An aspect of the invention relates generally to a method for a cross system secure logon in a target system and to a secure logon system.
An aspect of the invention relates further to an operating system, a computer system, a data processing program, and a computer program product.
Many systems require a logon or login procedure before granting access to the system or applications running on the system. One example of a common logon procedure may require a user input, i.e. a password, which may be transferred by a hash function into a hash key. The hash key may then be compared with the hash key of the correct password, which might have been stored by the system or application. If the generated hash key matches the stored hash key, the user may be logged on, i.e. access may be granted. Otherwise the logon fails and the access may be rejected.
US 2002/0087890 A1, incorporated herein by reference in its entirety, discloses a method including receiving input data. The method also includes determining if a salt value exists, and generating a salt value and storing the salt value in a table entry if the salt value does not exist. The method further provides for retrieving the salt value from the table entry if the salt value exists and generating a hash from the salt value and the input data. The method also provides for generating a password from the hash and returning the password to an application to gain entry to the application.
US 2008/0120504 A1, incorporated herein by reference in its entirety, discloses a system and method for authenticating a client device by an authentication device. The client device user is assigned a personal identification number (PIN) generated by the authentication device. The user provides the PIN and a password to the client device from which the client device generates a symmetric key and further generates a public/private key pair. The private key is encrypted using the symmetric key and stored in encrypted form only. The public key and a message authentication code, generated from the PIN are provided to the authentication device, which stores the public key. Subsequently, when the user seeks to be authenticated, the user enters a password at the client device, which is used to generate a symmetric key to decrypt the encrypted private key. A message to the authentication device is signed using the resultant value. The authentication device uses the public key to verify the signature of the message.
Standard logon procedures are considered confident because the used hash functions may be irreversible in the sense that neither a formula nor an algorithm exists to calculate the argument of the hash function (password) from the hash key. However, an attacker can use exhaustive search techniques to find the correct password. Thus, either he probes possible passwords against the logon procedure or—if the attacker knows the hash key—he applies the hash function to possible passwords and compares the result with the hash key. The amount of valid passwords is huge and it might be usually impossible to probe all sequences of characters that form a valid password. However, in reality most users assign a password that has some special characteristics like limited in length, a real language word or a slight modification of it. Based on this observation, an attacker can build a dictionary containing some million words that are likely to be used as a password and probe only those words. One further issue is that many users use the same password for multiple systems and applications. That means that, if an attacker knows the plain text password, he may try to use the password to logon to a system or an application other than that he has hacked, and very likely he may be successful. Thus, the weakest system may govern the safety of many systems.
Thus, there may be a need for an improved method for a secure logon in a target system.