SLIM ELECTRONIC APPARATUS WITH EMBOSSED KEY PROTECTION AND PROCESS FOR PROVIDING SAME
    41.
    Invention application
    Status: Under examination (published)

    Publication number: WO2010080573A1

    Publication date: 2010-07-15

    Application number: PCT/US2009/068646

    Filing date: 2009-12-18

    Abstract: The present invention relates to the field of pocket-size electronic devices, including credit card sized devices such as authentication tokens. It consists of an improvement of the well-known "raised ridge" to protect individual buttons from false key presses, obtained by applying embossing. A known problem with applying embossing to cards containing electronic components, is the fact that the embossing process may damage the components or the wiring inside the card. In the process according to the invention, an embossed ridge of a judiciously designed shape is used to avoid such damage.

    METHOD AND SYSTEM FOR PROVIDING A FEDERATED AUTHENTICATION SERVICE WITH GRADUAL EXPIRATION OF CREDENTIALS
    42.
    Invention application
    Status: Under examination (published)

    Publication number: WO2010056655A1

    Publication date: 2010-05-20

    Application number: PCT/US2009/063845

    Filing date: 2009-11-10

    Inventor: NOE, Frederick

    CPC classification number: H04L63/105 G06F21/41 H04L9/3213 H04L63/0815

    Abstract: The present invention relates to the field of authentication of users of services over a computer network, more specifically within the paradigms of federated authentication or single sign-on. A known technique consists of associating different trust levels to different authentication mechanisms, wherein the respective trust levels give access to different information resources, notably to provide the possibility to protect more sensitive resources with a stronger form of authentication. The present invention provides a mechanism to allow the trust level to decrease without re-authenticating with the single sign on system, down to the level at which it is no longer sufficient to obtain access to a desired resource. Only then, the user needs to reauthenticate.

    REMOTE AUTHENTICATION AND TRANSACTION SIGNATURES
    43.
    Invention application
    Status: Under examination (published)

    Publication number: WO2009025905A2

    Publication date: 2009-02-26

    Application number: PCT/US2008/065216

    Filing date: 2008-05-30

    Abstract: The invention provides a method, apparatus, computer readable medium and signal which allows the usage of devices containing PKI private keys such as PKI-enabled smart cards or USB sticks to authenticate users and to sign transactions. The authenticity of the user and/or the message is verified. Furthermore the operation (authentication and/or signing) occurs without the need for an application to have some kind of a direct or indirect digital connection with the device containing the private key. In other words a digital connection that would allow an application to submit data to the card for signing by the card's private key and that would allow retrieving the entire resulting signature from the card is not required. In addition the operation occurs without the need for the PKI-enabled device containing the private key (e.g. a PKI smart card or USB stick) to either support symmetric cryptographic operations or to have been personalized with some secret or confidential data element that can be read by a suitable reader.

    USE AND GENERATION OF A SESSION KEY IN A SECURE SOCKET LAYER CONNECTION
    44.
    Invention application
    Status: Under examination (published)

    Publication number: WO2002091662A1

    Publication date: 2002-11-14

    Application number: PCT/US2002/013521

    Filing date: 2002-04-30

    Inventor: COULIER, Frank

    CPC classification number: H04L63/0435 H04L63/0869 H04L63/166

    Abstract: The invention describes a method (200) and system for verifying the link between a public key and a server's identity as claimed in the server's certificate without relying on the trustworthiness of the root certificate of the server's certificate chain. The system establishes a secure socket layer type connection (201) between a client and a server, wherein the server transmits information including the server's public key to the client while establishing the connection. Next, a first information is sent from the client to the server (202). The client and the server create an identical authentication key using a shared secret known to the server and the client (203 and 204). Next, the server transmits a first encrypted message to the client (206), wherein the first encrypted message includes the server's public key encrypted with the authentication key. Then, the client decrypts the first encrypted message and verifies the correctness (207) of that message including comparing the public key included in the decrypted first encrypted message to the public key transmitted during the set-up of the secure socket layer type connection to authenticate the client and to establish the trustworthiness of the server's public key and thereby the entire SSL connection. The client then transmits a second encrypted message to the server (209), wherein the second encrypted message is the first information encrypted with the authentication key. Finally, the server then decrypts the second encrypted message and verifies the correctness of the decrypted second encrypted message to authenticate the client (210).

    A METHOD AND AN APPARATUS FOR SECURELY SIGNING APPLICATION DATA

    Publication number: WO2014106181A3

    Publication date: 2014-07-03

    Application number: PCT/US2013/078314

    Filing date: 2013-12-30

    Inventor: BRAAMS, Harm

    Abstract: The invention provides a method and apparatus for the secure electronic signing of electronic documents and data. In a preferred embodiment, a method for generating a first digital signature associated with a set of application data is disclosed. The method comprises the steps of: obtaining a first digital representation in a high level first data format of the set of application data; generating a second digital representation in a low level second data format of the application data whereby said low level second data format is different from said high level first data format; presenting an analog representation of the set of application data to a user, whereby said second digital representation is a precise and accurate representation of said analog representation; obtaining an indication whether said user approves said analog representation for signing; if said indication indicates that the user approves said analog representation for signing, generating said first digital signature over said second digital representation using a first signature key associated with the user.

    A METHOD AND AN APPARATUS FOR SECURELY SIGNING APPLICATION DATA
    49.
    Invention application
    Status: Under examination (published)

    Publication number: WO2014106181A2

    Publication date: 2014-07-03

    Application number: PCT/US2013078314

    Filing date: 2013-12-30

    Inventor: BRAAMS HARM

    CPC classification number: H04L9/3247 G06F21/34 G06F21/64 G06F2221/2153

    Abstract: The invention provides a method and apparatus for the secure electronic signing of electronic documents and data. In a preferred embodiment, a method for generating a first digital signature associated with a set of application data is disclosed. The method comprises the steps of: obtaining a first digital representation in a high level first data format of the set of application data; generating a second digital representation in a low level second data format of the application data whereby said low level second data format is different from said high level first data format; presenting an analog representation of the set of application data to a user, whereby said second digital representation is a precise and accurate representation of said analog representation; obtaining an indication whether said user approves said analog representation for signing; if said indication indicates that the user approves said analog representation for signing, generating said first digital signature over said second digital representation using a first signature key associated with the user.

    STRONG AUTHENTICATION TOKEN USABLE WITH A PLURALITY OF INDEPENDENT APPLICATION PROVIDERS
    50.
    Invention application
    Status: Under examination (published)

    Publication number: WO2011050332A1

    Publication date: 2011-04-28

    Application number: PCT/US2010/053862

    Filing date: 2010-10-22

    Abstract: The present invention defines a strong authentication token for generating different dynamic credentials for different application providers comprising an input interface providing an output representing an application provider indicator; a secret key storage for storing one or more secret keys; a variability source for providing a dynamic variable value; a key providing agent for providing an application provider specific key as a function of said application provider indicator using one or more keys stored in said secret key storage; a cryptographic agent for cryptographically combining said application provider specific key with said dynamic variable value using symmetric cryptography; a transformation agent coupled to said cryptographic agent for transforming an output of said cryptographic agent to produce a dynamic credential; and an output interface to output said dynamic credential.
