1. Statement of the Technical Field
The present invention relates to the security of confidential information, and more particularly to the security of a credential store with a lockbox.
2. Description of the Related Art
Security of confidential information remains a vital concern for any entity that stores sensitive information or transmits it across both secure and insecure networks alike. Many systems employ a credential store to identify and authenticate specific users of a system and control that specific user's access to certain applications, files and other sensitive data.
One way to secure confidential information, such as credential files, is through cryptography. The purpose of cryptography is to make data storage and transmission secure. Security is achieved by means of encryption, that is, converting a clear-text message (plain text) into a data stream that looks like a meaningless and random sequence of bits (cipher text). A cryptographic algorithm, also known as cipher, is a mathematical function that uses plain text as the input and produces cipher text as the output (and vice versa). All modern ciphers use keys together with plain text as the input to produce cipher text. A key is a value that works with a cryptographic algorithm to produce a specific cipher text. The same or a different key is supplied to the decryption function to recover plain text from cipher text.
There are a number of techniques used to encrypt and decrypt credential stores with passwords. The most common approach for symmetric encryption involves the one-way hashing of a known password (possibly with or without a “salt”). In general, hashing is the process of producing hash values for accessing data or for security. A hash value (or simply hash), also called a message digest, is a number of a fixed length that is generated from a string of text of arbitrary length. Typically, the hash is substantially smaller than the text itself. A “salted” hash can add greater security to a credential store by attaching a random value—the so called salt—to each password and only then computing the hash over the password and salt.
As mentioned above, credential store security and confidentially are normally provided through the use of cryptology, where an encryption key is derived from a password via a Password Based Key Derivation Function (PBKDF). In some environments, the same password is also used for other purposes, such as authentication to other services unrelated to the credential store, and a mechanism can be used to synchronize all of these disparate passwords with a single value.
Unfortunately, if a system administrator changes the “master” password and tells that password to the user, the user will be unable to access his credential store with the new password, since the credential store is still encrypted using a key derived from the old password. A common practice today is to prompt the user to enter the old password, but this level of user interaction is unacceptable in some environments.