公开(公告)号：US08875263B1

公开(公告)日：2014-10-28

申请号：US13434272

申请日：2012-03-29

申请人： Marten van Dijk ,  Kevin D. Bowers ,  John G. Brainard ,  Samuel Curry ,  Sean P. Doyle ,  Michael J. O'Malley ,  Nikolaos Triandopoulos

发明人： Marten van Dijk ,  Kevin D. Bowers ,  John G. Brainard ,  Samuel Curry ,  Sean P. Doyle ,  Michael J. O'Malley ,  Nikolaos Triandopoulos

IPC分类号： G06F21/00 ,  H04L9/16 ,  H04L29/06 ,  G06F21/31 ,  H04L9/32 ,  G06F21/42

CPC分类号： G06F21/31 ,  G06F21/34 ,  G06F21/42 ,  H04L9/3228 ,  H04L63/08 ,  H04L63/083 ,  H04L63/0846 ,  H04L63/0853 ,  H04L63/18

摘要： A technique controls a soft token running within an electronic apparatus. The technique involves providing an initial series of authentication codes based on a first set of machine states. The initial series of authentication codes is provided from the electronic apparatus to a server through a forward channel to authenticate a user. The technique further involves receiving a command from the server through a reverse channel between the electronic apparatus and the server. The reverse channel provides communications in a direction opposite to that of the forward channel. The technique further involves changing the first set of machine states to a second set of machine states in response to the command, and providing a new series of authentication codes based on the second set of machine states. The new series of authentication codes is provided from the electronic apparatus to the server through the forward channel for user authentication.

摘要翻译： 技术控制在电子设备内运行的软令牌。 该技术涉及提供基于第一组机器状态的初始系列认证码。 通过前向信道从电子设备向服务器提供初始系列认证码，以认证用户。 该技术还涉及通过电子设备和服务器之间的反向信道从服务器接收命令。 反向信道在与正向信道相反的方向上提供通信。 该技术还涉及响应于该命令将第一组机器状态改变到第二组机器状态，并且基于第二组机器状态提供新的一系列认证代码。 新的认证码系列通过前向信道从电子设备提供给服务器，用于用户认证。

公开(公告)号：US08752156B1

公开(公告)日：2014-06-10

申请号：US13435848

申请日：2012-03-30

申请人： Marten van Dijk ,  Kevin D. Bowers ,  Samuel Curry ,  Sean P. Doyle ,  Nikolaos Triandopoulos ,  Riaz Zolfonoon

发明人： Marten van Dijk ,  Kevin D. Bowers ,  Samuel Curry ,  Sean P. Doyle ,  Nikolaos Triandopoulos ,  Riaz Zolfonoon

IPC分类号： H04L29/06

CPC分类号： H04W12/06 ,  H04L9/0869 ,  H04L9/3228 ,  H04W12/12

摘要： A technique for detecting unauthorized copies of a soft token that runs on a mobile device includes generating a set of random bits on the mobile device and providing samples of the set of random bits, as well as token codes from the soft token, for delivery to a server during authentication requests. The server acquires the set of random bits of the mobile device, or learns the set of random bits over the course of multiple login attempts. Thereafter, the server predicts values of the samples of the set of random bits and tests actual samples arriving in connection with subsequent authentication requests. Mismatches between predicted samples and received samples indicate discrepancies between the random bits of the device providing the samples and the random bits of the mobile device, and thus indicate unauthorized soft token copies.

摘要翻译： 用于检测在移动设备上运行的软令牌的未授权复制的技术包括在移动设备上生成一组随机比特，并提供该组随机比特的样本以及来自该软令牌的令牌代码，用于递送到 认证请求期间的服务器。 服务器获取移动设备的一组随机比特，或者在多次登录尝试过程中学习一组随机比特。 此后，服务器预测该组随机比特的样本的值并测试结合后续认证请求到达的实际样本。 预测样本和接收到的样本之间的不匹配指示提供样本的设备的随机比特与移动设备的随机比特之间的差异，并且因此指示未授权的软令牌副本。

公开(公告)号：US08683563B1

公开(公告)日：2014-03-25

申请号：US13435616

申请日：2012-03-30

申请人： Marten van Dijk ,  Kevin D. Bowers ,  Samuel Curry ,  Sean P. Doyle ,  William M. Duane ,  Ari Juels ,  Michael J. O'Malley ,  Nikolaos Triandopoulos ,  Riaz Zolfonoon

发明人： Marten van Dijk ,  Kevin D. Bowers ,  Samuel Curry ,  Sean P. Doyle ,  William M. Duane ,  Ari Juels ,  Michael J. O'Malley ,  Nikolaos Triandopoulos ,  Riaz Zolfonoon

IPC分类号： G06F7/04

CPC分类号： H04L9/00 ,  G06F21/43 ,  G06F21/554 ,  G06F21/56 ,  H04L63/1433 ,  H04W12/06 ,  H04W12/12

摘要： An improved technique for assessing the security status of a device on which a soft token is run collects device posture information from the device running the soft token and initiates transmission of the device posture information to a server to be used in assessing whether the device has been subjected to malicious activity. The device posture information may relate to the software status, hardware status, and/or environmental context of the device. In some examples, the device posture information is transmitted to the server directly. In other examples, the device posture information is transmitted to the server via auxiliary bits embedded in passcodes displayed to the user, which the user may read and transfer to the server as part of authentication requests. The server may apply the device posture information in a number of areas, including, for example, authentication management, risk assessment, and/or security analytics.

摘要翻译： 用于评估其上运行软令牌的设备的安全状态的改进技术从运行软令牌的设备收集设备姿态信息，并且发起设备姿态信息传输到服务器以用于评估设备是否已经被 遭受恶意活动。 设备姿态信息可以涉及设备的软件状态，硬件状态和/或环境上下文。 在一些示例中，设备姿态信息被直接发送到服务器。 在其他示例中，设备姿态信息通过嵌入在显示给用户的密码中的辅助位发送到服务器，用户可以作为认证请求的一部分读取和传送到服务器。 服务器可以在多个区域中应用设备姿态信息，包括例如认证管理，风险评估和/或安全分析。

公开(公告)号：US08752146B1

公开(公告)日：2014-06-10

申请号：US13434280

申请日：2012-03-29

申请人： Marten van Dijk ,  Kevin D. Bowers ,  Samuel Curry ,  Sean P. Doyle ,  Nikolaos Triandopoulos ,  Riaz Zolfonoon

发明人： Marten van Dijk ,  Kevin D. Bowers ,  Samuel Curry ,  Sean P. Doyle ,  Nikolaos Triandopoulos ,  Riaz Zolfonoon

IPC分类号： G06F21/00 ,  H04L29/06 ,  H04L9/32 ,  H04L9/08 ,  G06F21/32

CPC分类号： H04L63/0861 ,  G06F21/32 ,  G06F21/43 ,  H04L9/3215 ,  H04L9/3228 ,  H04L9/3231 ,  H04L63/0838 ,  H04L63/18

摘要： A technique provides authentication codes to authenticate a user to an authentication server. The technique involves generating, by an electronic apparatus (e.g., a smart phone, a tablet, a laptop, etc.), token codes from a cryptographic key. The technique further involves obtaining biometric measurements from a user, and outputting composite passcodes as the authentication codes. The composite passcodes include the token codes and biometric factors based on the biometric measurements. Additionally, the token codes and the biometric factors of the composite passcodes operate as authentication inputs to user authentication operations performed by the authentication server. In some arrangements, the biometric factors are results of facial recognition (e.g., via a camera), voice recognition (e.g., via a microphone), gate recognition (e.g., via an accelerometer), touch recognition and/or typing recognition (e.g., via a touchscreen or keyboard), combinations thereof, etc.

摘要翻译： 一种技术提供认证码以将用户认证给认证服务器。 该技术涉及通过电子设备（例如，智能电话，平板电脑，笔记本电脑等）从加密密钥生成令牌代码。 该技术还涉及从用户获取生物测量，并输出复合密码作为认证码。 复合密码包括基于生物特征测量的令牌代码和生物特征因子。 此外，复合密码的令牌代码和生物特征因子作为认证服务器执行的用户认证操作的认证输入。 在一些布置中，生物特征因子是面部识别（例如，经由相机），语音识别（例如，经由麦克风），门识别（例如，经由加速度计），触摸识别和/或打字识别（例如， 通过触摸屏或键盘），其组合等

公开(公告)号：US08819769B1

公开(公告)日：2014-08-26

申请号：US13435606

申请日：2012-03-30

申请人： Marten van Dijk ,  Kevin D. Bowers ,  Samuel Curry ,  Sean P. Doyle ,  Eyal Kolman ,  Nikolaos Triandopoulos ,  Riaz Zolfonoon

发明人： Marten van Dijk ,  Kevin D. Bowers ,  Samuel Curry ,  Sean P. Doyle ,  Eyal Kolman ,  Nikolaos Triandopoulos ,  Riaz Zolfonoon

IPC分类号： H04L29/06

CPC分类号： H04L63/0876 ,  H04L67/303

摘要： An improved technique for managing access of a user of a computing machine to a remote network collects device posture information about the user's mobile device. The mobile device runs a soft token, and the collected posture information pertains to various aspects of the mobile device, such as the mobile device's hardware, software, environment, and/or users, for example. The server applies the collected device posture information along with token codes from the soft token in authenticating the user to the remote network.

摘要翻译： 用于管理计算机的用户对远程网络的访问的改进技术收集关于用户的移动设备的设备姿态信息。 移动设备运行软令牌，并且收集的姿态信息涉及例如移动设备的各个方面，例如移动设备的硬件，软件，环境和/或用户。 服务器将所收集的设备姿态信息以及来自软令牌的令牌代码应用于将用户认证到远程网络。

公开(公告)号：US08683570B1

公开(公告)日：2014-03-25

申请号：US13435611

申请日：2012-03-30

申请人： Marten van Dijk ,  Kevin D. Bowers ,  Samuel Curry ,  Nikolaos Triandopoulos

发明人： Marten van Dijk ,  Kevin D. Bowers ,  Samuel Curry ,  Nikolaos Triandopoulos

IPC分类号： H04L29/06 ,  G06F21/35

CPC分类号： G06F21/35 ,  H04L63/0838 ,  H04L63/0853 ,  H04L63/1416

摘要： An improved technique provides scheduled data transfer between a mobile device and a server. The mobile device combines token codes generated by a soft token with sequences of auxiliary bits and displays the combinations to users as passcodes. Users may then copy the passcodes to their computers for authenticating to a server on a remote network. As the passcodes include both token codes and sequences of auxiliary bits, a communication channel is established whereby the auxiliary bits as well as the soft token codes are transmitted from the mobile device to the server.

摘要翻译： 改进的技术提供了移动设备和服务器之间的调度数据传输。 移动设备将由软令牌产生的令牌代码与辅助位序列组合，并将用户的组合显示为密码。 然后，用户可以将密码复制到其计算机，以便对远程网络上的服务器进行身份验证。 由于密码包括令牌码和辅助比特序列，所以建立通信信道，由此辅助比特以及软令牌码从移动设备发送到服务器。

公开(公告)号：US20150242616A1

公开(公告)日：2015-08-27

申请号：US14190195

申请日：2014-02-26

申请人： Alina Oprea ,  Kevin D. Bowers ,  Nikolaos Triandopoulos ,  Ting-Fang Yen ,  Ari Juels

发明人： Alina Oprea ,  Kevin D. Bowers ,  Nikolaos Triandopoulos ,  Ting-Fang Yen ,  Ari Juels

IPC分类号： G06F21/44

CPC分类号： G06F21/445 ,  G06F21/32 ,  G06F21/34 ,  G06F2221/2113 ,  G06F2221/2131

摘要： There is disclosed a method for use in credential recovery. In one exemplary embodiment, the method comprises determining a policy that requires at least one trusted entity to verify the identity of a first entity in order to facilitate credential recovery. The method also comprises receiving at least one communication that confirms verification of the identity of the first entity by at least one trusted entity. The method further comprises permitting credential recovery based on the received verification.

摘要翻译： 公开了用于证书恢复的方法。 在一个示例性实施例中，该方法包括确定需要至少一个可信实体来验证第一实体的身份以便于凭证恢复的策略。 该方法还包括接收由至少一个可信实体验证第一实体的身份的至少一个通信。 该方法还包括基于所接收的验证允许凭证恢复。

公开(公告)号：US08813234B1

公开(公告)日：2014-08-19

申请号：US13171759

申请日：2011-06-29

申请人： Kevin D. Bowers ,  Marten E. van Dijk ,  Ari Juels ,  Alina M. Oprea ,  Ronald L. Rivest ,  Nikolaos Triandopoulos

发明人： Kevin D. Bowers ,  Marten E. van Dijk ,  Ari Juels ,  Alina M. Oprea ,  Ronald L. Rivest ,  Nikolaos Triandopoulos

IPC分类号： G06F21/00

CPC分类号： G06F21/552 ,  H04L63/1408 ,  H04L63/1441 ,  H04L63/20

摘要： A processing device comprises a processor coupled to a memory and implements a graph-based approach to protection of a system comprising information technology infrastructure from a persistent security threat. Attack-escalation states of the persistent security threat are assigned to respective nodes in a graph, and defensive costs for preventing transitions between pairs of the nodes are assigned to respective edges in the graph. A minimum cut of the graph is computed, and a defensive strategy is determined based on the minimum cut. The system comprising information technology infrastructure subject to the persistent security threat is configured in accordance with the defensive strategy in order to deter the persistent security threat.

摘要翻译： 处理设备包括处理器，其耦合到存储器并且实现基于图的方法以保护包括信息技术基础设施的系统免受持久的安全威胁。 持续性安全威胁的攻击升级状态被分配给图中的相应节点，并且用于防止节点对之间的转换的防御成本被分配给图中的相应边缘。 计算图的最小值，并根据最小值确定防御策略。 包含受到持续安全威胁的信息技术基础架构的系统是根据防御策略配置的，以便阻止持续的安全威胁。

公开(公告)号：US09009844B1

公开(公告)日：2015-04-14

申请号：US13436080

申请日：2012-03-30

申请人： Thomas S. Corn ,  Ari Juels ,  Nikolaos Triandopoulos

发明人： Thomas S. Corn ,  Ari Juels ,  Nikolaos Triandopoulos

IPC分类号： H04L29/06

CPC分类号： H04L9/0675 ,  H04L9/3271

摘要： Knowledge-based authentication (KBA) is provided using historically-aware questionnaires. The KBA can obtain a plurality of historically different answers from the user to at least one question; challenge the user with the question for a given period of time; receive a response from the user to the question; and grant access to the restricted resource if the response is accurate for the given period of time based on the historically different answers. Alternatively, the KBA can be based on historically aware answers to a set of inter-related questions. The user is challenged with the inter-related questions for a given period of time. Historically different answers can comprise answers with applicable dates, or correct answers to the question over time. Historically aware answers can comprise an answer that is accurate for an indicated date or period of time. An accurate response demonstrates knowledge of multiple related personal events.

摘要翻译： 基于知识的认证（KBA）是使用历史感知的问卷调查表提供的。 KBA可以从用户获得多个历史上不同的答案至少一个问题; 在给定的时间内质疑用户的问题; 接收用户对该问题的回复; 并且如果响应在给定时间段内基于历史上不同的答案准确，则授予对受限资源的访问。 或者，KBA可以基于历史上意识到的一系列相互关联的问题的答案。 用户在给定的时间内受到相互关联的问题的挑战。 历史上不同的答案可以包括适用日期的答案，或者随着时间的推移对问题的正确答案。 历史上意识到的答案可以包含对于指定的日期或时间段的准确的答案。 准确的答复表明了多个相关个人事件的知识。

公开(公告)号：US08984609B1

公开(公告)日：2015-03-17

申请号：US13404780

申请日：2012-02-24

申请人： Ari Juels ,  Nikolaos Triandopoulos ,  Ronald Rivest ,  Marten Erik van Dijk

发明人： Ari Juels ,  Nikolaos Triandopoulos ,  Ronald Rivest ,  Marten Erik van Dijk

IPC分类号： G06F9/00

CPC分类号： G06F21/34 ,  G06F2221/2129 ,  H04L9/3228 ,  H04L63/0846

摘要： Methods and apparatus are provided for embedding auxiliary information in one-time passcode authentication tokens. Auxiliary information is embedded in authentication information transmitted to a receiver by obtaining the auxiliary information; and mapping the auxiliary information to a codeword using a secret key, wherein the secret key is shared between the security token and an authentication authority; and combining the codeword with a tokencode generated by a security token to generate a one-time passcode. The one-time passcode can then be transmitted to the receiver.

摘要翻译： 提供了将辅助信息嵌入一次性密码认证令牌中的方法和装置。 辅助信息被嵌入到通过获取辅助信息发送到接收器的认证信息中; 以及使用秘密密钥将所述辅助信息映射到码字，其中所述秘密密钥在所述安全令牌和认证机构之间共享; 以及将码字与由安全令牌生成的令牌代码组合以生成一次性密码。 然后可以将一次性密码传送到接收器。