WO2013097887A1 - A secure method for resetting authentication data lost or mislaid by a user back to their default values - Google Patents

A secure method for resetting authentication data lost or mislaid by a user back to their default values

Info

Publication number: WO2013097887A1
Authority: WO (WIPO, PCT)
Prior art keywords: ied, password, key, recovery, recovery password
Application number: PCT/EP2011/074106
Other languages: French (fr)
Inventor: Stephen Thompson
Original Assignee: Alstom Technology Ltd
Application filed by: Alstom Technology Ltd
Priority to: PCT/EP2011/074106
Publication: WO2013097887A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, using a predetermined code, e.g. password, passphrase or PIN
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04: INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S: SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00: Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20: Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Definitions

  • The recovery password will, on entry, result in the equipment resetting all passwords back to their default values (the values they had when the equipment was delivered), which are preserved by the equipment.
  • The recovery password does not change the current access level of the user; it is a special case that is recognised by the equipment on entry, after which the user passwords are reset.
  • Figure 1 illustrates an example of the sequence of events that take place in order for the user to request, obtain and use the recovery password.
  • Figure 2 illustrates the situation where, for whatever reason, there is a considerable delay between the user reading the recovery password key and entering the recovery password.
  • The actions of requesting and receiving the recovery password may occur before or after the validity timer expires and are not significant; only the period between first reading the key and the subsequent entry of the recovery password matters. Because the key is invalid at the time the recovery password is entered, the IED does not generate its own copy of the recovery password to compare against the entered password, and so the password entry fails.
  • Figure 3 illustrates the situation where the user re-reads the key from the IED.
  • The IED does not generate a new key, nor does it restart the validity timer; it merely displays the same key again.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

A method of resetting a user's passwords for accessing an intelligent electronic device (IED) back to their default values when the user has lost or mislaid the authentication data. The method generates a random key that is used to generate a unique, time-limited, use-limited and role-limited password.

Description

A SECURE METHOD FOR RESETTING AUTHENTICATION DATA LOST OR MISLAID BY A USER BACK TO THEIR DEFAULT VALUES
DESCRIPTION
TECHNICAL FIELD
The invention relates to the field of industrial process control, specifically authorisation mechanisms for substation monitoring equipment.
STATE OF THE PRIOR ART
Intelligent equipment designed to perform control and/or monitoring of industrial plants, such as substation installations, should be protected from unauthorised access by requiring a user to enter a password to gain access.
The password may be accompanied by a username, but this is not relevant here. The password is the important object, as it should be known only to the authorised user(s) and manager(s) who need access to the equipment (or, more specifically, to the system of the equipment) or who supervise its operation.
Intelligent equipment may, on delivery, have preset "default" passwords that should then be replaced with the customer's own choice of passwords during installation and commissioning. Alternatively the equipment may support facilities to allow a manager to add a new user and to assign a password at user creation time.
However, protecting substations and control equipment from unauthorised use by means of user-configured passwords has a drawback: occasionally a user may forget or mislay the configured passwords and thus render the equipment unmanageable.
Indeed, consider an intelligent electronic device (IED) that provides a number of access levels, say 4, each of which is accessed by means of entering an 8 character password into the IED, where each access level requires a different password, the lowest level allowing some read access whilst the highest level permitting full read and write access to all features. If the password for any one level is mislaid then the usual recovery means would be to use the highest access level to reset the mislaid password back to a known value. But what would happen if it is the highest level password that has been mislaid? There is no higher level that can be used to reset the password and the lower access levels do not permit modification of the higher level passwords.
This risk is ever present in an environment where the writing down of a password is discouraged and the access to the equipment is infrequent (and thus the use of the password is infrequent) preventing the "remembering" of the password through regular use.
Furthermore, certain equipment may not have individual users: effectively all users share the same access account, may have only a small number of passwords controlling different access levels, and may not support the concept of a supervisor password that would allow access to the equipment in such circumstances, so once the passwords have been forgotten, access to the equipment becomes impossible.
If we add the fact that good security practice dictates that passwords should be changed regularly, at intervals of not more than 12 months, the risk of losing all access to the equipment increases further.
For all these reasons, a means is needed to allow a user to regain access to the equipment whilst maintaining the security of the equipment.
Such a means is usually a "backdoor" password, unknown to the user but known to the equipment manufacturer, which allows the user to regain access and reset the configurable passwords.
A "backdoor" password may be a fixed value or may be linked to some property of the equipment - such as a serial number which itself is fixed and thus results in the "backdoor" password also being fixed.
This "backdoor" password may be supplied by the equipment provider to the user in situations where the main access password has been mislaid, or may be contained in documentation accompanying the equipment.
If the "backdoor" password is linked to the equipment via its serial number, then the user must supply the serial number to the vendor who then provides the relevant "backdoor" password to the user.
The relationship between the serial number and the "backdoor" password is one which is secret to the vendor and may be based on some hashing algorithm or transformation that creates the "backdoor" password from the serial number. However, the same serial number will always produce the same password.
In the end, the fact that the "backdoor" password is fixed is a vulnerability: once known, the "backdoor" password allows recurrent access to the equipment and cannot be changed or disabled. This is against best-practice policy, which requires passwords to be changed on a regular basis.
The presence of such a "backdoor" password is a vulnerability and may introduce a new risk whilst it is trying to mitigate the first risk.
Furthermore, besides the fact that the "backdoor" password is a fixed value that allows recurrent access to the equipment once known, a "backdoor" password is a risk for several other reasons.
Firstly, as a "backdoor" password is designed to allow a customer to be able to change other passwords without knowing what they are, then it is reasonable to expect that the level of access provided by the "backdoor" password is very high, possibly even higher than that given by the normal user passwords.
Secondly, once the user knows the "backdoor" password, he could continue using it even in normal operation instead of his usual passwords, depending on the access level of the "backdoor" password. This introduces the problem of accidental (or deliberate) modification of equipment state or data by the user through having more access (privilege) than he needs for his job function (role).
Thirdly, if the "backdoor" password is a "standard" one used by an equipment provider, then other identical equipment supplied by the same provider is also accessible to anyone who knows the "backdoor" password. Alternatively, if a "backdoor" password is tied to a specific piece of equipment through a property of the equipment, such as a serial number, and it is possible to guess the relationship between the serial number and the "backdoor" password, then other equipment from the same provider that uses the same scheme also becomes vulnerable.
For all these reasons, the provision of a "backdoor" password is becoming more and more unacceptable in plant-based equipment, and some industries are introducing guidelines and standards that positively forbid the presence of "backdoor" passwords.
There is therefore a need for a secure method of accessing a password protected device in case of lost or mislaid password, which obviates the need to use a fixed "backdoor" password.
SUMMARY OF THE INVENTION
Accordingly, the present invention advantageously provides a method of resetting back to their default values a user's passwords for accessing an intelligent electronic device (IED), the method comprising the steps of:
a) requesting a random recovery password key from the IED;
b) generating, by the IED, the random recovery password key and starting a key validity timer;
c) requesting a recovery password from an IED provider by submitting the random recovery password key and an identifier of the IED to said IED provider;
d) generating, by the IED provider, the recovery password by applying an algorithm (e.g. a hashing algorithm) to the random recovery password key and the identifier supplied to the IED provider;
e) submitting the recovery password to the IED;
f) verifying the state of the validity timer;
g) if the validity timer has expired, then invalidating the random recovery key and terminating the method; and
if the validity timer has not expired, then:
(i) generating, by the IED, a recovery password by applying an algorithm to the random recovery password key and the identifier of the IED, the algorithm being identical to the one used in step d);
(ii) comparing the recovery password submitted to the IED in step e) with the recovery password generated by the IED in step (i); and
(iii) if the submitted recovery password and the IED-generated recovery password match, then resetting, by the IED, the passwords back to their default values; otherwise (i.e. if the submitted recovery password and the IED-generated recovery password do not match), invalidating, by the IED, the random recovery password key, stopping the validity timer and terminating the method.
Compared with the use of a "backdoor" password in the prior art, the method according to the present invention has additional properties that prevent it from being a vulnerability once known, and it provides a secure and reliable means for access to be made available to the IED during certain necessary periods whilst preventing it from becoming a fixed, and therefore vulnerable, means of accessing the IED.
Such a method offers a secure means to recover from a situation where a customer has forgotten his password(s), but without any of the inherent risks associated with a fixed "backdoor" password. The recovery password obtained through the method of the present invention has three new properties that ensure that it does not have the same weaknesses and risks as the "backdoor" password:
- the recovery password will never be the same twice, as it is based on some variable or random feature inherent to the equipment that ensures that it is changed after every use;
- the recovery password is time-limited and use-limited: it is valid only for a certain period once known and permits only one login during that period. Once the time period and/or login limit has expired, the recovery password is invalidated;
- the recovery password has a precise and specific role, which is to allow the recovery of the normal user passwords. Access to other functions of the equipment is not part of the recovery password's authorisation level.
According to a first possible variant of the invention, step a) may comprise submitting a preset key to the IED.
According to another possible variant of the invention, step a) may comprise a read access of the IED performed by the user.
Advantageously, generating the random recovery password key in step b) may be done by using a random or pseudo-random function, a time-based mechanism or an event counter.
Advantageously, step b) may further include displaying, by the IED, the random recovery password key to the user.
Advantageously, the method may further comprise, between step d) and step e), supplying, by the IED provider, the IED-provider-generated recovery password to the user.
The same random recovery key may be submitted more than once to the IED if the time-limit has not expired.
However, in a possible variant of the method according to the invention, it is also possible to limit the possibility of submitting the key to only one try. In that case, if the same random recovery key is submitted more than once to the IED while the validity timer has not expired, the IED resets the recovery password and invalidates the random recovery key. The recovery password key is thus a one-time key.
Advantageously, the IED identifier may comprise a serial number of the IED.
Advantageously, the IED provider may be a vendor of the IED, a manufacturer of the IED or a manager of the IED.
These and other advantages of the method according to the invention will be made more evident by reference to the figures.
BRIEF DESCRIPTION OF THE FIGURES
A more complete appreciation of the invention and many of the attendant advantages will become apparent with reference to the following detailed description, particularly when considered in conjunction with the accompanying drawings, in which:
Figure 1 is a process diagram showing the steps for the normal recovery password acquisition and use;
Figure 2 is a process diagram showing the steps for the recovery password use after validity timeout ;
Figure 3 is a process diagram showing the steps for the normal recovery password acquisition and use in case of key re-read and when there is no login limit.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS OF THE INVENTION
Variable Password Principle
The variable attribute of the password is based on a "key" that the IED itself generates. Every time the key changes, the password will change too.
This mechanism is further supplemented by using an algorithm that creates a password from the key and an IED identifier (for example the IED serial number), such that the relationship between the password, on the one hand, and the key and the serial number, on the other hand, cannot easily be derived.
The "key", together with the IED identifier, ensures that the recovery password is both secure and unique to the equipment for which it applies. Moreover, in order for the user to obtain the recovery password, he must supply both the IED identifier and the key to the provider (for example, a vendor, a manufacturer or a manager).
Key generation
The key for the recovery password ("recovery password key") is generated by the equipment on user request.
For instance, the key may be generated when the user first reads the invalidated recovery password key (i.e. the previous valid recovery password that has been invalidated during the operation of the resetting method) , but any other method appropriate to the equipment may be used to generate such a key, e.g. pseudo-random function, time-based mechanism or even a simple event counter.
The access to the invalidated recovery password key should not require a password to be entered as it should always be available for reading.
Advantageously, the access to the invalidated key is only possible through the physical user interface of the equipment and not through any serial or network based communications interfaces.
The length of the key should be appropriate to the capability of the equipment. Typically a key of 16 characters should provide sufficient variability to minimise the incidence of the same password being generated from more than one key.
The key could be any 16 characters from the full ASCII character set, but limitations of the equipment display may make it impractical to display every possible ASCII character. Confusion over upper and lower case letters may also be a hindrance. In that case, the generated key may contain only upper case letters, which makes it easier for the user to convey the key to the provider and avoids any confusion over misread letters or poorly displayed non-alphanumeric characters.
Key validity
Once the key has been generated, it remains valid until any one of a number of events occur:
- the time-limit for key validity expires. A timer is started when the key is first generated which limits how long the key (and hence the password) is valid for. The timer can be any period but is typically of the order of hours or days: this is to provide sufficient time for the user to contact the provider, for the provider to perform the operations to generate the recovery password from the supplied key and identifier, and then to provide the password to the user. All of these activities may take some hours depending on calendar and geographical considerations.
Once the timer has elapsed and the recovery password has not been entered, the key is invalidated.
- the password that is based on the current valid recovery password key is entered by the user before the end of the time-limit.
Because the key is only intended to permit a one-time password use, it becomes invalid once the password is actually used.
- as most equipments are power-cycled, they will not have functionality to maintain the expiry timer over a power-cycle and so a power-cycle event is treated as though the timer had expired and the key is invalidated on power-up.
If the key is invalidated then a new key is generated on the next request of a random recovery password key to the IED, for example on the next read access performed by the user.
Password Generation
The recovery password is generated by an algorithm that performs a transformation on the identifier (e.g. serial number) and the recovery password key, ideally one that ensures that no two keys produce the same password.
The algorithm may be a hashing algorithm. It exists in executable form with the provider, so that the recovery password can be generated when a user requests it, and also in executable form within the IED, so that the IED can generate the same password and compare it against the one entered. The generated password is composed of any characters supported by the equipment's password scheme: if the scheme supports upper and lower case letters plus digits, the recovery password should be expected to contain an apparently random mix of upper and lower case letters and some digits.
Recovery key role
The reason for having to use the recovery password is to recover from a situation where the user's own passwords (or the highest level one anyway) have been forgotten or mislaid. Therefore, the role that the recovery password should have is to allow the reset of the passwords back to some known value and no more!
Accordingly, entry of the recovery password causes the equipment to reset all passwords back to their default values (the values they had when the equipment was delivered), which the equipment preserves. The recovery password does not change the current access level of the user; it is a special case which the equipment recognises on entry, whereupon the user passwords are reset.
As described earlier, entry of the recovery password invalidates the key, so it will not be possible to use the same recovery password again at a later date.
Operation
Figure 1 illustrates an example of the sequence of events that take place in order for the user to request, obtain and use the recovery password.
This is the normally expected sequence of events in which the user reads the recovery password key from the IED, supplies it and the IED serial number to the vendor, the vendor returns the recovery password that is generated by that key/serial number combination and finally the user enters the password to cause the IED to reset the stored passwords.
Figure 2 illustrates the situation where, for whatever reason, there is considerable delay between the user reading the recovery password key and entering the recovery password. Whether the actions of requesting and receiving the recovery password occur before or after the validity timer expires is not significant; only the period between first reading the key and subsequently entering the recovery password matters. Because the key is invalid at the time the recovery password is entered, the IED does not generate its own copy of the recovery password to compare against the entered password, and so the password entry fails.
Figure 3 illustrates the situation where the user re-reads the key from the IED. In this case, because the key is still valid, having been newly generated on the previous read, the IED neither generates a new key nor restarts the validity timer. It merely displays the same key again.
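The following is an added example, written for this page and not taken from the patent or from any Alstom product, that puts the Password Generation and Operation sections and the steps of claim 1 together in runnable Python: key issue with the validity timer, provider-side password generation, the IED-side comparison, and the three invalidation events (timer expiry, one-time use and power cycle). Everything not stated on the page is an assumption: the shared algorithm is HMAC-SHA256 keyed with a provider secret that the IED also holds (the page only says the algorithm "may be a hashing algorithm"), the password is 12 characters long, the timer defaults to 48 hours, and the default passwords, serial numbers and provider secret are constructed for the example.

```python
# Added example of the recovery-key / recovery-password scheme described on this page.
# It is not the patent's or Alstom's code. Assumptions not stated on the page: the shared
# "algorithm" is HMAC-SHA256 keyed with a provider secret; passwords are 12 characters;
# the default passwords below are constructed.
import hmac
import hashlib
import secrets
import string
import time
from typing import Callable, Dict, Optional

KEY_ALPHABET = string.ascii_uppercase            # upper case only, easy to read out by phone
KEY_LENGTH = 16                                  # "typically a key of 16 characters"
PASSWORD_ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 12                             # assumption
DEFAULT_PASSWORDS: Dict[str, str] = {"operator": "0000", "engineer": "AAAA"}  # constructed


def generate_recovery_key() -> str:
    """Random 16-character upper-case key (the page also allows a counter or time-based key)."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(KEY_LENGTH))


def derive_recovery_password(serial: str, key: str, provider_secret: bytes) -> str:
    """The transformation run identically by the provider and by the IED.

    Key and serial number are both readable on the IED front panel, so an unkeyed hash
    would let anyone who reads them compute the password. HMAC with a secret held by
    the provider and stored in the IED is the assumption used here.
    """
    msg = serial.encode() + b"\x00" + key.encode()      # separator keeps serial/key unambiguous
    digest = hmac.new(provider_secret, msg, hashlib.sha256).digest()
    # Map digest bytes onto the characters the IED password scheme supports. The slight
    # modulo bias does not matter: the strength comes from the MAC, and nobody memorises it.
    return "".join(PASSWORD_ALPHABET[b % len(PASSWORD_ALPHABET)]
                   for b in digest[:PASSWORD_LENGTH])


def provider_issue_password(serial: str, key: str, provider_secret: bytes) -> str:
    """Provider side (claim 1, step d): check what the user read out, then derive."""
    if len(key) != KEY_LENGTH or any(c not in KEY_ALPHABET for c in key):
        raise ValueError("recovery key must be %d upper-case letters" % KEY_LENGTH)
    return derive_recovery_password(serial, key, provider_secret)


class IED:
    """IED side: key issue, validity timer, one-time password check and reset."""

    def __init__(self, serial: str, provider_secret: bytes,
                 validity_seconds: float = 48 * 3600,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.serial = serial
        self._secret = provider_secret
        self._validity = validity_seconds
        self._clock = clock                      # injectable so the timer can be tested
        self.passwords: Dict[str, str] = dict(DEFAULT_PASSWORDS)
        self._key: Optional[str] = None
        self._issued_at = 0.0

    def _key_expired(self) -> bool:
        return self._clock() - self._issued_at > self._validity

    def _invalidate_key(self) -> None:
        self._key = None

    def read_recovery_key(self) -> str:
        """Front-panel read; needs no password. A still-valid key is shown again
        unchanged and its timer is not restarted (Figure 3)."""
        if self._key is None or self._key_expired():
            self._key = generate_recovery_key()  # claim 1, step b: new key, timer starts
            self._issued_at = self._clock()
        return self._key

    def power_cycle(self) -> None:
        """The timer is not kept across a power cycle, so the key is dropped at power-up."""
        self._invalidate_key()

    def submit_recovery_password(self, candidate: str) -> bool:
        """Claim 1, steps f) and g). Returns True if the passwords were reset."""
        if self._key is None:
            return False                          # no key outstanding
        if self._key_expired():
            self._invalidate_key()                # Figure 2: entered too late
            return False
        expected = derive_recovery_password(self.serial, self._key, self._secret)
        matched = hmac.compare_digest(expected.encode(), candidate.encode())
        self._invalidate_key()     # one-time use: any attempt, right or wrong, consumes the key
        if matched:
            self.passwords = dict(DEFAULT_PASSWORDS)   # back to the delivery values
        return matched
```

Two design points follow from the page's own rules. Because the key and the serial number are both readable at the front panel, an unkeyed hash would let anyone who reads them compute the password; that is why the example keys the hash with a secret, which in turn has to be protected inside the IED. And because the key is consumed by any entry attempt, a mistyped password sends the legitimate user back to the provider, but it also limits someone at the front panel to one guess per provider round-trip.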

Claims

1. A method of resetting back to their default values a user's passwords for accessing an intelligent electronic device (IED), the method comprising the steps of:
a) requesting a random recovery password key to the IED;
b) generating, by the IED, the random recovery password key and starting a key validity timer;
c) requesting a recovery password to an IED provider by submitting the random recovery password key and an identifier of the IED to said IED provider;
d) generating, by the IED provider, the recovery password by applying an algorithm to the random recovery password key and the identifier supplied to the IED provider;
e) submitting the recovery password to the IED;
f) verifying the state of the validity timer;
g) if the validity timer has expired, then invalidating the random recovery key and terminating the method; and
if the validity timer has not expired, then:
(i) generating, by the IED, a recovery password by applying an algorithm to the random recovery password key and the identifier of the IED, the algorithm being identical to the one used in step d) ;
(ii) comparing the IED submitted recovery password of step e) and the IED generated recovery password of step (i); and
(iii) if the IED submitted recovery password and the IED generated recovery password match, then resetting, by the IED, passwords back to their default values; and
else, invalidating, by the IED, the random recovery password key, stopping the validity timer and terminating the method.
2. The method of claim 1, wherein step a) comprises submitting a pre-set key to the IED.
3. The method of claim 1, wherein step a) comprises a read access of the IED performed by the user.
4. The method of claim 1, wherein generating the random recovery password key in step b) is done by using a random or pseudo-random function, a time-based mechanism or an event counter.
5. The method of claim 1, wherein step b) further includes displaying, by the IED, the random recovery password key to the user.
6. The method of claim 1, further comprising, between step d) and step e) , supplying, by the IED provider, the IED provider generated recovery password to the user.
7. The method of claim 1, wherein, if the same random recovery key is submitted more than once to the IED and the validity timer has not expired, then the IED resets recovery password and invalidates the random recovery key.
8. The method of claim 1, wherein the IED identifier comprises a serial number of the IED.
9. The method of claim 1, wherein the IED provider is a vendor of the IED, a manufacturer of the IED or a manager of the IED.
Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2011/074106 WO2013097887A1 (en) 2011-12-27 2011-12-27 A secure method for resetting authentication data lost or mislaid by a user back to their default values

Publications (1)

Publication Number Publication Date
WO2013097887A1 true WO2013097887A1 (en) 2013-07-04

Family

ID=45470547

Country Status (1)

Country Link
WO (1) WO2013097887A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030061520A1 (en) * 2001-09-21 2003-03-27 Zellers Mark H. Method and system to securely change a password in a distributed computing system
US6871286B1 (en) * 1999-07-29 2005-03-22 Hewlett-Packard Development Company, L.P. Method and apparatus for resetting passwords in a computer system
US20050175201A1 (en) * 2004-02-06 2005-08-11 Herman Barry S. Secure key reset using encryption

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10154026B2 (en) 2013-10-15 2018-12-11 Microsoft Technology Licensing, Llc Secure remote modification of device credentials using device-generated credentials
WO2015177656A1 (en) * 2014-05-19 2015-11-26 Abb Technology Ltd. Method for allowing a configuration change of an intelligent electronic device of a power system
CN106796256A (en) * 2014-05-19 2017-05-31 Abb瑞士股份有限公司 Method for allowing the configuration change of the intelligent electronic device of power system
US10366225B2 (en) 2014-05-19 2019-07-30 Abb Schweiz Ag Method for allowing a configuration change of an intelligent electronic device of a power system
CN106796256B (en) * 2014-05-19 2020-02-21 Abb瑞士股份有限公司 Method for allowing configuration change of intelligent electronic device of power system

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (ref document number: 11807696; country of ref document: EP; kind code of ref document: A1)
NENP Non-entry into the national phase (ref country code: DE)
122 Ep: pct application non-entry in european phase (ref document number: 11807696; country of ref document: EP; kind code of ref document: A1)