IT202000029357A1 - METHOD, SYSTEM, DEVICE AND USE FOR THE PROTECTION OF A USER ACCOUNT WITH A VARIABLE PASSWORD FOR EACH ACCOUNT BUT IMMUTABLE FOR THE USER - Google Patents

Description

METHOD, SYSTEM, DEVICE AND USE FOR THE PROTECTION OF A USER ACCOUNT WITH A VARIABLE PASSWORD FOR EACH ACCOUNT BUT IMMUTABLE FOR THE USER

Technical sector

The invention generally relates to a system and method for protecting a user account, and more specifically to the generation and conservation of random passwords, variable for each type of application and/or system but immutable for the user, so that the same password is easy to remember and difficult to guess.

In a computer system, access to resources reserved for a specific user requires preliminary security measures such as the identification and authentication of the user himself who connects to the system to use these resources. Only once the? User ? been identified and authenticated, ? You can authorize a user to use system resources.

Generally within computer systems, the user's identifier, called ?username? or ?username?, allows to identify but not to guarantee that whoever connects has the right to use it. Username not ? un?confidential information, even if not always ? publish. Often ? the person's name; today ? frequently the e-mail address or similar information. To authenticate a person or a system ? You need to use a procedure called authentication that relies on three distinct types of secret or unique information: something you know, such as your password; something you?: a biometric feature; something you have: a key or other characteristic object. The use of all three types of information for authentication? well known in everyday life, especially the case of the ?password?, a secret that is known only to that person or to the system which, in addition to the ?username?, allows to identify and authenticate whoever wants to connect to a specific resource of the computer system.

State of art

The security of password authentication relies on the fact that it must be known only to the user: the ideal scenario? that of a person who keeps the password in mind, does not communicate it to anyone nor? he writes it on any medium, both paper and electronic. At the same time, the password, to be easily usable and secure, should meet two requirements: it should be easy to remember and difficult to guess.

Unfortunately, as we well know, this theoretical model does not work in practice for many reasons. The first ? that we are not very good at creating passwords that are difficult to guess, on the contrary from periodic statistics it appears that passwords such as ?12345?, ?qwerty?, password=username, etc. are always used a lot. This is also why? c?? a clear dichotomy between ?easy to remember? and ?difficult to guess?: normally there? that ? easy to remember ? also easy to guess!

To this ? necessary to add the practical problem of managing a high number of credentials: Today each of us must remember dozens of credentials, used in both personal and professional fields. An easy fix? use the same password for all users, but this involves the serious risk that, once the password of a user has been stolen, an attacker can access all the users used by the same person, both in the workplace and in private. To combat the tendency to use the same password in multiple accounts, ? It is common policy to force periodic password changes and require a certain complexity, i.e. minimum length and presence of letters, numbers, punctuation characters, etc. The situation ? worsened to such an extent that, for any user, password management ? practically the opposite of what it should be; passwords often turn out to be: hard to remember and easy for an attacker to guess! All of this also led NIST in 2017 to revise its credential management guidelines, removing the periodic password change requirement and updating the complexity requirement.

In order to improve password management, the aim is to reduce the number of credentials that each person has to manage and make them more efficient. simple password management. In the corporate environment, in fact, there are solutions that allow you to integrate all corporate applications into a single corporate authentication domain (for example managed with an LDAP server, Microsoft Active Directory, etc.) and/or extend Single-Sign-On (SSO) to all (or almost all) applications and/or add, for administrative users or for accessing applications with particular security requirements, an additional authentication factor Multi Factor Authentication ? MFA/2FA.

Among the multi-factor authentication systems, the most? used are those based on biometrics, such as fingerprints, public-private key systems, systems based on OTP codes, authentications based on ?App Authenticator?. Lately ? A new model called ?Security Keys? has been standardized. These last solutions mentioned above are based on the authentication system on ?something that is ?? and on ?something you have?. Despite the? biometric authentication could be more? comfortable and functional in a multi-factor system, ? it is also important to note that when, for example, the user logs in to the device, for example the smartphone, he does not log in to remote services but actually logs in locally to the device and if the result is ? positive (i.e. unlocks the phone with the fingerprint) transfers it to the app which in turn transmits the message remotely. Therefore, in this case the remote authentication takes place with ?something you have?, i.e. the smartphone and the addition of the fingerprint? only the certainty that the smartphone? in the possession of the legitimate owner associated with the user remotely. Again, the impact on privacy could be devastating and is? for this reason the biometric data are collected and maintained by special hardware components on the user's device and are not managed by a central system. From this example it is further evident that if you do not ? having the authentication system based on the paradigm with ?something you have? what can? be for example a smartphone, an OTP token or other, there could be limitations or even the lack of access to some services due to the fact that you do not? in possession at that moment of? the object in question, or just because? for example the battery of the smartphone? download or why? ? The OTP token has been lost. It seems evident that basing services only on this authentication factor could be inconvenient and lead to unavailability problems? of services. The new standard ?Security Keys? introduces greater security and fills some gaps but always provides that the user must bring with him? the device.

Remaining on the subject of ?something that is known?, ? known that the management of personal passwords, including those that a person uses for corporate computer systems, ? definitely more complex. Applications for credential management, Password Wallets or Password Managers, even online, have been on the market for years. These tools are very useful and basically allow you to manage a large number of credentials by remembering only one, the one to access the Password Manager itself. This could simplify management even though they are not very practical to use, but inevitably in fact they present a large vulnerability? for security, in fact if we consider that the master password for access to the wallet ? easy to guess and is compromised or stolen inevitably you have access to all other passwords and therefore to the various services associated with the various accounts.

Another known solution that is spreading above all in the context of services provided by the Public Administration? the one based on Federated Identity Management (FIM), which allows an organization ? l?Identity Provider ? to register, identify and authenticate users by ensuring that this authentication is also recognized as valid by other organizations. Does the Identity Provider guarantee other organizations the identity? and the validity? authentication of the user so that no further registration and authentication is required. Indeed, the Identity Provider proves to the Federated web service that the authentication ? valid by sending recognized cryptographic tokens. There are a few cryptographic protocols that allow you to do this, including SAML, OpenID, Oauth, WS-Federation, etc. For example, in Italy, the Public Identity System? Digital (SPID) is based on the SAMLv2 protocol. Note how Federated access typically covers the user?s identification and authentication phases, while authorization remains the responsibility of each organization and application. Federation between organizations therefore makes it possible to standardize and simplify access to web services, reducing the number of credentials that the end user has to manage. goes for? also taking into account another important aspect, which concerns user privacy: an Identity Provider tracks the accesses of its users to all Federated organizations and applications, and ? therefore important that this information, which could lead to a monitoring of the activities? of people, are managed in full respect of privacy.

The question ?US10805284B2 Federated login for password vault? proposes a solution for password management in a federation context. Another solution is based on the concept of changing the password when the system detects a non-fraudulent access ?US2020210565A1 system and method of changing the password of an account record under a threat of unlawful access to user data.

Another solution ?US10042999B2 Methods and apparatus to manage password security? instead, it proposes to measure the robustness or risk and then notify the user that it is not? safe.

In the use of the authentication system based on ?something you know? the main problem ? that of having secrets that are easy to remember and difficult to guess, possibly considering that each secret associated with each user?s account is different.

The ?CN111294201A Password memory? provides a device, based similarly to the standard OTP (One time password), which allows you to generate secure passwords in mode? random and when they need to ask for them without posing the problem for people to remember them.

The object of the present invention generally relates to a system and a method for protecting a user's account, and more? specifically to the generation and storage of random passwords, variable for each type of application but immutable for the user, so that the same password is easy to remember and impossible to guess.

?TPM? Trusted Platform Module (TPM) technology ? designed to provide hardware-based security-related functions. A TPM chip? a secure cryptoprocessor designed to perform cryptographic operations. Does the chip include more? physical security mechanisms to make it resistant to tampering and malicious software is not ? capable of tampering with the security features of the TPM. Some of the key benefits of using TPM technology are as follows: Generate, store, and limit the use of cryptographic keys; Uses TPM technology for platform device authentication using the TPM's unique RSA key, which is burned to itself; Do you help ensure the integrity? of the platform by detecting and archiving the security measurements. The most TPM functions? common are used for the measurements of the integrity? of the system and for the creation and use of keys. During the boot process of a system, loaded boot code (including firmware and operating system components) can be measured and recorded in the TPM. Integrity measurements? can be used as evidence that a system has booted and to ensure that a TPM-based key has only been used when ? The correct software was used to boot the system. TPM-based keys can be configured in several ways. One option is to make a TPM-based key unavailable outside the TPM. This ? useful for mitigating phishing attacks why? prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If there are too many incorrect authorization guesses, the TPM will activate? the logic of attack of the dictionary and will prevent? further hypotheses of authorization value.

?ARM? ? a family of reduced instruction set computing (RISC) architectures for computer processors, configured for various environments. Arm Holdings develops the architecture and licenses it to other companies, who design their own products that implement one of those architectures, including systems on chips (SoCs) and systems on modules (SoMs) that incorporate memory, interfaces, radios , etc. It also designs cores that implement this instruction set and licenses these designs to a number of companies that incorporate these core designs into their own products.

?SoC? A system on a chip (SoC) ? an integrated circuit (also known as a "chip") that integrates all or most of the components of a computer or other electronic system.

These components almost always include a drive? of central processing unit (CPU), memory, input/output ports and secondary memory, all on a single substrate or microchip, about the size of a coin. Can? contain digital, analog, mixed-signal, and often radio frequency signal processing functions (otherwise it is considered just an application processor).

?Salt? In cryptography, a salt ? a random piece of data used as additional input to a one-way function that hashes the data, a password, or passphrase. Salts are used to safeguard passwords in storage. Historically a password was stored as clear text on a system, but over time additional safeguards have been developed to protect a user's password against being read by the system. A salt? one of those methods. A new salt is generated randomly for each password. In a typical setup, the salt and the password (or its version after key extension) are concatenated and processed with a cryptographic hash function, and the output hash value (but not the original password) is stored with the salt in a database. Hashing allows for subsequent authentication without retaining and thereby risking exposure of the plaintext password in the event that the authentication data store is compromised.

?hash? A hash function? any non-invertible function commonly called one-way that can? be used to map data of arbitrary size to values of fixed size. The values returned by a hash function are called hash values, hash codes, digests, or simply hashes. Hash functions and associated hash tables are used in data storage and retrieval applications to access data in a nearly constant and low time per retrieval and storage space ? only slightly more than the total space required for the data or records themselves. The hashing ? a computationally and storage-efficient form of data access that avoids the nonlinear access time of ordered and unordered lists and structured trees, and the often exponential storage requirements of direct access to key state spaces large or variable in length.

?Phishing? fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising itself as an entity reliable in an electronic communication. Typically done through email spoofing, instant messaging, and text messaging, phishing often directs users to enter personal information into a fake website that matches the look and feel of the legitimate site. Phishing ? an example of social engineering techniques used to trick users. Users are attracted to communications that purport to come from trusted parties such as social websites, auction sites, banks, colleagues/executives, online payment processors or IT administrators.

?URI? In computer science, the Uniform Resource Identifier (acronym URI) ? a sequence of characters that universally and uniquely identifies a resource. Examples of URIs are: a web address (URL), a document, an image, a file, a service, an e-mail address, the ISBN of a book, a telephone number.

?User agent? In computer science a user agent ? an application installed on a user's computer that connects to a server process. Examples of user agents are web browsers, media players, and client programs (Mail User Agents) such as Outlook, Eudora, Thunderbird, Pine, and Elm. Today's deadline? used primarily to refer to clients accessing the World Wide Web. In addition to browsers, web user agents can include search engine crawlers, mobile phones, screen readers, and braille browsers used by blind people. When Internet users visit a website, a string of text ? usually sent to identify the user agent to the server. This is part of the HTTP request, prefixed with "Useragent:" or "User-Agent:" and typically includes information such as client application name, version, operating system, and language. Bots also often include the owner's web address and email so that the site administrator can contact him. The user agent string ? one of the criteria by which some bots can be excluded from some pages using the robots.txt file. This allows webmasters, who feel that parts of their site (or all of their site) shouldn't be included in the data collected by a particular bot or that particular bot is using too much bandwidth, to block access to pages.

?Password Manager? A password manager ? a computer program that allows users to store, generate and manage their personal passwords for online services. A password manager helps generate and recover strong passwords, potentially by storing those passwords in an encrypted database or calculating them on demand. Types of password managers include: locally installed software applications, online services accessed via website portals, locally accessed hardware devices that act as keys. Depending on the type of password manager used and the features? offered by its developers, the encrypted database is stored locally on the user's device or remotely stored via an online file hosting service. Password managers typically require a user to generate and remember a "master" password to unlock and access any information stored in their databases. Many password management applications offer functionality? additional that improve both the comfort? that security, such as the storage of credit card and frequent flyer information, and features? autofill.

DESCRIPTION

In one embodiment of the present invention, ? provided a method for protecting a user account with a variable password for each account but immutable for the user. The method ? performed by at least one computer and loaded into a RAM type memory, which for the creation of each account includes the following phases:

? automatic generation of a random password string using an automatic random password algorithm;

? automatic generation of a random salt string using an automatic random hash algorithm;

? manual entry by a user of an immutable password that is easy to remember;

? the concatenation of the immutable password with said random password and with said salt;

? the association of said concatenation with a specific username of a specific account.

In one embodiment of the method, the algorithms for generating random passwords and salts include the implementation of cryptographic hashing functions.

In one embodiment of the method, the generation of the salt involves the concatenation of multiple? cascading cryptographic hash functions.

In one embodiment of the method, the generation of the salt, possibly concatenated, comprises the implementation of the algorithm SHA 256 and SHA 384 and/or SHA 384 and SHA 512.

In one embodiment of the method, entering the user password comprises entering at least four types of characters, wherein at least one character ? uppercase type, at least one ? of lowercase type, at least one ? a special character, at least one ? a number and that the generation of the automatic random password string includes the definition of the minimum length and the maximum length, preferably from 50 to 100 and the selection of the type of character preferably between uppercase and lowercase letters, special characters and numbers and that the generation of the random salt string includes the selection of the minimum length and the maximum length preferably from 50 to 100 and the selection of the character type preferably between uppercase and lowercase letters, special characters and numbers.

In one embodiment of the method, the concatenation comprises the transposition of the characters of the user password according to a predefined sequence between the characters of the random password and/or the random salt and/or the transposition of the characters of the salt according to a predefined sequence between the characters of the random password and that possibly said sequence includes the dynamic definition of the transposition of a hundred number of characters according to the input received from the user in the phase of inserting the user password and more? precisely the reception of the number in correspondence with the insertion of the character type number.

In one embodiment of the method, for defining the transposition of a hundred characters of said predefined sequence, it comprises the calculation of a specific mathematical function which receives as input the number from the user in the phase of entering the user password and/or the length of the concatenated string.

In one embodiment of the method, the random password and/or salt comprise the step of memorization on a non-volatile memory medium and that optionally said random password and salt comprise the encryption step before being memorized by means of a symmetric and/or asymmetric encryption system.

In one embodiment of the method, the generation of a runtime secret key for the symmetric cryptographic system comprises the following steps:

? user authentication according to the fingerprint-based scheme;

? the generation of a hash in real time through an algorithm which implements a cryptographic hash function which foresees as input the positive result of said fingerprint-based authentication;

? possibly, the derivation of a key through a key derivation algorithm which provides as input the hash generated in real time, a secret and random seed and a pre-established number of interactions.

In one embodiment of the method, the derivation algorithm comprises the implementation of the PBKDF2 algorithm, having as input a random and secret seed, generated by an at least 256-bit SHA algorithm, a number of iterations equal to at least 1000 and that the cryptographic hash function provides for the implementation of the SHA-2 algorithm and that said algorithm includes at least a 256-bit version of SHA-2.

In one embodiment of the method, does the authentication procedure comprise either the authentication scheme based on something one has and/or the authentication scheme based on something one has? alternative to the system based on the fingerprint. Eg, ? You can protect your account with two-step verification, where two-step verification (also known as two-factor authentication) adds an extra layer of security to your account. With two-step verification to access an account in two you can? use: something that is, for example the face; something you have, such as your phone or a token, a small device to show that the person who is accessing ? the owner or an app that allows you to create verification codes that you can use only once by entering the verification code on the login screen to verify your identity.

In one embodiment of the method, the asymmetric cryptographic system comprises key generation by means of the FIDO2 security key-based standard.

In one embodiment of the method, in an authentication step with an authentication server comprising the establishment of an encrypted connection session on a communication channel between an endpoint of a user and said authentication server, the following steps are provided :

? manual entry of the username by a user in the input form defined for the username;

? automatic prefilling of an automatically generated random password and salt;

? manual entry of an immutable user password in the input form defined for the user space;

? concatenation of said user password with said password and random salts and that possibly the concatenation includes the transposition;

? calculation of the hash for the concatenated string by the endpoint;

? transmission of the concatenated string hash and/or of the username and from the endpoint to the server;

? receipt of the concatenated string hash and/or username from the server; ? comparison between said calculated hash and the concatenated string hash previously stored on the server during user account registration.

In one embodiment of the method, the user account registration phase comprises the definition of a specific username, the storage of the hash of a concatenated string in the authentication server associated with a specific user profile comprising at least the personal data.

In one embodiment of the method, wherein the step of authentication with an authentication server comprising the establishment of an encrypted connection session of a communication channel between a user's endpoint and an authentication server, provides the following phases:

? manual entry of the username by a user;

? transmission of the username to said server;

? receipt of the user and retransmission to the user of an encrypted string containing the concatenation of a random password and salt and which possibly said concatenation includes the transposition of the characters of the random password and salt associated with the username of the specific account;

? receipt of said encrypted string by the user?s endpoint;

? decryption of the concatenated string by the user?s endpoint;

? random password detection versus random salt;

? transmission of the positive confirmation regarding the activity? discovery to the server;

? enable userspace input form and prefilled form input by server;

? automatic prefilling of automatically generated random password and random salt for the specific account;

? manual entry of the immutable user password in the input form defined for the user space;

? concatenation of said user password with said random passwords and salts, and that possibly, the concatenation step also includes the transposition step;

? computation of the concatenated string hash by the endpoint;

? transmission of the concatenated string hash and/or username from the endpoint to the server;

? receiving the hash of the concatenated string and/or username from the server; ? comparison between said calculated hash and the concatenated string hash previously stored on the server during user account registration.

In one embodiment of the method, wherein the detection step is characterized in that it comprises the comparison between the random password stored in the user's endpoint with the string received from the server and that possibly said comparison comprises, for the reverse transposition, the calculation according to a deterministic distribution function and/or the count of characters of the random password stored in the user?s endpoint with the received string possibly considering the translation of a certain pre-established number in the count.

In one embodiment of the method, wherein the negative confirmation in the detection step comprises:

? the automatic abort of the session by the user?s endpoint in relation to the encrypted connection regarding the communication channel between the user?s endpoint and the authentication server;

? a notification and/or an on-screen warning message to inform the user of a phishing attempt.

In one embodiment of the method, establishing an encrypted connection session of a communication channel between a user's endpoint and an authentication server comprises the implementation of the Transport Layer Security (TLS) version 1.3 protocol.

In one embodiment of the method, the detection step comprises comparing the URI and/or URL address of the authentication server with the URI and/or URL address associated with the username of a user profile of a specific account stored in the ?user?endpoint and/or possibly the comparison of the user agent of a user?s browser stored and transmitted by the server during registration with the user agent of a browser associated with the username of a user profile of a specific account stored in the ?user?endpoint . In one embodiment of the method, for checking the URI address and/or URL ? implementation and/or integration with the Sender Policy Framework (SPF) protocol is foreseen.

In one embodiment of the method, ? the direct implementation in an endpoint of the local authentication and/or unlocking phase of the device is envisaged, where, as seen previously, the operations performed by the authentication server, in this embodiment are implemented directly in said endpoint.

In one embodiment of the method, ? foreseen implementation in a system including integration, possibly with the Application Platform Interface (API) methodology, with all company applications in a single company Authentication Domain (for example managed with an LDAP server, Microsoft Active Directory, etc.) and/or integration with Single-Sign-On (SSO) to all applications and/or services based on Federated Identity Management (FIM) and/or with systems based on SAML, SAMLv2, OpenID, Oauth, WS-Federation protocols etc.

In another embodiment of the method, ? Is it possible to combine and/or limit the said methods in one or more? embodiments according to any form of the present invention.

In one embodiment of the present invention, ? provided a device for the protection of a user account with a variable password for each account but immutable for the user. The device, comprising a hardware module with fingerprint sensor, which said hardware module comprises a ROM and/or EPROM having a firmware, said device comprises a chip which implements one or more? cryptographic hash functions and a key derivation function and that said chip comprises at least one flash memory, possibly of the embedded type, which in response to authentication with the user's fingerprint? capable of performing a method of any one of the embodiments of the present invention.

In one embodiment of the device, the firmware ? a Unified Extensible Firmware Interface (UEFI) possibly run in mode? secure boot.

In one embodiment of the device, the ROM and/or EPROM comprises a smartcard circuit and the secret seed of the key derivation algorithm ? stored in said smartcard circuit and/or storing the encrypted random password and/or the encrypted random salt and/or the hash of the encrypted string comprising the concatenation of the user password, the random password and the random salt possibly transposed between them.

In one embodiment of the device, the same ? made with an architecture of the System on Chip (SoC) and/or Advanced RISC Machine (ARM) type and that possibly said device includes a Trusted Platform Module (TPM).

In one embodiment of the present invention, ? foreseen the use of the device for the protection of a user account with a variable password for each account but immutable for the user, able to be integrated in a mouse and/or in a smartphone and/or in a keyboard for personal computers and /or in a tablet and/or in a personal computer and/or in an external and/or removable medium and/or in any endpoint.

In another embodiment of the device, ? the implementation, by means of said device according to any embodiment, of at least one method of the present invention according to any embodiment is envisaged.

In one embodiment of the present invention, ? provided a system for the protection of a user account with a variable password for each account but immutable for the user. The system comprising a user endpoint having at least one processor and a memory of the RAM type, comprising an authentication server comprising at least one processor, a memory of the RAM type and at least one connection with a database, which said endpoint and server are interconnected for means of a local network and/or remotely possibly in VPN and that the connection session between the endpoint and the server comprises an encrypted communication channel, that said endpoint comprises the device according to the preceding claims, that said endpoint comprises a non-volatile memory medium in which ? memorized, in mode? encrypted, random password automatically generated for a specific account, which in said server? stored a concatenated string hash comprising the concatenation, possibly transposed, of a user? password, an automatically generated random password and an automatically generated random salt, in said server ? stored an encrypted string relating to said password and random salt, characterized by the fact of implementing the following method for user authentication:

? manual entry of usernames by a user;

? transmission of the username to said server by the user?s endpoint; ? receipt of the username and transmission by the server to the user of the encrypted string containing random password and salt associated with the specific username of said account;

? receipt of the encrypted string by the user;

? decryption of the encrypted string;

? random password detection versus salt;

? confirmation of the detection and transmission of the confirmation to the server by the user endpoint;

? enable the userspace input form and the precompiled input form by the server;

? automatic pre-filling of the automatically generated random password and salt associated with the username of that specific account; ? manual entry of the immutable user password by the user in the input form defined for the user space;

? concatenation of said user password with the password and random salts and that possibly said concatenation also includes the transposition; ? string hash computation concatenated from user endpoint;

? transmission of the concatenated string hash and/or username to the server;

? receipt of username and concatenated string hash;

? comparison between said calculated hash and the concatenated string hash previously stored on the server during account registration.

In one embodiment of the system, the method is implemented and integrated in whole or in part with common browser software and/or common password manager software and/or with the combination of common browser software and common password manager software.

In one embodiment of the system, ? foreseen integration with third party applications and services possibly with the Application Platform Interface (API) methodology including all company applications in a single company Authentication Domain (for example managed with an LDAP server, Microsoft Active Directory, etc.) and/or the? integration with Single-Sign-On (SSO) to all applications and/or services based on Federated Identity Management (FIM) and/or with systems based on SAML, SAMLv2, OpenID, Oauth, WS-Federation protocols etc.

In another embodiment of the system of the present invention, ? the implementation, by means of the system according to any embodiment, of at least one method of the present invention according to any embodiment is envisaged.

These and other features and advantages of the present invention described will become apparent in light of the following description of some of the exemplary embodiments of the present invention.

The invention, what? as a mode? preferred usage, and further objects and advantages thereof, will be better understood by referring to the following detailed description of exemplary embodiments when read in conjunction with the accompanying drawings, wherein:

FIGURE 1 ? an example diagram of a system for the protection of a user account with variable password for each account but immutable for the user in which pu? be implemented in an embodiment of the present invention;

FIGURE.2 ? an example block diagram illustrating the operational elements of a method for protecting a user account with a variable password for each account but immutable for the user in which it can? be implemented in an embodiment of the present invention.

In FIG. 1 , the system (700) comprising a user endpoint (100) having at least one processor (105) and a RAM type memory (110) where ? running browser software (135) and password manager software (140) implementing a symmetric encryption system based on the 256-bit AES standard, said endpoint comprising a device (120) having a hardware module with fingerprint sensor (125 ) and a SoC-type chip (130) which implements the cryptographic hash function using the 256-bit SHA-2 algorithm and a key derivation function using the PBKDF2 algorithm and which said chip includes an embedded flash memory , that said endpoint comprises a non-volatile memory medium (150) in which ? memorized, in mode? encrypted using the secret key at runtime, the random password automatically generated by the password manager (140) for a specific account, that said system comprises an authentication server (500) having a processor (505), a RAM type memory (510 ) and that the said server ? locally interconnected with a database (550) where ? the hash of a concatenated string obtained during registration of the user's account and the encrypted concatenated string containing the random password and salt generated during registration are stored; said endpoint and said server are remotely interconnected by means of an internet network and that the connection session between the endpoint and the server includes a communication channel encrypted with the TLS 1.3 protocol (600), which in the memory (510 ) of said server ? in execution a page of the service of a web portal relative to authentication (515) where a user via said endpoint with the browser (135) carries out an authentication procedure to the portal according to the method of which in FIG.2:

? insertion (10) of usernames by a user;

? transmission (11) of the username to said server by the user?s endpoint;

? receipt of the username and transmission (12) by the server to the user of the encrypted string containing the password and random salts associated with the username of that specific account;

? reception (13) of the encrypted string by the user;

? decryption (14) of the encrypted string comprising the runtime generation of the secret key for the symmetric cryptographic system comprising the following steps:

o authentication of the user (800) with a fingerprint via the module (125);

o the real-time generation of a hash (810) through the 256-bit SHA-2 algorithm contained in the module (130) which provides as input the positive result of said fingerprint-based authentication;

o the derivation of a key (820) through the PBKDF2 algorithm contained in the module (130) which provides as input the hash generated in real time in the step (810), the initialization of a secret and random seed stored in said module (130) and the setting of a pre-established number of interactions equal to 1000;

? detecting (15) the random password with respect to the salt by the password manager (140) running RAM (110);

? confirmation of the detection and transmission (16) of the confirmation to the server (515) by the user endpoint via browser (135);

? enabling (17) the userspace input form and the pre-filled input form by the server (515);

? automatic prefilling (18) of the automatically generated random password and salt associated with the username of that specific account via the password manager (140);

? manual entry of the immutable user password (900) by the user in the input form defined for the user space;

? concatenation (19) of said user password with the random password and salt and that possibly said concatenation also includes the transposition; ? calculation (19) string hash concatenated from user endpoint;

? transmission (21) of the concatenated string hash and/or of the username to the server; ? reception (22) of the username and the concatenated string hash;

? comparison (23) between said calculated hash and the concatenated string hash previously stored in the server during account registration.

It is clear that the user with only two simple steps respectively first through the fingerprint (800) to generate the secret decryption key at runtime and then to enter the user password (900), proposes a usable, secure and low-cost solution. low cost by allowing the user to remember only one simple password but combined with this invention robust in account protection. To specify that the runtime secret key is not ? never stored but is always generated at runtime starting from authentication with the user's fingerprint and the user password? unique and immutable for all accounts.

How will it be? Appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method, device or use thereof, or a computer program product. Accordingly, aspects of the present invention may take the form of an all-hardware embodiment, an all-software embodiment (including firmware, resident software, microcode, etc.), or an embodiment that combines both software and hardware aspects at which can you? generally referred to herein as "circuit", "module", or "system". Additionally, aspects of the present invention may take the form of a computer program product embedded in one or more programs. computer-readable media on which ? incorporated program code that can be used by computers. Can? be used any combination of one or more? computer readable media. Can computer-readable media be a computer-readable signal carrier or a computer-readable storage carrier. A computer-readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, device, device, or any suitable combination of the foregoing. The computer program code for performing operations for aspects of the present invention can be written in any combination of one or more? programming languages, including an object-oriented programming language such as Java?, Smalltalk?, C+ or similar, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code can run entirely on your computer, partially on your computer, as a stand-alone software package, partly on your computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer can be connected to your computer over any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection can? be made to an external computer (for example, over the Internet using an Internet service provider).

Claims (10)

1) A method for protecting a user account with a variable password for each account but immutable for the user, performed by at least one computer and loaded in a RAM type memory, characterized by the fact that the creation of each account includes the following phases: ? automatic generation of a random password string using an automatic random password algorithm; ? automatic generation of a random salt string using an automatic random hash algorithm; ? manual entry by a user of an immutable password that is easy to remember; ? concatenating the immutable password with said random password and with said random salt; ? the association of said concatenation with a specific username of a specific account. 2) The method according to the preceding claims, characterized in that the insertion of the user password comprises the insertion of at least four types of characters, in which at least one character ? uppercase type, at least one ? of lowercase type, at least one ? a special character, at least one ? a number and that the generation of the automatic random password string includes the definition of the minimum length and the maximum length, preferably from 25 to 50 and the selection of the type of character preferably between uppercase and lowercase letters, special characters and numbers and that the generation of the random salt string includes the selection of the minimum length and the maximum length preferably from 25 to 50 and the selection of the character type preferably between uppercase and lowercase letters, special characters and numbers. 3) The method according to the preceding claims, characterized in that the concatenation comprises the transposition of the characters of the user password according to a predefined sequence between the characters of the random password and/or of the random salt and/or the transposition of the characters of the random salt according to a predefined sequence between the characters of the random password and that possibly said sequence includes: ? the dynamic definition of the transposition of a hundred number of characters according to the input received from the user in the phase of inserting the user password and more? precisely the reception of the number in correspondence with the insertion of the character type number. 4) The method according to the preceding claims, characterized in that the random password and salt comprise the memorization step on a non-volatile type memory support and that optionally said random password and salt comprise the encryption step before storage using a symmetric and/or asymmetric encryption system. 5) The method according to the preceding claims, characterized in that the generation at runtime of the secret key for the symmetric encryption system comprises the following steps: ? user authentication according to the fingerprint-based scheme; ? the generation of a hash in real time through an algorithm which implements a cryptographic hash function which foresees as input the positive result of said fingerprint-based authentication; ? and possibly, the derivation of a key through a key derivation algorithm which provides as input the hash generated in real time, a secret seed and a pre-established number of interactions. 6) The method according to the preceding claims, wherein the step of authentication with an authentication server comprising the establishment of an encrypted connection session on a communication channel between an endpoint of a user and said authentication server, ? characterized by the fact that it includes the following phases: ? entering the username by a user in the input form defined for the username; ? automatic prefilling of an automatically generated random password and salt; ? entering an immutable user password in the input form defined for the user space; ? concatenation of said user password with said password and random salts and that possibly the concatenation includes the transposition; ? calculation of the hash for the concatenated string by the endpoint; ? transmission of the concatenated string hash and/or username from the endpoint to the server; ? receipt of the concatenated string hash and/or username from the server; ? comparison between said calculated hash and the concatenated string hash previously stored on the server during user account registration. 7) The method according to the preceding claims, wherein the step of authentication with an authentication server comprising the establishment of an encrypted connection session of a communication channel between a user's endpoint and an authentication server, ? characterized by the fact that it includes the following stages: ? insertion of the username by a user; ? transmission of the username to said server; ? receipt of the user and retransmission to the user of an encrypted string containing the concatenation of a password and the random salt and which possibly said concatenation includes the transposition of the characters of the password and the random salt; ? receipt of said encrypted string by the user?s endpoint; ? decryption of the concatenated string by the user?s endpoint; ? random password detection versus random salt; ? transmission of the positive confirmation regarding the activity? discovery to the server; ? enable userspace input form and prefilled form input by server; ? automatic prefilling of automatically generated random password and random salt for the specific account; ? entering the immutable user password in the input form defined for the user space; ? concatenation of said user password with said random passwords and salts, and that possibly, the concatenation step also includes the transposition step; ? computation of the concatenated string hash by the endpoint; ? transmission of the concatenated string hash and/or username from the endpoint to the server; ? receiving the hash of the concatenated string and/or username from the server; ? comparison between said calculated hash and the concatenated string hash previously stored on the server during user account registration. 8) Device for protecting a user account with a variable password for each account but unchangeable for the user, comprising a hardware module with fingerprint sensor, which said hardware module comprises a ROM and/or EPROM having a firmware, said device comprises a chip that implements one or more? cryptographic hash functions and a key derivation function and that said chip comprises at least one flash memory, characterized in that it performs the methods set forth in claims 5 and/or 7 above. 9) Use of the device according to the preceding claim, characterized in that it is integrated in a mouse and/or in a smartphone and/or in a keyboard for personal computers and/or in a tablet and/or in a personal computer and/or or in external and/or removable media and/or in any endpoint. 10) A system for protecting a user account with a variable password for each account but immutable for the user, comprising a user endpoint having at least one processor and RAM-type memory, comprising an authentication server, which said endpoint and servers are interconnected by means of a local network and/or remotely possibly in VPN and that the connection session between the endpoint and the server comprises an encrypted communication channel, that said endpoint comprises the device according to the preceding claims, that in said server ? stored a concatenated string hash comprising the possibly transposed concatenation of a user? password with an automatically generated random password and an automatically generated random salt, in said server ? memorized an encrypted string relating to said passwords and random salts, characterized by the fact of executing the following method for user authentication: ? entering usernames by a user; ? transmission of the username to said server by the user?s endpoint; ? receipt of the username and transmission by the server to the user of the encrypted string containing random password and salt; ? receipt of the encrypted string by the user; ? decryption of the encrypted string; ? random password detection versus salt; ? confirmation of the detection and transmission of the confirmation to the server by the user endpoint; ? enable the userspace input form and the precompiled input form by the server; ? automatic pre-filling of the automatically generated random password and salt associated with the username of that specific account; ? entering the immutable user password by the user in the input form defined for the user space; ? concatenation of said user password with the password and random salts and that possibly said concatenation also includes the transposition; ? string hash computation concatenated from user endpoint; ? transmission of the concatenated string hash and/or username to the server; ? receipt of username and concatenated string hash; ? comparison between said calculated hash and the concatenated string hash previously stored on the server during account registration.