Field of the Invention
The present invention generally relates to securely generating, storing, using, and distributing user passwords. More specifically, a secure CPU (Central Processing Unit) architecture provides a mechanism whereby a password can be securely generated and used in a protected CPU environment and cryptographically protected whenever it is outside the protected CPU environment, including during transit and during storage in a memory or other storage device.
Description of the Related Art
Since the 1970s, computer scientists have recognized the importance of providing strong cryptographic protection for the passwords that are used to access a computer system. In a paper published in the Communications of the ACM in 1979, for example, Robert Morris and Ken Thompson describe how Unix systems store only a one-way encrypted (hashed) form of each password and never store passwords “in the clear”. This approach has been used since the mid-1970s to provide strong protection for the passwords used on Unix-based systems.
But protecting the stored form does not protect the password at every point in its life: a password must still exist “in the clear” when the user types it and when it is transmitted, and at those points it can still be stolen by various means, e.g., by keystroke loggers or “memory scraping” malware that an adversary manages to install on a user's personal computer, or by a phishing or spear-phishing attack in which a user is tricked into entering credentials into a system controlled by an adversary.
One way of dealing with the problem of stolen passwords is to use a one-time password system. In a one-time password system, a password is valid for only a single login session and a different password is required for each subsequent login. Thus, if an adversary manages to capture the password that a user uses to log in to a system, the adversary will still not be able to gain access to the system by re-using that password.
But a one-time password system introduces an additional security challenge: both the user and the systems the user accesses require a continuous stream of one-time passwords, and both that stream and the information (such as a shared secret) used to generate it must be protected, since anyone who obtains the generating information can produce every future password in the stream.
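As an added illustration of the two points above (this is example code written for this page, not the mechanism of the present invention), the following Python implements counter-based one-time passwords as specified in RFC 4226 (HOTP) together with a verifier that advances its counter on every successful login, so that a password captured by a keystroke logger or phishing page is rejected when replayed. It also makes visible what must be protected: the verifier's shared secret and counter are exactly the "information used to generate the stream". The secret b"12345678901234567890" is the RFC 4226 test secret; the OtpServer class, its look-ahead window and the replay scenario are assumptions chosen for the demonstration.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an HOTP value (RFC 4226): HMAC-SHA1 over the 8-byte big-endian
    counter, dynamically truncated to a 31-bit integer, reduced mod 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


class OtpServer:
    """Verifier side of a counter-based one-time password scheme (assumed
    design for this example, not the patent's mechanism).

    The shared secret and the expected counter are the 'information used to
    generate the stream' that must be protected: anyone who obtains them can
    produce every future password.
    """

    def __init__(self, secret: bytes, window: int = 5):
        self._secret = secret      # must never leave protected storage
        self._counter = 0          # next counter value we expect
        self._window = window      # look-ahead to tolerate skipped values

    def verify(self, candidate: str) -> bool:
        """Accept a candidate only if it matches one of the next `window`
        counter values; consume that value so it can never be replayed."""
        for i in range(self._window):
            expected = hotp(self._secret, self._counter + i)
            if hmac.compare_digest(expected, candidate):
                # Advance past the value that was used so that it, and every
                # earlier value, is rejected from now on.
                self._counter += i + 1
                return True
        return False


def replay_demo() -> dict:
    """Show that a captured one-time password cannot be reused.

    Uses the RFC 4226 test secret; the 'captured' password is a constructed
    example of what a keystroke logger or phishing page might record.
    """
    secret = b"12345678901234567890"
    server = OtpServer(secret)
    token_counter = 0                         # the user's token starts at 0
    captured = hotp(secret, token_counter)    # attacker observes this login
    return {
        "legitimate_login": server.verify(captured),                         # True
        "attacker_replay": server.verify(captured),                          # False: already consumed
        "next_legitimate_login": server.verify(hotp(secret, token_counter + 1)),  # True
    }


if __name__ == "__main__":
    print(replay_demo())
```

The look-ahead window lets a user whose token has advanced a few steps (e.g., after generating codes that were never submitted) still log in, but any value at or below the last consumed counter is refused, which is what defeats replay. Note that the same property makes secrecy of `_secret` and integrity of `_counter` the whole security of the scheme.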