Controlling a soft token running within an electronic apparatus
    1.
    Granted invention patent
    Controlling a soft token running within an electronic apparatus (in force)

    Publication number: US08875263B1

    Publication date: 2014-10-28

    Application number: US13434272

    Application date: 2012-03-29

    Abstract: A technique controls a soft token running within an electronic apparatus. The technique involves providing an initial series of authentication codes based on a first set of machine states. The initial series of authentication codes is provided from the electronic apparatus to a server through a forward channel to authenticate a user. The technique further involves receiving a command from the server through a reverse channel between the electronic apparatus and the server. The reverse channel provides communications in a direction opposite to that of the forward channel. The technique further involves changing the first set of machine states to a second set of machine states in response to the command, and providing a new series of authentication codes based on the second set of machine states. The new series of authentication codes is provided from the electronic apparatus to the server through the forward channel for user authentication.


    Soft token posture assessment
    2.
    Granted invention patent
    Soft token posture assessment (in force)

    Publication number: US08683563B1

    Publication date: 2014-03-25

    Application number: US13435616

    Application date: 2012-03-30

    IPC classification: G06F7/04

    Abstract: An improved technique for assessing the security status of a device on which a soft token is run collects device posture information from the device running the soft token and initiates transmission of the device posture information to a server to be used in assessing whether the device has been subjected to malicious activity. The device posture information may relate to the software status, hardware status, and/or environmental context of the device. In some examples, the device posture information is transmitted to the server directly. In other examples, the device posture information is transmitted to the server via auxiliary bits embedded in passcodes displayed to the user, which the user may read and transfer to the server as part of authentication requests. The server may apply the device posture information in a number of areas, including, for example, authentication management, risk assessment, and/or security analytics.


    Detecting soft token copies
    3.
    Granted invention patent
    Detecting soft token copies (in force)

    Publication number: US08752156B1

    Publication date: 2014-06-10

    Application number: US13435848

    Application date: 2012-03-30

    IPC classification: H04L29/06

    Abstract: A technique for detecting unauthorized copies of a soft token that runs on a mobile device includes generating a set of random bits on the mobile device and providing samples of the set of random bits, as well as token codes from the soft token, for delivery to a server during authentication requests. The server acquires the set of random bits of the mobile device, or learns the set of random bits over the course of multiple login attempts. Thereafter, the server predicts values of the samples of the set of random bits and tests actual samples arriving in connection with subsequent authentication requests. Mismatches between predicted samples and received samples indicate discrepancies between the random bits of the device providing the samples and the random bits of the mobile device, and thus indicate unauthorized soft token copies.


    Providing authentication codes which include token codes and biometric factors
    5.
    Granted invention patent
    Providing authentication codes which include token codes and biometric factors (in force)

    Publication number: US08752146B1

    Publication date: 2014-06-10

    Application number: US13434280

    Application date: 2012-03-29

    Abstract: A technique provides authentication codes to authenticate a user to an authentication server. The technique involves generating, by an electronic apparatus (e.g., a smart phone, a tablet, a laptop, etc.), token codes from a cryptographic key. The technique further involves obtaining biometric measurements from a user, and outputting composite passcodes as the authentication codes. The composite passcodes include the token codes and biometric factors based on the biometric measurements. Additionally, the token codes and the biometric factors of the composite passcodes operate as authentication inputs to user authentication operations performed by the authentication server. In some arrangements, the biometric factors are results of facial recognition (e.g., via a camera), voice recognition (e.g., via a microphone), gait recognition (e.g., via an accelerometer), touch recognition and/or typing recognition (e.g., via a touchscreen or keyboard), combinations thereof, etc.


    Scheduling soft token data transmission
    6.
    Granted invention patent
    Scheduling soft token data transmission (in force)

    Publication number: US08683570B1

    Publication date: 2014-03-25

    Application number: US13435611

    Application date: 2012-03-30

    IPC classification: H04L29/06 G06F21/35

    Abstract: An improved technique provides scheduled data transfer between a mobile device and a server. The mobile device combines token codes generated by a soft token with sequences of auxiliary bits and displays the combinations to users as passcodes. Users may then copy the passcodes to their computers for authenticating to a server on a remote network. As the passcodes include both token codes and sequences of auxiliary bits, a communication channel is established whereby the auxiliary bits as well as the soft token codes are transmitted from the mobile device to the server.


    Graph-based approach to deterring persistent security threats
    8.
    Granted invention patent
    Graph-based approach to deterring persistent security threats (in force)

    Publication number: US08813234B1

    Publication date: 2014-08-19

    Application number: US13171759

    Application date: 2011-06-29

    IPC classification: G06F21/00

    Abstract: A processing device comprises a processor coupled to a memory and implements a graph-based approach to protection of a system comprising information technology infrastructure from a persistent security threat. Attack-escalation states of the persistent security threat are assigned to respective nodes in a graph, and defensive costs for preventing transitions between pairs of the nodes are assigned to respective edges in the graph. A minimum cut of the graph is computed, and a defensive strategy is determined based on the minimum cut. The system comprising information technology infrastructure subject to the persistent security threat is configured in accordance with the defensive strategy in order to deter the persistent security threat.


    Techniques for detecting malware on a mobile device
    9.
    Granted invention patent
    Techniques for detecting malware on a mobile device (in force)

    Publication number: US08904525B1

    Publication date: 2014-12-02

    Application number: US13536355

    Application date: 2012-06-28

    IPC classification: G06F12/14 G06F21/56

    Abstract: A technique to detect malware on a mobile device which stores a virtual machine image involves establishing a connection from an electronic malware detection apparatus to the mobile device, the electronic malware detection apparatus being external to the mobile device. The technique further involves transferring mobile device data from the mobile device to the electronic malware detection apparatus through the connection to form a copy of the virtual machine image within the electronic malware detection apparatus. The technique further involves performing, by the electronic detection apparatus, a set of malware detection operations on the copy of the virtual machine image to determine whether the mobile device is infected with malware.


    Authentication token with controlled release of authentication information based on client attestation

    Publication number: US09659177B1

    Publication date: 2017-05-23

    Application number: US13625465

    Application date: 2012-09-24

    IPC classification: G06F3/00 G06F21/57

    Abstract: An authentication token configured to generate authentication information comprises an attestation module. The attestation module of the authentication token is configured to receive an attestation generated by an attestation module of a client, to perform a check on the received attestation, and to release the authentication information to a designated entity if the check indicates that the attestation is valid. The designated entity may comprise the client itself or another entity that participates in an authentication process involving at least one of the authentication token and the client. The authentication token in performing the check on the attestation received from the client may determine if the received attestation conforms to a predetermined policy. The attestation may comprise a platform attestation generated by the client for a given instantiated software stack of the client.