Abstract:
Server methods and apparatus are provided for processing passcodes generated by configurable one-time authentication tokens. An authentication server is configured to process an original passcode generated by a configurable one-time authentication token by configuring the authentication server to have a server configuration that is compatible with a selected configuration of the configurable one-time authentication token; receiving a candidate passcode based on the original passcode generated by the configurable one-time authentication token; and processing the candidate passcode based on the server configuration. The selected configuration of the configurable one-time authentication token must always enable a forward-secure pseudorandom number generation feature for the one-time authentication token and at least one additional selected token feature.
Abstract:
Configurable one-time authentication tokens are provided with improved resilience to attacks. A one-time authentication token is configured by providing a plurality of token features that may be selectively incorporated into the configurable one-time authentication token, wherein the plurality of token features comprise at least two of the features; obtaining a selection of at least a plurality of the token features; and configuring the one-time authentication token based on the selected token features, wherein the configuration must always enable forward security for the one-time authentication token and at least one additional selected token feature. A configurable one-time authentication token is provided that comprises a plurality of selectable token features that may be selectively incorporated into the configurable one-time authentication token, wherein the configurable one-time authentication token is always configured with forward security and at least one additional token feature.
Abstract:
There is disclosed a method for use in credential recovery. In one exemplary embodiment, the method comprises determining a policy that requires at least one trusted entity to verify the identity of a first entity in order to facilitate credential recovery. The method also comprises receiving at least one communication that confirms verification of the identity of the first entity by at least one trusted entity. The method further comprises permitting credential recovery based on the received verification.
Abstract:
An authentication system includes a first server configured to store identifiers of respective users in association with respective pseudonyms, and a second server configured to store templates of the respective users in association with the respective pseudonyms. Input is received from a given user in conjunction with an authentication attempt. The first server is configured to determine if a first portion of the received input is associated with one of the user identifiers stored in the first server. If the first portion of the received input is associated with one of the user identifiers stored in the first server, the corresponding pseudonym is provided from the first server to the second server. The given user is authenticated based on a determination as to whether or not a second portion of the received input matches one of the stored user templates corresponding to the pseudonym provided to the second server.
Abstract:
A processing device comprising a processor coupled to a memory is configured to determine a risk of simultaneous theft of a primary device and at least one satellite device associated with the primary device, and to identify said at least one satellite device as an appropriate authentication factor for use in an authentication process involving the primary device, based at least in part on the determined risk. The identified satellite device may serve as an additional or alternative authentication factor relative to one or more other authentication factors. The processing device may comprise the primary device itself, or another separate device, such as an authentication server that also participates in the authentication process. Information associated with the identified satellite device is utilized in the authentication process to authenticate a user of the primary device.
Abstract:
A processing device is configured to obtain an address and a public key, both associated with an authentication service, to generate a symmetric key as a function of the public key, to configure an authentication token to incorporate the symmetric key, to encrypt the symmetric key utilizing the public key, and to transmit the encrypted symmetric key to the address so as to permit the authentication service to bind the symmetric key to an identifier of the authentication token. By way of example, the authentication token may comprise a software authentication token implemented on the processing device. One or more tokencodes generated by the authentication token utilizing the symmetric key are transmitted to the authentication service for authentication. The authentication by the authentication service is based on the symmetric key bound to the identifier of the authentication token.
Abstract:
A method comprises storing in a memory of a first processing device information relating to one or more historical events visible to the first processing device and a second processing device. The method further comprises, in an authentication session between the first processing device and the second processing device, transmitting an indicator derived from at least a portion of the stored information from the first processing device to the second processing device. The indicator permits the second processing device to determine the authenticity of the first processing device.
Abstract:
Multi-server one-time passcode verification is provided for respective high-order and low-order passcode portions. A user is authenticated by receiving an authentication passcode generated by a token associated with the user; and authenticating the user based on the received authentication passcode using at least a first authentication server and a second authentication server, wherein the first authentication server verifies a high-order portion of the received authentication passcode and wherein the second authentication server verifies a low-order portion of the received authentication passcode. The received authentication passcode is based on, for example, at least two protocodes P_{R,t} and P_{B,t} generated by the token and/or pseudorandom information R_{A,t}. A codebook C_t, based on the pseudorandom information R_{A,t}, can be used to embed additional auxiliary information into the authentication passcode.
Abstract:
Multi-server passcode verification is provided for one-time authentication tokens with auxiliary channel compatibility. An exemplary method comprises receiving an authentication passcode generated by a token associated with a user; and processing the received authentication passcode using at least a first authentication server and a second authentication server, wherein the received authentication passcode is based on at least one protocode and embedded auxiliary information, and wherein at least one of the first authentication server, the second authentication server and a relying party extracts the embedded auxiliary information from the received authentication passcode. The disclosed method can extend an existing multi-server verification process to process the received authentication passcode based on the embedded auxiliary information.
Abstract:
A processing device comprises a processor coupled to a memory and is configured to implement an overlay effects selection interface for use in conjunction with generation of a graphical password. An image is obtained and presented in the overlay effects selection interface with a plurality of user-selectable overlay effects. User input is received identifying at least one overlay effect selected from the plurality of user-selectable overlay effects, and a modified version of the image is presented incorporating the selected at least one overlay effect. Information characterizing the image and the selected at least one overlay effect is utilized to control access to a protected resource. For example, the information characterizing the image and the selected at least one overlay effect may be obtained as part of a graphical password enrollment process and stored as at least a portion of the graphical password for controlling access to the protected resource.