managing use of network resources
US11032283B2 (en) 2012-06-21 2021-06-08 Blackberry Limited Managing use of network resources
US8972762B2 (en) 2012-07-11 2015-03-03 Blackberry Limited Computing devices and methods for resetting inactivity timers on computing devices
US9075955B2 (en) 2012-10-24 2015-07-07 Blackberry Limited Managing permission settings applied to applications
US9065771B2 (en) 2012-10-24 2015-06-23 Blackberry Limited Managing application execution and data access on a device
US8656016B1 (en) 2012-10-24 2014-02-18 Blackberry Limited Managing application execution and data access on a device
EP2919413A4 (en) * 2012-11-09 2016-01-06 Zte Corp Data security verification method and device
US8898756B2 (en) 2012-11-21 2014-11-25 Applied Research Works, Inc. System and method for password recovery
US9940447B2 (en) 2013-01-29 2018-04-10 Blackberry Limited Managing application access to certificates and keys
US10460086B2 (en) 2013-01-29 2019-10-29 Blackberry Limited Managing application access to certificates and keys
US9386451B2 (en) 2013-01-29 2016-07-05 Blackberry Limited Managing application access to certificates and keys
US11163862B2 (en) 2018-05-16 2021-11-02 International Business Machines Corporation Authentication of users based on snapshots thereof taken in corresponding acquisition conditions

Also Published As

Publication number Publication date
GB0325252D0 (en) 2003-12-03
WO2005045550A3 (en) 2009-05-07

Similar Documents

Publication Publication Date Title
WO2005045550A2 (en) Password recovery system and method
JP4615601B2 (en) Computer security system and computer security method
EP0636259B1 (en) Cryptographic data security in a secured computer system
US7178025B2 (en) Access system utilizing multiple factor identification and authentication
US5425102A (en) Computer security apparatus with password hints
US5590199A (en) Electronic information network user authentication and authorization system
CN103561034B (en) A kind of secure file shared system
US6480958B1 (en) Single-use passwords for smart paper interfaces
US9246887B1 (en) Method and apparatus for securing confidential data for a user in a computer
EP2156354B1 (en) Method and system for preventing impersonation of a computer system user
US20100250937A1 (en) Method And System For Securely Caching Authentication Elements
US20040117636A1 (en) System, method and apparatus for secure two-tier backup and retrieval of authentication information
EP2339777A2 (en) Method of authenticating a user to use a system
JPH11212922A (en) Password management and recovery system
CA2251193A1 (en) Method and apparatus for encoding and recovering keys
US10623400B2 (en) Method and device for credential and data protection
JP2900869B2 (en) Database search system and database protection method
WO2018142291A1 (en) Identity verification
US11509649B2 (en) Exclusive self-escrow method and apparatus
US11316658B2 (en) System and method for securing a database by scrambling data
CN109284615B (en) Mobile equipment digital resource safety management method
TW201818288A (en) Key sharing system and method thereof wherein a mobile device is used as the key sharing system
JP2001268067A (en) Key recovery method and key management system
KR101386606B1 (en) Method for controlling backup storage
EP1946478B1 (en) Recovery of encrypted data from a secure storage device

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct application non-entry in european phase