Abstract:
A system for detecting and preventing replay attacks includes a plurality of interconnected authentication servers, and one or more tokens for generating a one-time passcode and providing the one-time passcode to one of the authentication servers for authentication. The system includes an adjudicator function associated with each authentication server. The adjudicator evaluates a high water mark value associated with a token seeking authentication, allows authentication to proceed for the token if the high water mark evaluation indicates that the one-time passcode was not used in a previous authentication, and prevents authentication if the high water mark evaluation indicates that the one-time passcode was used in a previous authentication. The token is associated with a home authentication server that maintains a current high water mark of the token. The home authentication server validates the current high water mark on behalf of the adjudicator function evaluating the token for authentication.
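The high-water-mark adjudication described in this abstract, as an added worked example (not code from the patent or its assignee). The abstract does not fix the passcode algorithm, so an HOTP-style event counter is assumed; the token identifier, the seed, the search window and the two-server topology are constructed for the demo.

```python
import hmac
import hashlib
import struct

# Constructed demo parameters; the abstract fixes neither the OTP algorithm nor these
# numbers, so an HOTP-style event counter with a bounded look-ahead window is assumed.
DIGITS = 8       # passcode length used by the demo tokens
WINDOW = 20      # how far past the high water mark an adjudicator will search


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP-style passcode: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Token:
    """Event-based token: each press advances the counter and emits a fresh passcode."""
    def __init__(self, token_id: str, seed: bytes):
        self.token_id, self.seed, self.counter = token_id, seed, 0

    def next_passcode(self) -> str:
        self.counter += 1
        return hotp(self.seed, self.counter, DIGITS)


class AuthServer:
    """One of the interconnected servers. Every server holds every token's seed so it can
    recompute passcodes, but only the token's *home* server owns its high water mark
    (the highest counter value already accepted for that token)."""
    def __init__(self, name: str):
        self.name = name
        self.seeds = {}        # token_id -> seed
        self.home_of = {}      # token_id -> home AuthServer
        self.high_water = {}   # token_id -> hwm; populated only on the home server

    def provision(self, token_id: str, seed: bytes, home: "AuthServer") -> None:
        self.seeds[token_id] = seed
        self.home_of[token_id] = home
        if home is self:
            self.high_water[token_id] = 0

    # --- home-server side: authoritative high water mark ----------------------
    def current_hwm(self, token_id: str) -> int:
        return self.high_water[token_id]

    def validate_hwm(self, token_id: str, candidate: int) -> bool:
        """Invoked on behalf of a remote adjudicator: accept only a counter strictly above
        the current mark, then advance the mark so the same passcode can never pass again."""
        if candidate > self.high_water[token_id]:
            self.high_water[token_id] = candidate
            return True
        return False

    # --- adjudicator side: runs on whichever server received the passcode ------
    def adjudicate(self, token_id: str, passcode: str) -> bool:
        """Work out which counter produced the passcode, then let the home server decide
        whether that counter lies beyond the high water mark (i.e. the passcode is unused)."""
        seed, home = self.seeds[token_id], self.home_of[token_id]
        start = home.current_hwm(token_id)
        for counter in range(start + 1, start + 1 + WINDOW):
            if hmac.compare_digest(hotp(seed, counter, DIGITS), passcode):
                return home.validate_hwm(token_id, counter)
        # Nothing above the mark matches: the passcode is stale, replayed, or bogus.
        return False


def demo() -> tuple:
    """Replay scenario across two servers; returns the four adjudication results."""
    seed = b"constructed-demo-seed-not-a-real-secret"
    server_a, server_b = AuthServer("A"), AuthServer("B")
    for s in (server_a, server_b):
        s.provision("tok-1", seed, home=server_a)   # server A is the token's home
    token = Token("tok-1", seed)

    p1 = token.next_passcode()
    first = server_a.adjudicate("tok-1", p1)       # fresh passcode at the home server
    replay = server_b.adjudicate("tok-1", p1)      # same passcode replayed at another server
    p2 = token.next_passcode()
    second = server_b.adjudicate("tok-1", p2)      # fresh passcode at a non-home server
    replay2 = server_a.adjudicate("tok-1", p2)     # replayed back at the home server
    return first, replay, second, replay2


if __name__ == "__main__":
    print(demo())  # expected: (True, False, True, False)
```

The point of routing every decision through the home server is that the high water mark is updated in exactly one place; a passcode accepted on server A is rejected on server B because B consults A's mark rather than a local copy that could lag behind.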
Abstract:
A method includes engaging in authentication operations each involving apparent use of a legitimate authenticator. Values of one or more authenticator variables are received and stored, where the authenticator variable(s) normally change in a known authenticator-specific way during the authentication operations, such as being calculated from a monotonically increasing dynamic variable. A risk analysis function is applied to the stored values to generate a risk indicator signal indicating a level of risk that a clone authenticator is in use. The risk analysis function includes detection of an abnormal change of the authenticator variable(s), such as use of non-monotonic dynamic variable values. The risk indicator signal is output to an access controller that operates, based on the level of risk indicated by the risk indicator signal, to selectively inhibit an otherwise successful authentication operation involving apparent use of the legitimate authenticator.
Abstract:
A technique of message-passing using shared memory of an RF tag involves storing a message in the shared memory while a security processor of the RF tag is in a sleep mode, the security processor being constructed and arranged to access the shared memory when the security processor is in a wakened mode. The technique further involves transitioning the security processor from the sleep mode to the wakened mode, and processing the message from the shared memory using the security processor after the security processor has transitioned from the sleep mode to the wakened mode. If the security processor is awakened only as needed (rather than remaining in the wakened mode), the lifetime of the battery which powers the security processor can be maximized.
Abstract:
A method and system for use in distributing token records is disclosed. At least one token record comprises a unique seed associated with a one-time password (OTP) token. An encryption key and a corresponding decryption key are generated for assisting selective encryption and decryption of a token record associated with an OTP token. The encryption key and the decryption key are unique to an end user of the token record. The token record is encrypted with the assistance of the encryption key. One of the decryption key and the encrypted token record is provided to the end user of the token record. The other of the decryption key and the encrypted token record is provided to the end user in response to secure receipt of the first of the two by the end user. The encrypted token record can be decrypted with the assistance of the decryption key.
Abstract:
A method and system for distributing token records in a market environment is disclosed. At least one token record comprises a unique seed associated with an OTP token. An encryption key and a decryption key are generated for assisting selective encryption and decryption of the token record associated with the OTP token. The token record is encrypted with the assistance of the encryption key. One of the encrypted token record and the decryption key is provided into the market environment. A device comprising an identifier for facilitating identification of the token record associated with the OTP token is provided into the market environment together with that one of the encrypted token record and the decryption key. The identifier is concealed by tamper-evident removable material such that any effort to reveal the identifier will be readily apparent. The other of the encrypted token record and the decryption key is provided to an entity in response to the entity providing the identifier.
Abstract:
A method of generating authentication seeds for a plurality of users, the method involving: based on a single master seed, generating a plurality of derivative seeds, each one for a corresponding different one of a plurality of users; and distributing the plurality of derivative seeds to a verifier for use in individually authenticating each of the plurality of users to that verifier, wherein generating each one of the plurality of derivative seeds involves mathematically combining the master seed and a unique identifier identifying the corresponding user.
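The master-seed to derivative-seed scheme above, as an added example (not the patent's or its assignee's code). The abstract says only that each derivative seed results from "mathematically combining" the master seed and a user identifier; HMAC-SHA256 keyed with the master seed is assumed here as that combining function, and the event-counter passcode, user names and seed values are constructed for the demo.

```python
import hashlib
import hmac

# Example code; the combining function (HMAC-SHA256 keyed with the master seed) and the
# passcode format are assumptions, not details from the abstract.


def derive_seed(master_seed: bytes, user_id: str) -> bytes:
    """One derivative seed per user: HMAC(master, user_id). Without the master seed,
    one user's derivative seed gives no information about any other user's seed."""
    return hmac.new(master_seed, user_id.encode("utf-8"), hashlib.sha256).digest()


def derive_all(master_seed: bytes, user_ids) -> dict:
    """What the issuer distributes to a verifier: derivative seeds only, never the master."""
    return {uid: derive_seed(master_seed, uid) for uid in user_ids}


def passcode(seed: bytes, counter: int) -> str:
    """Constructed event-based passcode: 8 hex digits of HMAC-SHA256 over the counter."""
    return hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:8]


class Verifier:
    """Holds derivative seeds for its own user population and authenticates each user
    individually; it has no way to recover the master seed from what it stores."""
    def __init__(self, derivative_seeds: dict):
        self.seeds = dict(derivative_seeds)
        self.last_counter = {uid: 0 for uid in derivative_seeds}

    def authenticate(self, user_id: str, counter: int, code: str) -> bool:
        seed = self.seeds.get(user_id)
        if seed is None or counter <= self.last_counter[user_id]:
            return False                      # unknown user or reused counter
        if not hmac.compare_digest(passcode(seed, counter), code):
            return False
        self.last_counter[user_id] = counter  # accept and remember the counter
        return True


def demo() -> tuple:
    """Alice authenticates with her own derivative seed; that seed cannot vouch for Bob."""
    master = b"constructed-master-seed-not-a-real-secret"
    verifier = Verifier(derive_all(master, ["alice", "bob"]))
    alice_token_seed = derive_seed(master, "alice")   # what Alice's token was personalised with
    ok = verifier.authenticate("alice", 1, passcode(alice_token_seed, 1))
    replay = verifier.authenticate("alice", 1, passcode(alice_token_seed, 1))
    cross = verifier.authenticate("bob", 1, passcode(alice_token_seed, 1))
    return ok, replay, cross


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

Because the verifier receives only derivative seeds, a compromise of one verifier exposes at most the seeds of the users provisioned to it; the master seed stays with the issuer and can re-derive any user's seed on demand.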
Abstract:
A method of communicating within a system that includes a device, a controller for the device, a token, and a driver which implements a predefined interface for enabling communication with and/or control of the device through the controller, the method involving: via the predefined interface, receiving instructions and/or data at the controller from the driver for controlling the device; via the predefined interface, receiving at the controller a preselected control parameter indicating that communication with the token is desired; and in response to receiving the preselected control parameter, directing communications to the token.
Abstract:
Techniques for secure generation of a seed for use in performing one or more cryptographic operations, utilizing a seed generation protocol carried out by a seed generation client (110c) and a seed generation server (110s). The seed generation server (110s) provides a first string to the seed generation client (110c). The seed generation client (110c) generates a second string, encrypts the second string utilizing a key (216), and sends the encrypted second string to the seed generation server (110s). The seed generation client (110c) generates the seed as a function of at least the first string and the second string. The seed generation server (110s) decrypts the encrypted second string (222) and independently generates the seed as a function of at least the first string and the second string.
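The two-message exchange above with both sides' computations, as an added example (not the patent's or its assignee's protocol code). The abstract names neither the cipher used with key (216) nor the function of the first and second strings that yields the seed; a SHA-256 counter-mode keystream stands in for the cipher (a placeholder for a real authenticated cipher) and HMAC-SHA256 stands in for the seed function. The shared key and string lengths are constructed.

```python
import hashlib
import hmac
import os

# Example exchange; the cipher, the seed function and the 32-byte string sizes are
# assumptions for the demo, not details taken from the abstract.


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (stand-in for a real AEAD): XOR data with SHA-256(key||nonce||i)
    blocks. Encryption and decryption are the same operation."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seed_from(first: bytes, second: bytes) -> bytes:
    """The function of the first and second strings that both parties compute independently."""
    return hmac.new(first, second, hashlib.sha256).digest()


class SeedServer:
    """Seed generation server: contributes the first string, recovers the second."""
    def __init__(self, shared_key: bytes):
        self.key = shared_key
        self.first = None

    def start(self) -> bytes:
        self.first = os.urandom(32)          # first string, sent to the client in the clear
        return self.first

    def finish(self, nonce: bytes, encrypted_second: bytes) -> bytes:
        second = keystream_xor(self.key, nonce, encrypted_second)   # decrypt with the key
        return seed_from(self.first, second)


class SeedClient:
    """Seed generation client: contributes the second string, sent only in encrypted form."""
    def __init__(self, shared_key: bytes):
        self.key = shared_key
        self.first = None
        self.second = None

    def respond(self, first: bytes) -> tuple:
        self.first = first
        self.second = os.urandom(32)          # second string never leaves the client unencrypted
        nonce = os.urandom(16)
        return nonce, keystream_xor(self.key, nonce, self.second)

    def seed(self) -> bytes:
        return seed_from(self.first, self.second)


def run_protocol(shared_key: bytes) -> tuple:
    """Drive one exchange; returns (client_seed, server_seed), which must be equal."""
    server, client = SeedServer(shared_key), SeedClient(shared_key)
    first = server.start()                    # message 1: server -> client
    nonce, encrypted = client.respond(first)  # message 2: client -> server
    return client.seed(), server.finish(nonce, encrypted)


def run_with_tampering(shared_key: bytes) -> tuple:
    """Same exchange, but the encrypted second string is altered in transit."""
    server, client = SeedServer(shared_key), SeedClient(shared_key)
    first = server.start()
    nonce, encrypted = client.respond(first)
    corrupted = bytes([encrypted[0] ^ 0x01]) + encrypted[1:]
    return client.seed(), server.finish(nonce, corrupted)
```

An observer of the two messages sees the first string and a ciphertext; without key (216) it cannot recover the second string and therefore cannot compute the seed. The tampering run shows why a real deployment needs an authenticated cipher: the toy XOR cipher silently yields a different second string and the two sides end up with different seeds instead of an error.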
Abstract:
In a system for disconnected authentication, verification records corresponding to given authentication token outputs over a predetermined period of time, sequence of events, and/or set of challenges are downloaded to a verifier. The records include encrypted or hashed information for the given authentication token outputs. In one embodiment using time intervals, for each time interval, token output data, a salt value, and a pepper value are hashed and compared with the verification record for the time interval. After a successful comparison, a user can access the computer. A PIN value can also be provided as an input to the hash function. A portion of the hash function output can be used as a key to decrypt an encrypted (Windows) password, or other sensitive information.
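The time-interval embodiment above, as an added example (not the patent's or its assignee's code). Assumed details: the token output for an interval is 8 hex digits of HMAC-SHA256 over the interval index; the record stores a per-record random salt and the first 16 bytes of SHA-256(token_output || salt || pepper || PIN), while the remaining 16 bytes serve as the key that unlocks the stored secret; the pepper is held on the verifier separately from the record file; the seed, PIN, pepper and the protected password are constructed.

```python
import hashlib
import hmac
import os

# Example code; the token output format, the hash split and the XOR wrapping of the
# secret are assumptions for the demo, not details from the abstract.
INTERVAL_SECONDS = 60


def token_output(seed: bytes, interval: int) -> str:
    """Constructed time-based token output for one interval."""
    return hmac.new(seed, interval.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:8]


def split_hash(output: str, salt: bytes, pepper: bytes, pin: str) -> tuple:
    """Hash token output, salt, pepper and PIN; return (verification value, key material)."""
    h = hashlib.sha256(output.encode("ascii") + salt + pepper + pin.encode("utf-8")).digest()
    return h[:16], h[16:]


def build_records(seed: bytes, pin: str, pepper: bytes, start: int, count: int, secret: bytes) -> dict:
    """Issued by the online service before the user disconnects: one record per interval.
    The secret (at most 16 bytes here) is XOR-wrapped under that interval's key material."""
    records = {}
    for interval in range(start, start + count):
        salt = os.urandom(8)
        check, key = split_hash(token_output(seed, interval), salt, pepper, pin)
        wrapped = bytes(a ^ b for a, b in zip(secret, key))
        records[interval] = (salt, check, wrapped)
    return records


class OfflineVerifier:
    """Runs on the disconnected machine with only the record file and the pepper."""
    def __init__(self, records: dict, pepper: bytes):
        self.records, self.pepper = records, pepper

    def verify(self, now_seconds: int, presented_output: str, pin: str):
        """Return the unwrapped secret on success, or None on any failure."""
        interval = now_seconds // INTERVAL_SECONDS
        rec = self.records.get(interval)
        if rec is None:
            return None                       # no record for this interval: cannot verify offline
        salt, check, wrapped = rec
        got_check, key = split_hash(presented_output, salt, self.pepper, pin)
        if not hmac.compare_digest(got_check, check):
            return None                       # wrong token output or wrong PIN
        return bytes(a ^ b for a, b in zip(wrapped, key))


def demo() -> tuple:
    """Good login, wrong PIN, and an interval with no record."""
    seed, pin, pepper = b"constructed-token-seed", "1234", b"constructed-pepper"
    secret = b"W1ndowsP@ss"                   # the protected password, constructed
    records = build_records(seed, pin, pepper, start=1000, count=10, secret=secret)
    verifier = OfflineVerifier(records, pepper)
    good = verifier.verify(1000 * INTERVAL_SECONDS + 5, token_output(seed, 1000), pin)
    bad_pin = verifier.verify(1001 * INTERVAL_SECONDS + 5, token_output(seed, 1001), "0000")
    no_record = verifier.verify(1020 * INTERVAL_SECONDS, token_output(seed, 1020), pin)
    return good, bad_pin, no_record


if __name__ == "__main__":
    print(demo())  # expected: (b'W1ndowsP@ss', None, None)
```

Splitting the hash output means the record file alone never contains the key material: an attacker who copies the file still has to produce the correct token output, PIN and pepper for some interval before the wrapped password can be recovered, and the salt prevents a single precomputed table from serving every record.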