US20010034837A1 - Method and apparatus for secure distribution of authentication credentials to roaming users - Google Patents
Method and apparatus for secure distribution of authentication credentials to roaming users Download PDFInfo
- Publication number
- US20010034837A1 US20010034837A1 US09/843,583 US84358301A US2001034837A1 US 20010034837 A1 US20010034837 A1 US 20010034837A1 US 84358301 A US84358301 A US 84358301A US 2001034837 A1 US2001034837 A1 US 2001034837A1
- Authority
- US
- United States
- Prior art keywords
- authentication credential
- requestor
- credential
- server
- challenge
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/02—Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/36—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes
- G06Q20/367—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/36—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes
- G06Q20/367—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes
- G06Q20/3672—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes initialising or reloading thereof
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/30—Payment architectures, schemes or protocols characterised by the use of specific devices or networks
- G06Q20/36—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes
- G06Q20/367—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes
- G06Q20/3674—Payment architectures, schemes or protocols characterised by the use of specific devices or networks using electronic wallets or electronic money safes involving electronic purses or money safes involving authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3829—Payment protocols; Details thereof insuring higher security of transaction involving key management
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
- G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
- G07F7/10—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
- G07F7/1008—Active credit-cards provided with means to personalise their use, e.g. with PIN-introduction/comparison system
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07F—COIN-FREED OR LIKE APPARATUS
- G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus
- G07F7/08—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means
- G07F7/10—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus by coded identity card or credit card or other personal identification means together with a coded signal, e.g. in the form of personal identification information, like personal identification number [PIN] or biometric data
- G07F7/1025—Identification of user by a PIN code
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
- H04L9/0844—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3218—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, ornon-interactive zero-knowledge proofs
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3231—Biological data, e.g. fingerprint, voice or retina
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2127—Bluffing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/56—Financial cryptography, e.g. electronic payment or e-cash
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
Definitions
- each user has two keys, a private key and a public key.
- the user performs a cryptographic operation (e.g., an encryption or a digital signature) on a digital quantity using his private key, such that the quantity may be authenticated by a verifier having access only to the user's public key.
- the private key therefore serves as the user's authentication credential. That is, the verifier need not know the user's private key in order to authenticate the user.
- the public key may be widely disseminated while the private key remains confidential, strong authentication is provided with enhanced security.
- Private keys are generally too long and complex for the user to memorize, and are therefore usually stored in software or hardware tokens, and interfaced with computers prior to use.
- One such software token is the so-called software wallet, in which the private key is encrypted with a password or other access-controlled datum.
- software wallets In such software wallets, an intruder is not deterred from repeatedly trying passwords, in an exhaustive manner, until he recovers the private key. This poses analogous security risks to the simple password schemes described above.
- the software wallet is stored on a user's computer, which may be inconvenient if the user needs to freely roam from one location to another.
- hardware tokens such as smart cards are more secure, and can be conveniently carried as the user roams.
- the private key is stored in hardware, and protected by a watchdog chip that allows the user to access the private key, should he enter the correct password that unlocks the smart card.
- the smart card can even be configured so that, if a hacker attempts to guess passwords, the card locks up after a small number of successive missed attempts.
- the disadvantages of hardware token are: (1) roaming is restricted to locations where the appropriate token reader hardware is installed; (2) hardware tokens are expensive in contrast to software tokens; (3) hardware tokens must be physically carried wherever the user wishes to roam; and (4) hardware tokens are often lost, misplaced, or stolen.
- the present invention discloses a method and apparatus for the on-demand delivery of authentication credentials to roaming users. Credentials are stored, delivered and transmitted in software, obviating the need for additional hardware.
- a user can demand his credential at will, upon providing proof of identity in the form of shared secret(s) that he has previously escrowed with the credential server.
- the shared secret may be chosen by the user, and could be easily remembered secrets such as: mother's maiden name, third grade teacher, etc.
- the user will respond to challenges from the server via a challenge- response protocol, with the server demanding correct answers to such questions prior to releasing the user's credentials.
- a user's authentication credential can be stored on the server protected by a simple shared secret scheme such as a password, a biometric authentication scheme based on a fingerprint or retinal image, or a one-to-one hashed shared secret.
- the user interacts with the server via a cryptographically camouflaged challenge-response protocol.
- the server via a cryptographically camouflaged challenge-response protocol.
- the user will receive his authentication credentials.
- the user responds incorrectly such as might be the case with a hacker trying to break the system, the user will receive plausible and well-formed but invalid credentials.
- the authentication credential itself could be encrypted or camouflaged with an additional secret that is known only to the user.
- An authentication credential is said to be in cryptographically camouflaged form when it is embedded among many pieces of similar (pseudo-valid) data. These data are sufficiently different that the user can locate the correct piece without any difficulty, using a shared secret that he can remember. However, the pieces of data are also sufficiently alike that an intruder will find all of them equally plausible.
- Such a cryptographically camouflaged authentication credential can be provided to the user in either camouflaged or decamouflaged form that is, the decamouflaging can be performed at either the credential server or at the user's computer.
- FIG. 1 illustrates an exemplary embodiment of the invention in which a user accesses a web server to conduct an electronic transaction with a transaction server protected by an access control server.
- FIG. 2 illustrates an exemplary embodiment of a wallet in which a private key is protected by a PIN.
- FIG. 3 illustrates an exemplary embodiment in which the wallet of FIG. 2 is protected by a form of cryptographic camouflaging.
- Web Server 110 is, in turn, safeguarded by Access Control Server 120 , which prevents unauthorized access to Transaction Server 130 .
- Access Control Server 120 might be a company's home page
- Access Control Server 120 might be a firewall
- Transaction Server 130 might contain proprietary company data that the user wishes to access.
- Access Control Server 120 might be a membership or credit/payment verification system
- Transaction Server 130 might be a back-end shipping/delivery system.
- servers 110 , 120 and 130 may be combined into a single server, that there may be more additional servers performing other specialized functions, that any of these servers may be co-located or widely distributed, and so forth.
- the electronic transaction may be of virtually any type including, but not limited to, secure electronic mail, accessing privileged or confidential information, and purchasing electronic or physical goods or services.
- the user Before accessing the Transaction Server 130 to perform the electronic transaction, the user first needs to authenticate himself to Access Control Server 120 .
- the user typically authenticates himself by using his private key to perform a cryptographic operation on a challenge sent by the Access Control Server 120 .
- This cryptographic operation might be a simple encryption, a hash followed by encryption (commonly referred to as a digital signature), or still other protocols that are well known to those skilled in the art.
- the authentication credential might be a simple password. Private key, password and other authentication credentials are well known to those skilled in the art, and need not be described in detail here. For examples thereof, the reader is referred to well-known, standard texts as Applied Cryptography (Bruce Schneier, Second Edition, 1996, pp. 101-112 & 548-549) for details.
- the present invention provides a method and apparatus for providing the authentication credential, on demand, to a user who wishes to be able to access servers 110 , 120 and/or 130 from a variety of Browsers 140 (the so-called “roaming user”).
- Credential Server 160 that downloads the authentication credential (e.g., private key) to the user at Browser 140 via a software Wallet 150 .
- Wallet 150 need only serve as a basic container for the authentication credential. As such, it could be considered to be simply the data structure in which the authentication credential is embodied, or it could be a more sophisticated container having the capability to handle other user-owned items such as a digital certificate or digital currency (including, without limitation, electronic cash or scrip).
- Credential Server 160 is embodied as a web server.
- the user points his Browser 140 to the Credential Server, which sends the user a challenge in the form of a shared secret that has previously been associated with the user during a set-up phase.
- This shared secret might be of the following exemplary forms: Question: Mother's maiden name? Answer: Jones Question: Dog's name? Answer: Lucky Question: Favorite sport? Answer: Football Question: PIN? Answer: PIN
- the actual number of questions can vary from credential server to credential server, as dictated by their respective security policies. If the user provides the correct answer(s), the Credential Server 160 obtains the user's wallet from a Wallet Database 170 (which may or may not be part of Credential Server 160 ) and provides the wallet to the user at Browser 140 . In an alternative embodiment, the wallet, or a part thereof, could be provided directly to any of servers 110 , 120 & 130 .
- the wallet could be installed either: 1) in the memory space of the software program, and/or subsequently 2) onto the hard drive or other physical memory of the computer. If only the former, the authentication credential would be destroyed when the session is ended. If the latter, the authentication credential could be available for use across multiple sessions on that particular computer. In either event, as the user roams to another computer, the process can be repeated to provide on-demand access to the needed authentication credential without the requirement of a physical token (even though the invention could also be used in conjunction with a physical token, as desired).
- the wallet might itself be protected by a shared secret.
- FIG. 2 shows an exemplary embodiment of a wallet in which a private key is protected by a PIN.
- the PIN (more generally, a shared secret) might be the shared secret transmitted by the user to the Credential Server 160 , as discussed previously, and the private key (more generally, the authentication credential) in the wallet might be decrypted by Credential Server 160 and provided in the clear to the user at Browser 140 .
- the entire wallet (including the authentication credential in encrypted form) might be provided to the user, for the user to decrypt locally at Browser 140 .
- the process of decrypting the PIN-protected authentication credential as follows.
- the user enters a PIN 200 (more generally, an access code) to unlock the wallet, and the PIN is passed through a one-to-one hash function 210 .
- the hash function may also include a salt value or other security-enhancing feature, as will be appreciated by persons skilled in the art.
- the hashed value 215 of the entered PIN is compared with a stored hash value 220 , which is the hashed value of the correct PIN. If the two hash values agree, the PIN is passed to decryption module 240 .
- decryption module 240 which is typically DES or some other cryptographic function such as, for example, triple-DES, IDEA or BLOWFISH. Hence, the decrypted private key 250 is released for use.
- the cryptographic operations of computing the hash(es) and decrypting the stored hash may be implemented using one or more cryptographic logic (e.g., software or hardware) modules, and the correct hash value and private key may be stored in protected data fields or other forms of memory (e.g., read from ROM, from computer-readable media, etc.).
- a typical key wallet would also include input and output logic for receiving candidate PINs and outputting decrypted private keys, as well as logic for management, viewing, copying, and handling of keys and other data.
- the one-to-one nature of the hash function ensures that the correct PIN and only the correct PIN will unlock the key wallet. Unfortunately, it also allows a malicious hacker to guess the complete PIN via a brute force search. For example, he might write a program that simply checks all six-digit PIN codes on the key wallet. If he gets a copy of the key wallet, he can carry out this attack on his computer, completely undetected and in an automated fashion, in a matter of a few minutes.
- Another embodiment of the invention uses a technique called cryptographic camouflaging to provide even greater security in connection with the authentication credential.
- Cryptographic camouflaging is described is summary form below with respect to FIG. 3; for full details, the reader may refer to co-pending U.S. patent application Ser. No. 08/996,758, which is incorporated herein by reference.
- the authentication credential (e.g., private key) is protected via an access code as in FIG. 2.
- the one-to-one hash is replaced with a many-to-one hash, i.e., a hash in which many inputs produce (i.e., regenerate) the same hashed output.
- the many-to-one hash function 310 might hash six-digit codes to two-digit hash values.
- the hashed value 315 of the entered PIN 300 is compared with the stored hash value 320 , which is the hashed value of the correct PIN. If the two hash values agree, the key wallet opens.
- the private key is again stored encrypted in field 330 of the key wallet, with the correct PIN as the encryption key.
- the stored encrypted key is decrypted and the correct private key 350 is released for use.
- the hash function is many-to-one, there will be many different entered PINs that will satisfy the hash challenge to open the key wallet. (PINs that hash to the same hash value as the correct PIN, including the correct PIN, are referred to herein as pseudo-valid PINs.) For example, if the hash function hashes six-digit codes to two-digit hash values, there will be 10,000 six-digit pseudo-valid PINs that will open the key wallet, out of a total of 1,000,000 possible six-digit codes.
- Pseudo-valid PINs will all be passed to the decryption module 340 to decrypt the stored encrypted key to produce a candidate private key. However, all but one of these candidate private keys will be incorrect decryptions of the stored (correct) private key. Only when the entered PIN is the correct PIN will the correct private key be recovered.
- the many-to-one hash function above should be chosen to be a good hash.
- MD5 and SHA are well-known good hash functions.
- Good hash functions are one means to substantially uniformly distribute the pseudo-valid PINs in the space of all possible PINs. For example, consider a hash function from six-digit codes to two-digit hash values. Of the 1,000,000 possible input values, 10,000 will be pseudo-valid PINs. If the hash function is a good hash, these values will be substantially uniformly distributed. In particular, one in a hundred PINs will be pseudo-valid, and these will be effectively randomly distributed. Specifically, the chances are ⁇ fraction (1/100) ⁇ that if the user makes a typographical error in entering the correct PIN, then the resulting PIN will be a pseudo-valid PIN.
- Another possible embodiment uses a weak hash, i.e., one which results in clustering of pseudo-valid PINs, whereby an intruder who guesses one pseudo-valid PIN will more easily find others.
- a legitimate user making a series of 1 -digit typographical errors would also get a sequence of pseudo-valid PINs and, if the system accepting the private key or messages encrypted thereby has an alarm-or-disable-upon-repeated-failure feature, this would inadvertently lock out the legitimate user.
- a weak hash is typically disfavored over the good hash. Nevertheless, there may be some applications where a weak hash provides certain characteristics such as computational efficiency and ease of implementation that are advantageous for specialized applications.
- the decryption processes 200-250 and 300-350 may be performed at either the user's computer or at the Credential Server 160 .
- the wallet is downloaded to the user in decrypted form, while in the latter, the wallet is decrypted at the Credential Server 160 before downloading to the user.
- the various challenge-response protocols described to this point can be used at either the Credential Server 160 or at Browser 140 , and that such use can occur in any combination or permutation.
- the Credential Server 160 could be accessed by a simple shared secret, and the wallet could be downloaded to the user in the clear.
- the wallet could be further protected by a one-to-one or many-to-one (i.e., cryptographically camouflaged) hashed shared secret and decrypted at the Credential Server in response to the user's responding to the appropriate challenge-response protocol.
- the decrypted (or, in the case of the many-to-one hash, the decamouflaged) wallet would then be downloaded to the user in the clear.
- the wallet could be downloaded to the user in camouflaged form, with the decamouflaging occurring at the user's computer.
- a one-to-one or many-to-one hash process could replace the simple shared secret for the initial server access.
- the one-to-one hash or many-to-one hash could be deployed at the initial server access stage, while any of the simple shared secret, one-to-one hash, many-to-one hash techniques could be employed at the subsequent wallet downloading stage.
Abstract
Description
- This application is a Continuation-in-Part of pending U.S. patent application Ser. No. 08/996,758.
- In networked computer deployments, users of client computers are required to authenticate themselves to server computers for applications such as electronic mail, accessing privileged or confidential information, purchasing goods or services, and many other electronic commerce transactions. When the information involved is of relatively low value, it may be sufficient for the user to authenticate himself with a simple password. However, when the information is of high value, or when the data network is unsecured, simple passwords are insufficient to control access effectively. For example, when computers are accessed across the Internet, passwords are easy to capture by filtering packets as they traverse the network. Alternatively, passwords can be guessed or “cracked” by intelligent trials, since passwords are often six or fewer characters. In brief, the convenience of passwords makes them easy to break—if they are sufficiently easy for the user to remember, they are sufficiently easy for the hacker to guess.
- To overcome the insecurity of the password, alternative technologies have been developed. One such technology is asymmetric key cryptography. In this technology, each user has two keys, a private key and a public key. The user performs a cryptographic operation (e.g., an encryption or a digital signature) on a digital quantity using his private key, such that the quantity may be authenticated by a verifier having access only to the user's public key. The private key therefore serves as the user's authentication credential. That is, the verifier need not know the user's private key in order to authenticate the user. Because the public key may be widely disseminated while the private key remains confidential, strong authentication is provided with enhanced security. Private keys are generally too long and complex for the user to memorize, and are therefore usually stored in software or hardware tokens, and interfaced with computers prior to use.
- One such software token is the so-called software wallet, in which the private key is encrypted with a password or other access-controlled datum. In such software wallets, an intruder is not deterred from repeatedly trying passwords, in an exhaustive manner, until he recovers the private key. This poses analogous security risks to the simple password schemes described above. In addition, the software wallet is stored on a user's computer, which may be inconvenient if the user needs to freely roam from one location to another.
- In contrast to software wallets, hardware tokens such as smart cards are more secure, and can be conveniently carried as the user roams. In a typical hardware smart card, the private key is stored in hardware, and protected by a watchdog chip that allows the user to access the private key, should he enter the correct password that unlocks the smart card. The smart card can even be configured so that, if a hacker attempts to guess passwords, the card locks up after a small number of successive missed attempts. The disadvantages of hardware token are: (1) roaming is restricted to locations where the appropriate token reader hardware is installed; (2) hardware tokens are expensive in contrast to software tokens; (3) hardware tokens must be physically carried wherever the user wishes to roam; and (4) hardware tokens are often lost, misplaced, or stolen.
- Thus, while hardware token systems offer increased security, they have several disadvantages compared to software based systems. It would, therefore, be desirable to have a system that combines the best features of both hardware and software based systems.
- The present invention discloses a method and apparatus for the on-demand delivery of authentication credentials to roaming users. Credentials are stored, delivered and transmitted in software, obviating the need for additional hardware. In a basic embodiment of the system, a user can demand his credential at will, upon providing proof of identity in the form of shared secret(s) that he has previously escrowed with the credential server. The shared secret may be chosen by the user, and could be easily remembered secrets such as: mother's maiden name, third grade teacher, etc. The user will respond to challenges from the server via a challenge- response protocol, with the server demanding correct answers to such questions prior to releasing the user's credentials. In another embodiment of the invention, a user's authentication credential can be stored on the server protected by a simple shared secret scheme such as a password, a biometric authentication scheme based on a fingerprint or retinal image, or a one-to-one hashed shared secret. In yet another embodiment of the invention, the user interacts with the server via a cryptographically camouflaged challenge-response protocol. In particular, if the user responds correctly to the server's challenges, the user will receive his authentication credentials. However, if the user responds incorrectly, such as might be the case with a hacker trying to break the system, the user will receive plausible and well-formed but invalid credentials. Furthermore, the authentication credential itself could be encrypted or camouflaged with an additional secret that is known only to the user. An authentication credential is said to be in cryptographically camouflaged form when it is embedded among many pieces of similar (pseudo-valid) data. These data are sufficiently different that the user can locate the correct piece without any difficulty, using a shared secret that he can remember. However, the pieces of data are also sufficiently alike that an intruder will find all of them equally plausible. Such a cryptographically camouflaged authentication credential can be provided to the user in either camouflaged or decamouflaged form that is, the decamouflaging can be performed at either the credential server or at the user's computer. The various embodiments of the invention described above provide one or more or the following advantages:
- No additional hardware is required for deployment. This is in contrast with hardware tokens such as smart cards where cards and card readers need to deployed in a widespread fashion.
- (1) High user convenience. Roaming users need not carry tokens with them, but can demand them as required.
- (2) Low administrative overhead. Users who have lost, misplaced or forgotten tokens do not require administrative intervention.
- (3) Rapid deployment rate. Soft credentials with roaming access can be deployed rapidly, since they are intuitive to use and require little user/administrator training.
- (4) Enhanced security over purely one-factor systems.
- FIG. 1 illustrates an exemplary embodiment of the invention in which a user accesses a web server to conduct an electronic transaction with a transaction server protected by an access control server.
- FIG. 2 illustrates an exemplary embodiment of a wallet in which a private key is protected by a PIN.
- FIG. 3 illustrates an exemplary embodiment in which the wallet of FIG. 2 is protected by a form of cryptographic camouflaging.
- We now describe various exemplary embodiments of the invention using the exemplary context of a user operating a web browser to access one or more remote server, whereby the user can freely roam about the Internet while still maintaining access to his authentication credential. Those skilled in the art will recognize that the invention is applicable to other client-server environments as well, including but not limited to databases, medical client stations, and financial trading stations. Furthermore, the network environment need not be the Internet, but could be an intranet or indeed any distributed computer network.
- Referring now to FIG. 1, a user at
Browser 140 wishes to access aWeb Server 110 to conduct an electronic transaction.Web Server 110 is, in turn, safeguarded by Access Control Server 120, which prevents unauthorized access toTransaction Server 130. For example,Web Server 110 might be a company's home page, Access Control Server 120 might be a firewall, and TransactionServer 130 might contain proprietary company data that the user wishes to access. In yet another example, AccessControl Server 120 might be a membership or credit/payment verification system, andTransaction Server 130 might be a back-end shipping/delivery system. Those skilled in the art will appreciate that any or all ofservers - Before accessing the
Transaction Server 130 to perform the electronic transaction, the user first needs to authenticate himself toAccess Control Server 120. As mentioned in the Background of the Invention, the user typically authenticates himself by using his private key to perform a cryptographic operation on a challenge sent by theAccess Control Server 120. This cryptographic operation might be a simple encryption, a hash followed by encryption (commonly referred to as a digital signature), or still other protocols that are well known to those skilled in the art. Of course, in lower security applications, the authentication credential might be a simple password. Private key, password and other authentication credentials are well known to those skilled in the art, and need not be described in detail here. For examples thereof, the reader is referred to well-known, standard texts as Applied Cryptography (Bruce Schneier, Second Edition, 1996, pp. 101-112 & 548-549) for details. - No matter what the authentication credential or protocol, if the
Access Control Server 120 authenticates the user, the user is subsequently allowed to access theTransaction Server 140. The present invention provides a method and apparatus for providing the authentication credential, on demand, to a user who wishes to be able to accessservers - This on-demand roaming capability is provided by a
Credential Server 160 that downloads the authentication credential (e.g., private key) to the user atBrowser 140 via asoftware Wallet 150. As used herein,Wallet 150 need only serve as a basic container for the authentication credential. As such, it could be considered to be simply the data structure in which the authentication credential is embodied, or it could be a more sophisticated container having the capability to handle other user-owned items such as a digital certificate or digital currency (including, without limitation, electronic cash or scrip). In a basic embodiment of the invention,Credential Server 160 is embodied as a web server. The user points hisBrowser 140 to the Credential Server, which sends the user a challenge in the form of a shared secret that has previously been associated with the user during a set-up phase. This shared secret might be of the following exemplary forms:Question: Mother's maiden name? Answer: Jones Question: Dog's name? Answer: Lucky Question: Favorite sport? Answer: Football Question: PIN? Answer: PIN - The actual number of questions can vary from credential server to credential server, as dictated by their respective security policies. If the user provides the correct answer(s), the
Credential Server 160 obtains the user's wallet from a Wallet Database 170 (which may or may not be part of Credential Server 160) and provides the wallet to the user atBrowser 140. In an alternative embodiment, the wallet, or a part thereof, could be provided directly to any ofservers - In either of the foregoing, the wallet could be installed either: 1) in the memory space of the software program, and/or subsequently 2) onto the hard drive or other physical memory of the computer. If only the former, the authentication credential would be destroyed when the session is ended. If the latter, the authentication credential could be available for use across multiple sessions on that particular computer. In either event, as the user roams to another computer, the process can be repeated to provide on-demand access to the needed authentication credential without the requirement of a physical token (even though the invention could also be used in conjunction with a physical token, as desired).
- The foregoing illustrates the use of so-called shared secrets, whereby the user and the server both share copies of information required to access the system. Of course, the invention is not limited to such simple protocols which, by their nature, are subject to abuse by a dishonest server. For example, zero knowledge proofs, whereby the user can prove to the server that he knows his mother's maiden name (or other secret information) without actually revealing the name to the server, can also be used. As a simple example, the user's private key itself could be used in this fashion, for a verifier need only know the corresponding public key to verify the private key. The principles and implementations of zero knowledge proofs are well known to those skilled in the art and need not be described here. The reader is referred to well-known, standard texts such asApplied Cryptography, supra, for details.
- In one embodiment of the invention, the wallet might itself be protected by a shared secret. For example, FIG. 2 shows an exemplary embodiment of a wallet in which a private key is protected by a PIN. The PIN (more generally, a shared secret) might be the shared secret transmitted by the user to the
Credential Server 160, as discussed previously, and the private key (more generally, the authentication credential) in the wallet might be decrypted byCredential Server 160 and provided in the clear to the user atBrowser 140. Alternatively, the entire wallet (including the authentication credential in encrypted form) might be provided to the user, for the user to decrypt locally atBrowser 140. With either approach, the process of decrypting the PIN-protected authentication credential as follows. The user enters a PIN 200 (more generally, an access code) to unlock the wallet, and the PIN is passed through a one-to-one hash function 210. The hash function may also include a salt value or other security-enhancing feature, as will be appreciated by persons skilled in the art. The hashed value 215 of the entered PIN is compared with a storedhash value 220, which is the hashed value of the correct PIN. If the two hash values agree, the PIN is passed todecryption module 240. The private key which has been encrypted (with the correct PIN as the encryption key) and stored infield 230, is decrypted bydecryption module 240, which is typically DES or some other cryptographic function such as, for example, triple-DES, IDEA or BLOWFISH. Hence, the decryptedprivate key 250 is released for use. - The cryptographic operations of computing the hash(es) and decrypting the stored hash may be implemented using one or more cryptographic logic (e.g., software or hardware) modules, and the correct hash value and private key may be stored in protected data fields or other forms of memory (e.g., read from ROM, from computer-readable media, etc.). A typical key wallet would also include input and output logic for receiving candidate PINs and outputting decrypted private keys, as well as logic for management, viewing, copying, and handling of keys and other data.
- The one-to-one nature of the hash function ensures that the correct PIN and only the correct PIN will unlock the key wallet. Unfortunately, it also allows a malicious hacker to guess the complete PIN via a brute force search. For example, he might write a program that simply checks all six-digit PIN codes on the key wallet. If he gets a copy of the key wallet, he can carry out this attack on his computer, completely undetected and in an automated fashion, in a matter of a few minutes.
- To resist the PIN hash attack, another embodiment of the invention uses a technique called cryptographic camouflaging to provide even greater security in connection with the authentication credential. Cryptographic camouflaging is described is summary form below with respect to FIG. 3; for full details, the reader may refer to co-pending U.S. patent application Ser. No. 08/996,758, which is incorporated herein by reference.
- Referring now to FIG. 3, the authentication credential (e.g., private key) is protected via an access code as in FIG. 2. However, the one-to-one hash is replaced with a many-to-one hash, i.e., a hash in which many inputs produce (i.e., regenerate) the same hashed output. In an exemplary implementation, the many-to-one
hash function 310 might hash six-digit codes to two-digit hash values. As in the conventional key wallet, the hashedvalue 315 of the enteredPIN 300 is compared with the storedhash value 320, which is the hashed value of the correct PIN. If the two hash values agree, the key wallet opens. The private key is again stored encrypted infield 330 of the key wallet, with the correct PIN as the encryption key. When the correct PIN is entered, the stored encrypted key is decrypted and the correctprivate key 350 is released for use. However, since the hash function is many-to-one, there will be many different entered PINs that will satisfy the hash challenge to open the key wallet. (PINs that hash to the same hash value as the correct PIN, including the correct PIN, are referred to herein as pseudo-valid PINs.) For example, if the hash function hashes six-digit codes to two-digit hash values, there will be 10,000 six-digit pseudo-valid PINs that will open the key wallet, out of a total of 1,000,000 possible six-digit codes. Pseudo-valid PINs will all be passed to thedecryption module 340 to decrypt the stored encrypted key to produce a candidate private key. However, all but one of these candidate private keys will be incorrect decryptions of the stored (correct) private key. Only when the entered PIN is the correct PIN will the correct private key be recovered. - Preferably, the many-to-one hash function above should be chosen to be a good hash. For example, and without limitation, MD5 and SHA are well-known good hash functions. Good hash functions are one means to substantially uniformly distribute the pseudo-valid PINs in the space of all possible PINs. For example, consider a hash function from six-digit codes to two-digit hash values. Of the 1,000,000 possible input values, 10,000 will be pseudo-valid PINs. If the hash function is a good hash, these values will be substantially uniformly distributed. In particular, one in a hundred PINs will be pseudo-valid, and these will be effectively randomly distributed. Specifically, the chances are {fraction (1/100)} that if the user makes a typographical error in entering the correct PIN, then the resulting PIN will be a pseudo-valid PIN.
- Another possible embodiment uses a weak hash, i.e., one which results in clustering of pseudo-valid PINs, whereby an intruder who guesses one pseudo-valid PIN will more easily find others. A legitimate user making a series of1-digit typographical errors would also get a sequence of pseudo-valid PINs and, if the system accepting the private key or messages encrypted thereby has an alarm-or-disable-upon-repeated-failure feature, this would inadvertently lock out the legitimate user. Thus a weak hash is typically disfavored over the good hash. Nevertheless, there may be some applications where a weak hash provides certain characteristics such as computational efficiency and ease of implementation that are advantageous for specialized applications.
- The foregoing paragraphs describes techniques for further protecting the wallet, either with a one-to-one or many-to-one hash. It will be appreciated by those skilled in the art that the decryption processes 200-250 and 300-350 (e.g., cryptographic decamouflaging) may be performed at either the user's computer or at the
Credential Server 160. In the former case, the wallet is downloaded to the user in decrypted form, while in the latter, the wallet is decrypted at theCredential Server 160 before downloading to the user. - More generally, it will also be appreciated that the various challenge-response protocols described to this point (e.g., the simple shared secret; the biometric method such as fingerprint recognition; the one-to-one hashed secret of FIG. 2; and the many-to-one hashed secret of FIG. 3) can be used at either the
Credential Server 160 or atBrowser 140, and that such use can occur in any combination or permutation. For example, with minimal security, theCredential Server 160 could be accessed by a simple shared secret, and the wallet could be downloaded to the user in the clear. Alternatively, the wallet could be further protected by a one-to-one or many-to-one (i.e., cryptographically camouflaged) hashed shared secret and decrypted at the Credential Server in response to the user's responding to the appropriate challenge-response protocol. The decrypted (or, in the case of the many-to-one hash, the decamouflaged) wallet would then be downloaded to the user in the clear. For greater security, the wallet could be downloaded to the user in camouflaged form, with the decamouflaging occurring at the user's computer. For still greater security, a one-to-one or many-to-one hash process could replace the simple shared secret for the initial server access. In general, then, the one-to-one hash or many-to-one hash could be deployed at the initial server access stage, while any of the simple shared secret, one-to-one hash, many-to-one hash techniques could be employed at the subsequent wallet downloading stage. Because of these and other variations that will be understood to those skilled in the art, it is therefore intended that the scope of the invention be not limited to the particular embodiments disclosed herein, but rather to the full breadth of the claims appended hereto.
Claims (52)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/843,583 US20010034837A1 (en) | 1997-12-23 | 2001-04-26 | Method and apparatus for secure distribution of authentication credentials to roaming users |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US08/996,758 US6170058B1 (en) | 1997-12-23 | 1997-12-23 | Method and apparatus for cryptographically camouflaged cryptographic key storage, certification and use |
US09/196,430 US6263446B1 (en) | 1997-12-23 | 1998-11-19 | Method and apparatus for secure distribution of authentication credentials to roaming users |
US09/843,583 US20010034837A1 (en) | 1997-12-23 | 2001-04-26 | Method and apparatus for secure distribution of authentication credentials to roaming users |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/196,430 Continuation US6263446B1 (en) | 1997-12-23 | 1998-11-19 | Method and apparatus for secure distribution of authentication credentials to roaming users |
Publications (1)
Publication Number | Publication Date |
---|---|
US20010034837A1 true US20010034837A1 (en) | 2001-10-25 |
Family
ID=26891908
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/196,430 Expired - Lifetime US6263446B1 (en) | 1997-12-23 | 1998-11-19 | Method and apparatus for secure distribution of authentication credentials to roaming users |
US09/843,583 Abandoned US20010034837A1 (en) | 1997-12-23 | 2001-04-26 | Method and apparatus for secure distribution of authentication credentials to roaming users |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/196,430 Expired - Lifetime US6263446B1 (en) | 1997-12-23 | 1998-11-19 | Method and apparatus for secure distribution of authentication credentials to roaming users |
Country Status (2)
Country | Link |
---|---|
US (2) | US6263446B1 (en) |
WO (1) | WO2000030285A1 (en) |
Cited By (48)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030043820A1 (en) * | 2001-09-06 | 2003-03-06 | Goringe Christopher M. | Using link state information to discover IP network topology |
US20030046427A1 (en) * | 2001-09-06 | 2003-03-06 | Goringe Christopher M. | Topology discovery by partitioning multiple discovery techniques |
US20030131096A1 (en) * | 2002-01-08 | 2003-07-10 | Goringe Christopher M. | Credential management and network querying |
US20030172090A1 (en) * | 2002-01-11 | 2003-09-11 | Petri Asunmaa | Virtual identity apparatus and method for using same |
US20030196094A1 (en) * | 2002-04-10 | 2003-10-16 | Hillis W. Daniel | Method and apparatus for authenticating the content of a distributed database |
US20030195834A1 (en) * | 2002-04-10 | 2003-10-16 | Hillis W. Daniel | Automated online purchasing system |
US20040123156A1 (en) * | 2002-10-16 | 2004-06-24 | Hammond Frank J. | System and method of non-centralized zero knowledge authentication for a computer network |
US20040128249A1 (en) * | 1994-11-28 | 2004-07-01 | Indivos Corporation, A Delaware Corporation | System and method for tokenless biometric electronic scrip |
WO2004112311A1 (en) * | 2003-06-17 | 2004-12-23 | Koninklijke Philips Electronics N.V. | Improved secure authenticated channel |
US20040260755A1 (en) * | 2003-06-19 | 2004-12-23 | Bardzil Timothy J. | Detection of load balanced links in internet protocol networks |
US20050086188A1 (en) * | 2001-04-11 | 2005-04-21 | Hillis Daniel W. | Knowledge web |
WO2005050911A1 (en) * | 2003-11-18 | 2005-06-02 | Giesecke & Devrient Gmbh | Authorisation of a transaction |
US20050131918A1 (en) * | 2003-12-12 | 2005-06-16 | W. Daniel Hillis | Personalized profile for evaluating content |
US20050131722A1 (en) * | 2003-12-12 | 2005-06-16 | Hillis W. D. | Delegated authority evaluation system |
US20050144133A1 (en) * | 1994-11-28 | 2005-06-30 | Ned Hoffman | System and method for processing tokenless biometric electronic transmissions using an electronic rule module clearinghouse |
US7111172B1 (en) * | 1999-07-19 | 2006-09-19 | Rsa Security Inc. | System and methods for maintaining and distributing personal security devices |
KR100690869B1 (en) | 2005-04-01 | 2007-03-09 | 엘지전자 주식회사 | Method for distribution of security key in location information system based on supl |
US20080060064A1 (en) * | 2006-09-06 | 2008-03-06 | Devicescape Software, Inc. | Systems and methods for obtaining network access |
US20080060066A1 (en) * | 2006-09-06 | 2008-03-06 | Devicescape Software, Inc. | Systems and methods for acquiring network credentials |
US20080060065A1 (en) * | 2006-09-06 | 2008-03-06 | Devicescape Software, Inc. | Systems and methods for providing network credentials |
US20080134317A1 (en) * | 2006-12-01 | 2008-06-05 | Boss Gregory J | Method and apparatus for authenticating user identity when resetting passwords |
US20080307488A1 (en) * | 2002-10-16 | 2008-12-11 | Innerwall, Inc. | Systems And Methods For Enterprise Security With Collaborative Peer To Peer Architecture |
EP2060050A2 (en) * | 2006-09-06 | 2009-05-20 | Devicescape Software, Inc. | Systems and methods for acquiring network credentials |
US20090217056A1 (en) * | 2008-02-25 | 2009-08-27 | Microsoft Corporation | Secure and Usable Protection of a Roamable Credentials Store |
US7676829B1 (en) * | 2001-10-30 | 2010-03-09 | Microsoft Corporation | Multiple credentials in a distributed system |
US20100185626A1 (en) * | 2002-04-10 | 2010-07-22 | Hillis W Daniel | Delegated authority evaluation system |
US7765206B2 (en) | 2002-12-13 | 2010-07-27 | Metaweb Technologies, Inc. | Meta-Web |
US20100263022A1 (en) * | 2008-10-13 | 2010-10-14 | Devicescape Software, Inc. | Systems and Methods for Enhanced Smartclient Support |
US7882032B1 (en) | 1994-11-28 | 2011-02-01 | Open Invention Network, Llc | System and method for tokenless biometric authorization of electronic communications |
US20110040870A1 (en) * | 2006-09-06 | 2011-02-17 | Simon Wynn | Systems and Methods for Determining Location Over a Network |
US7970678B2 (en) | 2000-05-31 | 2011-06-28 | Lapsley Philip D | Biometric financial transaction system and method |
US8012025B2 (en) | 2002-12-13 | 2011-09-06 | Applied Minds, Llc | Video game controller hub with control input reduction and combination schemes |
US8146143B1 (en) * | 2005-03-31 | 2012-03-27 | James A. Roskind | Fraud detection |
US8194589B2 (en) | 2006-09-06 | 2012-06-05 | Devicescape Software, Inc. | Systems and methods for wireless network selection based on attributes stored in a network database |
US20120226911A1 (en) * | 2005-12-21 | 2012-09-06 | Stephan Feil | Control of access to a secondary system |
US20120291108A1 (en) * | 2011-05-12 | 2012-11-15 | Konvax Corporation | Secure user credential control |
US20120294445A1 (en) * | 2011-05-16 | 2012-11-22 | Microsoft Corporation | Credential storage structure with encrypted password |
US8353007B2 (en) | 2008-10-13 | 2013-01-08 | Devicescape Software, Inc. | Systems and methods for identifying a network |
US20130097427A1 (en) * | 2011-10-12 | 2013-04-18 | Goldkey Security Corporation | Soft-Token Authentication System |
US20130145170A1 (en) * | 2011-12-01 | 2013-06-06 | International Business Machines Corporation | Cross system secure logon |
US8554830B2 (en) | 2006-09-06 | 2013-10-08 | Devicescape Software, Inc. | Systems and methods for wireless network selection |
US8667596B2 (en) | 2006-09-06 | 2014-03-04 | Devicescape Software, Inc. | Systems and methods for network curation |
US8743778B2 (en) | 2006-09-06 | 2014-06-03 | Devicescape Software, Inc. | Systems and methods for obtaining network credentials |
US9037865B1 (en) | 2013-03-04 | 2015-05-19 | Ca, Inc. | Method and system to securely send secrets to users |
US9165323B1 (en) | 2000-05-31 | 2015-10-20 | Open Innovation Network, LLC | Biometric transaction system and method |
US9165130B2 (en) | 2012-11-21 | 2015-10-20 | Ca, Inc. | Mapping biometrics to a unique key |
WO2017004326A1 (en) * | 2015-06-30 | 2017-01-05 | Morphotrust Usa, Llc | Electronic security container |
WO2020142319A1 (en) * | 2018-12-31 | 2020-07-09 | Finicity Corporation | Decentralized customer-controlled credit verification |
Families Citing this family (188)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7454782B2 (en) * | 1997-12-23 | 2008-11-18 | Arcot Systems, Inc. | Method and system for camouflaging access-controlled data |
US7328350B2 (en) | 2001-03-29 | 2008-02-05 | Arcot Systems, Inc. | Method and apparatus for secure cryptographic key generation, certification and use |
US6754820B1 (en) * | 2001-01-30 | 2004-06-22 | Tecsec, Inc. | Multiple level access system |
US7110984B1 (en) * | 1998-08-13 | 2006-09-19 | International Business Machines Corporation | Updating usage conditions in lieu of download digital rights management protected content |
US6732277B1 (en) * | 1998-10-08 | 2004-05-04 | Entrust Technologies Ltd. | Method and apparatus for dynamically accessing security credentials and related information |
US7058597B1 (en) | 1998-12-04 | 2006-06-06 | Digital River, Inc. | Apparatus and method for adaptive fraud screening for electronic commerce transactions |
US20030195974A1 (en) * | 1998-12-04 | 2003-10-16 | Ronning Joel A. | Apparatus and method for scheduling of search for updates or downloads of a file |
US7617124B1 (en) | 1998-12-04 | 2009-11-10 | Digital River, Inc. | Apparatus and method for secure downloading of files |
US6571339B1 (en) * | 1998-12-30 | 2003-05-27 | Intel Corporation | Use of a processor identification for authentication |
US8099359B1 (en) | 1999-04-19 | 2012-01-17 | The Western Union Company | System and method for issuing negotiable instruments by licensed money transmitter from direct deposits |
US6694025B1 (en) * | 1999-06-02 | 2004-02-17 | Koninklijke Philips Electronics N.V. | Method and apparatus for secure distribution of public/private key pairs |
GB2353682B (en) * | 1999-07-15 | 2004-03-31 | Nds Ltd | Key management for content protection |
IL130963A (en) * | 1999-07-15 | 2006-04-10 | Nds Ltd | Key management for content protection |
US7953671B2 (en) * | 1999-08-31 | 2011-05-31 | American Express Travel Related Services Company, Inc. | Methods and apparatus for conducting electronic transactions |
US7505941B2 (en) * | 1999-08-31 | 2009-03-17 | American Express Travel Related Services Company, Inc. | Methods and apparatus for conducting electronic transactions using biometrics |
US7343351B1 (en) * | 1999-08-31 | 2008-03-11 | American Express Travel Related Services Company, Inc. | Methods and apparatus for conducting electronic transactions |
US7239226B2 (en) | 2001-07-10 | 2007-07-03 | American Express Travel Related Services Company, Inc. | System and method for payment using radio frequency identification in contact and contactless transactions |
US7889052B2 (en) | 2001-07-10 | 2011-02-15 | Xatra Fund Mx, Llc | Authorizing payment subsequent to RF transactions |
US6868160B1 (en) * | 1999-11-08 | 2005-03-15 | Bellsouth Intellectual Property Corporation | System and method for providing secure sharing of electronic data |
US6895391B1 (en) * | 1999-11-09 | 2005-05-17 | Arcot Systems, Inc. | Method and system for secure authenticated payment on a computer network |
US7593898B1 (en) | 1999-12-30 | 2009-09-22 | First Data Corporation | Method and system for payment transactions and shipment tracking over the internet |
US7177836B1 (en) * | 1999-12-30 | 2007-02-13 | First Data Corporation | Method and system for facilitating financial transactions between consumers over the internet |
US7376587B1 (en) * | 2000-07-11 | 2008-05-20 | Western Union Financial Services, Inc. | Method for enabling transfer of funds through a computer network |
WO2001052134A1 (en) * | 2000-01-13 | 2001-07-19 | Access Co., Ltd. | Information home electric appliance |
US7340600B1 (en) * | 2000-01-14 | 2008-03-04 | Hewlett-Packard Development Company, L.P. | Authorization infrastructure based on public key cryptography |
US7010683B2 (en) * | 2000-01-14 | 2006-03-07 | Howlett-Packard Development Company, L.P. | Public key validation service |
US6763459B1 (en) | 2000-01-14 | 2004-07-13 | Hewlett-Packard Company, L.P. | Lightweight public key infrastructure employing disposable certificates |
US6802002B1 (en) | 2000-01-14 | 2004-10-05 | Hewlett-Packard Development Company, L.P. | Method and apparatus for providing field confidentiality in digital certificates |
US7269726B1 (en) * | 2000-01-14 | 2007-09-11 | Hewlett-Packard Development Company, L.P. | Lightweight public key infrastructure employing unsigned certificates |
US7020778B1 (en) * | 2000-01-21 | 2006-03-28 | Sonera Smarttrust Oy | Method for issuing an electronic identity |
US6453301B1 (en) * | 2000-02-23 | 2002-09-17 | Sony Corporation | Method of using personal device with internal biometric in conducting transactions over a network |
GB0004656D0 (en) * | 2000-02-28 | 2000-04-19 | Edentity Limited | Information processing system and method |
US7140036B2 (en) | 2000-03-06 | 2006-11-21 | Cardinalcommerce Corporation | Centralized identity authentication for electronic communication networks |
CA2403283A1 (en) | 2000-03-15 | 2001-09-20 | Edward J. Hogan | Method and system for secure payments over a computer network |
US20100228668A1 (en) * | 2000-04-11 | 2010-09-09 | Hogan Edward J | Method and System for Conducting a Transaction Using a Proximity Device and an Identifier |
US20100223186A1 (en) * | 2000-04-11 | 2010-09-02 | Hogan Edward J | Method and System for Conducting Secure Payments |
US7379919B2 (en) * | 2000-04-11 | 2008-05-27 | Mastercard International Incorporated | Method and system for conducting secure payments over a computer network |
AU5350101A (en) * | 2000-04-14 | 2001-10-30 | Next Level Comm | Method and apparatus for test and verification of field and terminal equipment |
FR2808146B1 (en) * | 2000-04-21 | 2006-07-28 | Max Bir | METHOD FOR CONTROLLING THE IDENTITY OF A PERSON CONDUCTING A TRANSACTION ON A SITE OF A NETWORK SUCH AS THE INTERNET NETWORK |
US7222362B1 (en) * | 2000-05-15 | 2007-05-22 | International Business Machines Corporation | Non-transferable anonymous credentials |
US7174454B2 (en) | 2002-11-19 | 2007-02-06 | America Online, Inc. | System and method for establishing historical usage-based hardware trust |
GB2362970B (en) * | 2000-05-31 | 2004-12-29 | Hewlett Packard Co | Improvements relating to information storage |
KR20010111403A (en) * | 2000-06-08 | 2001-12-19 | 오상균 | The method for controlling internet service access and the range of use of internet service of user by utilizing certificates |
US7949600B1 (en) | 2000-06-27 | 2011-05-24 | Western Union Financial Services, Inc. | Method for facilitating payment of a computerized transaction |
AU2001276914A1 (en) | 2000-07-11 | 2002-01-21 | First Data Corporation | Wide area network person-to-person payment |
US7146338B2 (en) * | 2001-06-28 | 2006-12-05 | Checkfree Services Corporation | Inter-network financial service |
WO2002019124A1 (en) * | 2000-08-30 | 2002-03-07 | Matsushita Electric Industrial Co.,Ltd. | Authentication system, authentication request device, validating device, and service medium |
US20020091646A1 (en) * | 2000-11-03 | 2002-07-11 | Lake Lawrence L. | Method and system for verifying the identity of on-line credit card purchasers through a proxy transaction |
US20020095580A1 (en) * | 2000-12-08 | 2002-07-18 | Brant Candelore | Secure transactions using cryptographic processes |
US7251633B2 (en) * | 2000-12-11 | 2007-07-31 | Sony Corporation | Method or system for executing deferred transactions |
US7765163B2 (en) * | 2000-12-12 | 2010-07-27 | Sony Corporation | System and method for conducting secure transactions over a network |
US7114080B2 (en) * | 2000-12-14 | 2006-09-26 | Matsushita Electric Industrial Co., Ltd. | Architecture for secure remote access and transmission using a generalized password scheme with biometric features |
US7266533B2 (en) | 2000-12-15 | 2007-09-04 | The Western Union Company | Electronic gift greeting |
FI115098B (en) | 2000-12-27 | 2005-02-28 | Nokia Corp | Authentication in data communication |
US7131000B2 (en) * | 2001-01-18 | 2006-10-31 | Bradee Robert L | Computer security system |
US20020124190A1 (en) * | 2001-03-01 | 2002-09-05 | Brian Siegel | Method and system for restricted biometric access to content of packaged media |
US9853759B1 (en) | 2001-03-31 | 2017-12-26 | First Data Corporation | Staged transaction system for mobile commerce |
US7117183B2 (en) | 2001-03-31 | 2006-10-03 | First Data Coroporation | Airline ticket payment and reservation system and methods |
US8150763B2 (en) | 2001-03-31 | 2012-04-03 | The Western Union Company | Systems and methods for staging transactions, payments and collections |
US7107249B2 (en) | 2001-03-31 | 2006-09-12 | First Data Corporation | Electronic identifier payment systems and methods |
US7184989B2 (en) | 2001-03-31 | 2007-02-27 | First Data Corporation | Staged transactions systems and methods |
US7725427B2 (en) | 2001-05-25 | 2010-05-25 | Fred Bishop | Recurrent billing maintenance with radio frequency payment devices |
US7093281B2 (en) * | 2001-06-04 | 2006-08-15 | G.E. Information Services, Inc. | Casual access application with context sensitive pin authentication |
US9024719B1 (en) | 2001-07-10 | 2015-05-05 | Xatra Fund Mx, Llc | RF transaction system and method for storing user personal data |
US7360689B2 (en) | 2001-07-10 | 2008-04-22 | American Express Travel Related Services Company, Inc. | Method and system for proffering multiple biometrics for use with a FOB |
US8001054B1 (en) | 2001-07-10 | 2011-08-16 | American Express Travel Related Services Company, Inc. | System and method for generating an unpredictable number using a seeded algorithm |
US7303120B2 (en) | 2001-07-10 | 2007-12-04 | American Express Travel Related Services Company, Inc. | System for biometric security using a FOB |
US7493288B2 (en) | 2001-07-10 | 2009-02-17 | Xatra Fund Mx, Llc | RF payment via a mobile device |
US7668750B2 (en) | 2001-07-10 | 2010-02-23 | David S Bonalle | Securing RF transactions using a transactions counter |
US7249112B2 (en) | 2002-07-09 | 2007-07-24 | American Express Travel Related Services Company, Inc. | System and method for assigning a funding source for a radio frequency identification device |
US8548927B2 (en) | 2001-07-10 | 2013-10-01 | Xatra Fund Mx, Llc | Biometric registration for facilitating an RF transaction |
US8294552B2 (en) | 2001-07-10 | 2012-10-23 | Xatra Fund Mx, Llc | Facial scan biometrics on a payment device |
US8284025B2 (en) | 2001-07-10 | 2012-10-09 | Xatra Fund Mx, Llc | Method and system for auditory recognition biometrics on a FOB |
US9031880B2 (en) | 2001-07-10 | 2015-05-12 | Iii Holdings 1, Llc | Systems and methods for non-traditional payment using biometric data |
US9454752B2 (en) | 2001-07-10 | 2016-09-27 | Chartoleaux Kg Limited Liability Company | Reload protocol at a transaction processing entity |
US20040236699A1 (en) | 2001-07-10 | 2004-11-25 | American Express Travel Related Services Company, Inc. | Method and system for hand geometry recognition biometrics on a fob |
US7735725B1 (en) | 2001-07-10 | 2010-06-15 | Fred Bishop | Processing an RF transaction using a routing number |
US7705732B2 (en) | 2001-07-10 | 2010-04-27 | Fred Bishop | Authenticating an RF transaction using a transaction counter |
US20030014631A1 (en) * | 2001-07-16 | 2003-01-16 | Steven Sprague | Method and system for user and group authentication with pseudo-anonymity over a public network |
CA2353738A1 (en) * | 2001-07-24 | 2003-01-24 | Webcc Inc. | Method and for secure transfer of information |
US8374962B2 (en) | 2001-10-26 | 2013-02-12 | First Data Corporation | Stored value payouts |
US8244632B2 (en) | 2001-10-26 | 2012-08-14 | First Data Corporation | Automated transfer with stored value |
WO2003058427A1 (en) * | 2001-12-28 | 2003-07-17 | Jeffrey James Jonas | Real time data warehousing |
US7095859B2 (en) | 2002-03-18 | 2006-08-22 | Lenovo (Singapore) Pte. Ltd. | Managing private keys in a free seating environment |
US7899753B1 (en) | 2002-03-25 | 2011-03-01 | Jpmorgan Chase Bank, N.A | Systems and methods for time variable financial authentication |
US20030204732A1 (en) * | 2002-04-30 | 2003-10-30 | Yves Audebert | System and method for storage and retrieval of a cryptographic secret from a plurality of network enabled clients |
US20030233580A1 (en) * | 2002-05-29 | 2003-12-18 | Keeler James D. | Authorization and authentication of user access to a distributed network communication system with roaming features |
US20050044385A1 (en) * | 2002-09-09 | 2005-02-24 | John Holdsworth | Systems and methods for secure authentication of electronic transactions |
EP2600560A3 (en) * | 2002-09-09 | 2014-04-16 | U.S. Encode Corporation | Systems and methods for secure authentication of electronic transactions |
US6805287B2 (en) | 2002-09-12 | 2004-10-19 | American Express Travel Related Services Company, Inc. | System and method for converting a stored value card to a credit card |
US20040078603A1 (en) * | 2002-10-18 | 2004-04-22 | Eiji Ogura | System and method of protecting data |
CN1757188A (en) * | 2002-11-06 | 2006-04-05 | 国际商业机器公司 | Confidential data sharing and anonymous entity resolution |
US7571140B2 (en) * | 2002-12-16 | 2009-08-04 | First Data Corporation | Payment management |
US8620937B2 (en) * | 2002-12-27 | 2013-12-31 | International Business Machines Corporation | Real time data warehousing |
WO2004061668A1 (en) * | 2002-12-31 | 2004-07-22 | International Business Machines Corporation | Authorized anonymous authentication |
US7827101B2 (en) * | 2003-01-10 | 2010-11-02 | First Data Corporation | Payment system clearing for transactions |
US7003493B2 (en) * | 2003-01-22 | 2006-02-21 | First Data Corporation | Direct payment with token |
EP1631908A4 (en) * | 2003-03-24 | 2012-01-25 | Ibm | Secure coordinate identification method, system and program |
US7320073B2 (en) * | 2003-04-07 | 2008-01-15 | Aol Llc | Secure method for roaming keys and certificates |
US8082210B2 (en) * | 2003-04-29 | 2011-12-20 | The Western Union Company | Authentication for online money transfers |
WO2005001653A2 (en) * | 2003-06-24 | 2005-01-06 | Corestreet, Ltd. | Access control |
US7523200B2 (en) * | 2003-07-02 | 2009-04-21 | International Business Machines Corporation | Dynamic access decision information module |
CN100426719C (en) * | 2003-09-01 | 2008-10-15 | 台均科技(深圳)有限公司 | Method of identification between user device and local client use or remote-network service |
WO2005029746A2 (en) * | 2003-09-12 | 2005-03-31 | Rsa Security Inc. | System and method providing disconnected authentication |
US7467415B2 (en) * | 2003-09-30 | 2008-12-16 | Novell, Inc. | Distributed dynamic security for document collaboration |
US7299493B1 (en) | 2003-09-30 | 2007-11-20 | Novell, Inc. | Techniques for dynamically establishing and managing authentication and trust relationships |
US8015301B2 (en) * | 2003-09-30 | 2011-09-06 | Novell, Inc. | Policy and attribute based access to a resource |
US7316027B2 (en) | 2004-02-03 | 2008-01-01 | Novell, Inc. | Techniques for dynamically establishing and managing trust relationships |
US7519815B2 (en) | 2003-10-29 | 2009-04-14 | Microsoft Corporation | Challenge-based authentication without requiring knowledge of secret authentication data |
US7657745B2 (en) | 2003-10-29 | 2010-02-02 | Microsoft Corporation | Secure electronic transfer without requiring knowledge of secret data |
US9729321B2 (en) * | 2015-04-29 | 2017-08-08 | Citrix Systems, Inc. | Autonomous private key recovery |
US20050203843A1 (en) * | 2004-03-12 | 2005-09-15 | Wood George L. | Internet debit system |
US8042163B1 (en) | 2004-05-20 | 2011-10-18 | Symatec Operating Corporation | Secure storage access using third party capability tokens |
US7823190B1 (en) * | 2004-06-02 | 2010-10-26 | Sap Ag | System and method for implementing a distributed keystore within an enterprise network |
US7219832B2 (en) * | 2004-06-17 | 2007-05-22 | First Data Corporation | ATM machine and methods with currency conversion capabilities |
US7341181B2 (en) * | 2004-07-01 | 2008-03-11 | American Express Travel Related Services Company, Inc. | Method for biometric security using a smartcard |
US7314165B2 (en) * | 2004-07-01 | 2008-01-01 | American Express Travel Related Services Company, Inc. | Method and system for smellprint recognition biometrics on a smartcard |
US7363504B2 (en) | 2004-07-01 | 2008-04-22 | American Express Travel Related Services Company, Inc. | Method and system for keystroke scan recognition biometrics on a smartcard |
US7314164B2 (en) * | 2004-07-01 | 2008-01-01 | American Express Travel Related Services Company, Inc. | System for biometric security using a smartcard |
US7325724B2 (en) | 2004-07-01 | 2008-02-05 | American Express Travel Related Services Company, Inc. | Method for registering a biometric for use with a smartcard |
US7318550B2 (en) | 2004-07-01 | 2008-01-15 | American Express Travel Related Services Company, Inc. | Biometric safeguard method for use with a smartcard |
US20060021066A1 (en) * | 2004-07-26 | 2006-01-26 | Ray Clayton | Data encryption system and method |
US7421739B2 (en) * | 2004-10-04 | 2008-09-02 | American Express Travel Related Services Company, Inc. | System and method for monitoring and ensuring data integrity in an enterprise security system |
US8152054B2 (en) | 2004-10-19 | 2012-04-10 | The Western Union Company | Money transfer systems and methods |
US8151112B2 (en) * | 2005-04-22 | 2012-04-03 | Gerard Lin | Deliver-upon-request secure electronic message system |
WO2006121854A2 (en) * | 2005-05-06 | 2006-11-16 | Verisign, Inc. | Token sharing system and method |
US7392940B2 (en) | 2005-05-18 | 2008-07-01 | The Western Union Company | In-lane money transfer systems and methods |
US8672220B2 (en) | 2005-09-30 | 2014-03-18 | The Western Union Company | Money transfer system and method |
US7707417B2 (en) * | 2005-06-23 | 2010-04-27 | Masami Yoshioka | Secure transmission of data between clients over communications network |
US8171531B2 (en) * | 2005-11-16 | 2012-05-01 | Broadcom Corporation | Universal authentication token |
DE102005062307A1 (en) * | 2005-12-24 | 2007-06-28 | T-Mobile International Ag & Co. Kg | Chip card e.g. subscriber identity module card, pre-arranging method for electronic signature services, involves generating asymmetrical code pair and signature-personal identification number on card, and conveying number to user by card |
US20070220594A1 (en) * | 2006-03-04 | 2007-09-20 | Tulsyan Surendra K | Software based Dynamic Key Generator for Multifactor Authentication |
CN101090397B (en) | 2006-06-13 | 2010-12-15 | 国际商业机器公司 | Method, device and computer system for performing transactions between a client and a server |
US20080010453A1 (en) * | 2006-07-06 | 2008-01-10 | Laurence Hamid | Method and apparatus for one time password access to portable credential entry and memory storage devices |
US20080276309A1 (en) * | 2006-07-06 | 2008-11-06 | Edelman Lance F | System and Method for Securing Software Applications |
US8670564B1 (en) | 2006-08-14 | 2014-03-11 | Key Holdings, LLC | Data encryption system and method |
US20070219926A1 (en) * | 2006-10-18 | 2007-09-20 | Stanley Korn | Secure method and system of identity authentication |
US8204831B2 (en) * | 2006-11-13 | 2012-06-19 | International Business Machines Corporation | Post-anonymous fuzzy comparisons without the use of pre-anonymization variants |
US20080250248A1 (en) * | 2006-12-24 | 2008-10-09 | Zeev Lieber | Identity Management System with an Untrusted Identity Provider |
US20080155664A1 (en) * | 2006-12-24 | 2008-06-26 | Zeev Lieber | Identity management system with an untrusted identity provider |
US8818904B2 (en) | 2007-01-17 | 2014-08-26 | The Western Union Company | Generation systems and methods for transaction identifiers having biometric keys associated therewith |
US7933835B2 (en) | 2007-01-17 | 2011-04-26 | The Western Union Company | Secure money transfer systems and methods using biometric keys associated therewith |
US7866551B2 (en) | 2007-02-15 | 2011-01-11 | Visa U.S.A. Inc. | Dynamic payment device characteristics |
US8108918B2 (en) * | 2007-02-27 | 2012-01-31 | Red Hat, Inc. | Zero knowledge attribute storage and retrieval |
US8504473B2 (en) | 2007-03-28 | 2013-08-06 | The Western Union Company | Money transfer system and messaging system |
US20080288376A1 (en) | 2007-04-27 | 2008-11-20 | Cashedge, Inc. | Centralized payment hub method and system |
US7783571B2 (en) | 2007-05-31 | 2010-08-24 | First Data Corporation | ATM system for receiving cash deposits from non-networked clients |
US8359630B2 (en) * | 2007-08-20 | 2013-01-22 | Visa U.S.A. Inc. | Method and system for implementing a dynamic verification value |
US20090296997A1 (en) * | 2008-06-03 | 2009-12-03 | James Rocheford | Method and apparatus for securing a computer |
WO2010005681A1 (en) | 2008-06-16 | 2010-01-14 | Visa U.S.A. Inc. | System and method for authorizing financial transactions with online merchants |
US8898089B2 (en) * | 2008-06-24 | 2014-11-25 | Visa U.S.A. Inc. | Dynamic verification value system and method |
US8140853B2 (en) * | 2008-07-01 | 2012-03-20 | International Business Machines Corporation | Mutually excluded security managers |
WO2010022109A1 (en) * | 2008-08-18 | 2010-02-25 | Cashedge, Inc. | Money movement network hub system |
US8468585B2 (en) * | 2009-01-05 | 2013-06-18 | International Business Machines Corporation | Management of credentials used by software applications |
US20100205649A1 (en) * | 2009-02-06 | 2010-08-12 | Microsoft Corporation | Credential gathering with deferred instantiation |
US10764748B2 (en) | 2009-03-26 | 2020-09-01 | Qualcomm Incorporated | Apparatus and method for user identity authentication in peer-to-peer overlay networks |
US8768505B2 (en) * | 2009-08-25 | 2014-07-01 | Bryan Thompson | System and method for dispensing pre-paid items using a uniquely identified container |
US20110087888A1 (en) * | 2009-10-13 | 2011-04-14 | Google Inc. | Authentication using a weak hash of user credentials |
US20110213707A1 (en) * | 2010-03-01 | 2011-09-01 | Fiserv, Inc. | Systems and methods for facilitating person-to-person payments |
CN105516198B (en) * | 2010-12-30 | 2018-10-12 | 环联有限责任公司 | Authentication system and method |
US20120323786A1 (en) * | 2011-06-16 | 2012-12-20 | OneID Inc. | Method and system for delayed authorization of online transactions |
CN102223235A (en) * | 2011-06-23 | 2011-10-19 | 甘肃农业大学 | Fingerprint characteristic template protecting method and identity authentication method in open network environment |
US10979226B1 (en) * | 2011-10-12 | 2021-04-13 | Cybrsecurity Corporation | Soft-token authentication system with token blocking after entering the wrong PIN |
US9225690B1 (en) * | 2011-12-06 | 2015-12-29 | Amazon Technologies, Inc. | Browser security module |
US8819444B2 (en) * | 2011-12-27 | 2014-08-26 | Majid Shahbazi | Methods for single signon (SSO) using decentralized password and credential management |
US9356924B1 (en) * | 2011-12-27 | 2016-05-31 | Majid Shahbazi | Systems, methods, and computer readable media for single sign-on (SSO) using optical codes |
US10742634B1 (en) | 2011-12-27 | 2020-08-11 | Majid Shahbazi | Methods for single sign-on (SSO) using optical codes |
WO2013109932A1 (en) | 2012-01-18 | 2013-07-25 | OneID Inc. | Methods and systems for secure identity management |
US10152530B1 (en) | 2013-07-24 | 2018-12-11 | Symantec Corporation | Determining a recommended control point for a file system |
US20160027017A1 (en) * | 2014-07-22 | 2016-01-28 | Ca, Inc. | Method and system for using dynamic cvv in qr code payments |
US10395227B2 (en) | 2015-01-14 | 2019-08-27 | Tactilis Pte. Limited | System and method for reconciling electronic transaction records for enhanced security |
US10037528B2 (en) | 2015-01-14 | 2018-07-31 | Tactilis Sdn Bhd | Biometric device utilizing finger sequence for authentication |
US9607189B2 (en) | 2015-01-14 | 2017-03-28 | Tactilis Sdn Bhd | Smart card system comprising a card and a carrier |
US10949841B2 (en) | 2015-05-07 | 2021-03-16 | Visa International Service Association | Provisioning of access credentials using device codes |
US9887978B2 (en) | 2015-06-23 | 2018-02-06 | Veritas Technologies Llc | System and method for centralized configuration and authentication |
US10757104B1 (en) | 2015-06-29 | 2020-08-25 | Veritas Technologies Llc | System and method for authentication in a computing system |
US10509900B1 (en) | 2015-08-06 | 2019-12-17 | Majid Shahbazi | Computer program products for user account management |
WO2017063031A1 (en) * | 2015-10-16 | 2017-04-20 | Kasada Pty Ltd | Dynamic cryptographic polymorphism (dcp) system and method |
CN108431698A (en) | 2015-10-23 | 2018-08-21 | 西维克斯控股有限责任公司 | The system and method being authenticated using mobile device |
US10958725B2 (en) | 2016-05-05 | 2021-03-23 | Neustar, Inc. | Systems and methods for distributing partial data to subnetworks |
US11025428B2 (en) | 2016-05-05 | 2021-06-01 | Neustar, Inc. | Systems and methods for enabling trusted communications between controllers |
US11108562B2 (en) | 2016-05-05 | 2021-08-31 | Neustar, Inc. | Systems and methods for verifying a route taken by a communication |
US11277439B2 (en) | 2016-05-05 | 2022-03-15 | Neustar, Inc. | Systems and methods for mitigating and/or preventing distributed denial-of-service attacks |
WO2017193093A1 (en) | 2016-05-05 | 2017-11-09 | Neustar, Inc. | Systems and methods for enabling trusted communications between entities |
US10891372B1 (en) | 2017-12-01 | 2021-01-12 | Majid Shahbazi | Systems, methods, and products for user account authentication and protection |
US10972275B1 (en) | 2018-07-17 | 2021-04-06 | Imageware Systems, Inc. | Zero-knowledge, anonymous verification and management using immutable databases such as blockchain |
CN109660359B (en) * | 2019-01-22 | 2022-01-18 | 上海易酷信息技术服务有限公司 | Method and equipment for generating HD (high definition) wallet business card and method for generating HD wallet trusted address |
US11863561B2 (en) * | 2021-11-10 | 2024-01-02 | Oracle International Corporation | Edge attestation for authorization of a computing node in a cloud infrastructure system |
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US3798605A (en) * | 1971-06-30 | 1974-03-19 | Ibm | Centralized verification system |
US5148479A (en) * | 1991-03-20 | 1992-09-15 | International Business Machines Corp. | Authentication protocols in communication networks |
US5491752A (en) * | 1993-03-18 | 1996-02-13 | Digital Equipment Corporation, Patent Law Group | System for increasing the difficulty of password guessing attacks in a distributed authentication scheme employing authentication tokens |
DE69312328T2 (en) * | 1993-09-20 | 1998-01-08 | Ibm | SYSTEM AND METHOD FOR CHANGING THE KEY OR PASSWORD IN A COMMUNICATION NETWORK WITH KEY DISTRIBUTION |
US5475756A (en) * | 1994-02-17 | 1995-12-12 | At&T Corp. | Method of authenticating a terminal in a transaction execution system |
US5668876A (en) * | 1994-06-24 | 1997-09-16 | Telefonaktiebolaget Lm Ericsson | User authentication method and apparatus |
US5764890A (en) * | 1994-12-13 | 1998-06-09 | Microsoft Corporation | Method and system for adding a secure network server to an existing computer network |
CA2167631A1 (en) * | 1995-01-20 | 1996-07-21 | W. Dale Hopkins | Method and apparatus for user and security device authentication |
US5689566A (en) * | 1995-10-24 | 1997-11-18 | Nguyen; Minhtam C. | Network with secure communications sessions |
US5745756A (en) * | 1996-06-24 | 1998-04-28 | International Business Machines Corporation | Method and system for managing movement of large multi-media data files from an archival storage to an active storage within a multi-media server computer system |
-
1998
- 1998-11-19 US US09/196,430 patent/US6263446B1/en not_active Expired - Lifetime
-
1999
- 1999-11-19 WO PCT/US1999/027621 patent/WO2000030285A1/en active IP Right Grant
-
2001
- 2001-04-26 US US09/843,583 patent/US20010034837A1/en not_active Abandoned
Cited By (88)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040128249A1 (en) * | 1994-11-28 | 2004-07-01 | Indivos Corporation, A Delaware Corporation | System and method for tokenless biometric electronic scrip |
US8260716B2 (en) | 1994-11-28 | 2012-09-04 | Open Invention Network, Llc | System and method for processing tokenless biometric electronic transmissions using an electronic rule module clearinghouse |
US8831994B1 (en) | 1994-11-28 | 2014-09-09 | Open Invention Network, Llc | System and method for tokenless biometric authorization of electronic communications |
US7882032B1 (en) | 1994-11-28 | 2011-02-01 | Open Invention Network, Llc | System and method for tokenless biometric authorization of electronic communications |
US7698567B2 (en) | 1994-11-28 | 2010-04-13 | Yt Acquisition Corporation | System and method for tokenless biometric electronic scrip |
US20050144133A1 (en) * | 1994-11-28 | 2005-06-30 | Ned Hoffman | System and method for processing tokenless biometric electronic transmissions using an electronic rule module clearinghouse |
US7111172B1 (en) * | 1999-07-19 | 2006-09-19 | Rsa Security Inc. | System and methods for maintaining and distributing personal security devices |
US8452680B1 (en) | 2000-05-31 | 2013-05-28 | Open Invention Network, Llc | Biometric financial transaction system and method |
US8630933B1 (en) | 2000-05-31 | 2014-01-14 | Open Invention Network, Llc | Biometric financial transaction system and method |
US8630932B1 (en) | 2000-05-31 | 2014-01-14 | Open Invention Network, Llc | Biometric financial transaction system and method |
US9165323B1 (en) | 2000-05-31 | 2015-10-20 | Open Innovation Network, LLC | Biometric transaction system and method |
US7970678B2 (en) | 2000-05-31 | 2011-06-28 | Lapsley Philip D | Biometric financial transaction system and method |
US7502770B2 (en) | 2001-04-11 | 2009-03-10 | Metaweb Technologies, Inc. | Knowledge web |
US20050086188A1 (en) * | 2001-04-11 | 2005-04-21 | Hillis Daniel W. | Knowledge web |
US7069343B2 (en) | 2001-09-06 | 2006-06-27 | Avaya Technologycorp. | Topology discovery by partitioning multiple discovery techniques |
US7200122B2 (en) | 2001-09-06 | 2007-04-03 | Avaya Technology Corp. | Using link state information to discover IP network topology |
US20030043820A1 (en) * | 2001-09-06 | 2003-03-06 | Goringe Christopher M. | Using link state information to discover IP network topology |
US20030046427A1 (en) * | 2001-09-06 | 2003-03-06 | Goringe Christopher M. | Topology discovery by partitioning multiple discovery techniques |
US7676829B1 (en) * | 2001-10-30 | 2010-03-09 | Microsoft Corporation | Multiple credentials in a distributed system |
US7571239B2 (en) * | 2002-01-08 | 2009-08-04 | Avaya Inc. | Credential management and network querying |
US20030131096A1 (en) * | 2002-01-08 | 2003-07-10 | Goringe Christopher M. | Credential management and network querying |
US7996888B2 (en) | 2002-01-11 | 2011-08-09 | Nokia Corporation | Virtual identity apparatus and method for using same |
US20030172090A1 (en) * | 2002-01-11 | 2003-09-11 | Petri Asunmaa | Virtual identity apparatus and method for using same |
US8069175B2 (en) | 2002-04-10 | 2011-11-29 | Google Inc. | Delegating authority to evaluate content |
US20030195834A1 (en) * | 2002-04-10 | 2003-10-16 | Hillis W. Daniel | Automated online purchasing system |
US20030196094A1 (en) * | 2002-04-10 | 2003-10-16 | Hillis W. Daniel | Method and apparatus for authenticating the content of a distributed database |
US20100185626A1 (en) * | 2002-04-10 | 2010-07-22 | Hillis W Daniel | Delegated authority evaluation system |
US8239917B2 (en) | 2002-10-16 | 2012-08-07 | Enterprise Information Management, Inc. | Systems and methods for enterprise security with collaborative peer to peer architecture |
US20110072265A1 (en) * | 2002-10-16 | 2011-03-24 | Hammond Ii Frank J | System And Method Of Non-Centralized Zero Knowledge Authentication For A Computer Network |
US20080307488A1 (en) * | 2002-10-16 | 2008-12-11 | Innerwall, Inc. | Systems And Methods For Enterprise Security With Collaborative Peer To Peer Architecture |
US7840806B2 (en) * | 2002-10-16 | 2010-11-23 | Enterprise Information Management, Inc. | System and method of non-centralized zero knowledge authentication for a computer network |
US20040123156A1 (en) * | 2002-10-16 | 2004-06-24 | Hammond Frank J. | System and method of non-centralized zero knowledge authentication for a computer network |
US8012025B2 (en) | 2002-12-13 | 2011-09-06 | Applied Minds, Llc | Video game controller hub with control input reduction and combination schemes |
US7765206B2 (en) | 2002-12-13 | 2010-07-27 | Metaweb Technologies, Inc. | Meta-Web |
US20060161772A1 (en) * | 2003-06-17 | 2006-07-20 | Talstra Johan C | Secure authenticated channel |
WO2004112311A1 (en) * | 2003-06-17 | 2004-12-23 | Koninklijke Philips Electronics N.V. | Improved secure authenticated channel |
US7426577B2 (en) | 2003-06-19 | 2008-09-16 | Avaya Technology Corp. | Detection of load balanced links in internet protocol netwoks |
US20040260755A1 (en) * | 2003-06-19 | 2004-12-23 | Bardzil Timothy J. | Detection of load balanced links in internet protocol networks |
US20070185811A1 (en) * | 2003-11-18 | 2007-08-09 | Dieter Weiss | Authorization of a transaction |
WO2005050911A1 (en) * | 2003-11-18 | 2005-06-02 | Giesecke & Devrient Gmbh | Authorisation of a transaction |
US7844610B2 (en) | 2003-12-12 | 2010-11-30 | Google Inc. | Delegated authority evaluation system |
US8321419B1 (en) | 2003-12-12 | 2012-11-27 | Google Inc. | Delegated authority to evaluate content |
US20050131918A1 (en) * | 2003-12-12 | 2005-06-16 | W. Daniel Hillis | Personalized profile for evaluating content |
US20050131722A1 (en) * | 2003-12-12 | 2005-06-16 | Hillis W. D. | Delegated authority evaluation system |
US8146143B1 (en) * | 2005-03-31 | 2012-03-27 | James A. Roskind | Fraud detection |
KR100690869B1 (en) | 2005-04-01 | 2007-03-09 | 엘지전자 주식회사 | Method for distribution of security key in location information system based on supl |
US8522324B2 (en) * | 2005-12-21 | 2013-08-27 | International Business Machines Corporation | Control of access to a secondary system |
US9577990B2 (en) | 2005-12-21 | 2017-02-21 | International Business Machines Corporation | Control of access to a secondary system |
US9087180B2 (en) * | 2005-12-21 | 2015-07-21 | International Business Machines Corporation | Control of access to a secondary system |
US20120226911A1 (en) * | 2005-12-21 | 2012-09-06 | Stephan Feil | Control of access to a secondary system |
US20130275764A1 (en) * | 2005-12-21 | 2013-10-17 | International Business Machines Corporation | Control of access to a secondary system |
EP2060050A4 (en) * | 2006-09-06 | 2011-03-16 | Devicescape Software Inc | Systems and methods for acquiring network credentials |
US20080060066A1 (en) * | 2006-09-06 | 2008-03-06 | Devicescape Software, Inc. | Systems and methods for acquiring network credentials |
US8196188B2 (en) | 2006-09-06 | 2012-06-05 | Devicescape Software, Inc. | Systems and methods for providing network credentials |
US8194589B2 (en) | 2006-09-06 | 2012-06-05 | Devicescape Software, Inc. | Systems and methods for wireless network selection based on attributes stored in a network database |
US9913303B2 (en) | 2006-09-06 | 2018-03-06 | Devicescape Software, Inc. | Systems and methods for network curation |
EP2062129A4 (en) * | 2006-09-06 | 2011-03-16 | Devicescape Software Inc | Systems and methods for providing network credentials |
EP2062130A4 (en) * | 2006-09-06 | 2011-03-16 | Devicescape Software Inc | Systems and methods for obtaining network access |
US20110040870A1 (en) * | 2006-09-06 | 2011-02-17 | Simon Wynn | Systems and Methods for Determining Location Over a Network |
US20080060064A1 (en) * | 2006-09-06 | 2008-03-06 | Devicescape Software, Inc. | Systems and methods for obtaining network access |
US9326138B2 (en) | 2006-09-06 | 2016-04-26 | Devicescape Software, Inc. | Systems and methods for determining location over a network |
US8191124B2 (en) | 2006-09-06 | 2012-05-29 | Devicescape Software, Inc. | Systems and methods for acquiring network credentials |
US20080060065A1 (en) * | 2006-09-06 | 2008-03-06 | Devicescape Software, Inc. | Systems and methods for providing network credentials |
US8743778B2 (en) | 2006-09-06 | 2014-06-03 | Devicescape Software, Inc. | Systems and methods for obtaining network credentials |
US8667596B2 (en) | 2006-09-06 | 2014-03-04 | Devicescape Software, Inc. | Systems and methods for network curation |
EP2060050A2 (en) * | 2006-09-06 | 2009-05-20 | Devicescape Software, Inc. | Systems and methods for acquiring network credentials |
EP2062130A2 (en) * | 2006-09-06 | 2009-05-27 | Devicescape Software, Inc. | Systems and methods for obtaining network access |
US8549588B2 (en) | 2006-09-06 | 2013-10-01 | Devicescape Software, Inc. | Systems and methods for obtaining network access |
US8554830B2 (en) | 2006-09-06 | 2013-10-08 | Devicescape Software, Inc. | Systems and methods for wireless network selection |
EP2062129A2 (en) * | 2006-09-06 | 2009-05-27 | Devicescape Software, Inc. | Systems and methods for providing network credentials |
US7874011B2 (en) | 2006-12-01 | 2011-01-18 | International Business Machines Corporation | Authenticating user identity when resetting passwords |
US20080134317A1 (en) * | 2006-12-01 | 2008-06-05 | Boss Gregory J | Method and apparatus for authenticating user identity when resetting passwords |
US8205098B2 (en) | 2008-02-25 | 2012-06-19 | Microsoft Corporation | Secure and usable protection of a roamable credentials store |
US20090217056A1 (en) * | 2008-02-25 | 2009-08-27 | Microsoft Corporation | Secure and Usable Protection of a Roamable Credentials Store |
US9262618B2 (en) | 2008-02-25 | 2016-02-16 | Microsoft Technology Licensing, Llc | Secure and usable protection of a roamable credentials store |
US20100263022A1 (en) * | 2008-10-13 | 2010-10-14 | Devicescape Software, Inc. | Systems and Methods for Enhanced Smartclient Support |
US8353007B2 (en) | 2008-10-13 | 2013-01-08 | Devicescape Software, Inc. | Systems and methods for identifying a network |
US20120291108A1 (en) * | 2011-05-12 | 2012-11-15 | Konvax Corporation | Secure user credential control |
US8918849B2 (en) * | 2011-05-12 | 2014-12-23 | Konvax Corporation | Secure user credential control |
US20120294445A1 (en) * | 2011-05-16 | 2012-11-22 | Microsoft Corporation | Credential storage structure with encrypted password |
US20130097427A1 (en) * | 2011-10-12 | 2013-04-18 | Goldkey Security Corporation | Soft-Token Authentication System |
US10263782B2 (en) * | 2011-10-12 | 2019-04-16 | Goldkey Corporation | Soft-token authentication system |
US9135428B2 (en) * | 2011-12-01 | 2015-09-15 | International Business Machines Corporation | Cross system secure logon |
US20130145170A1 (en) * | 2011-12-01 | 2013-06-06 | International Business Machines Corporation | Cross system secure logon |
US9165130B2 (en) | 2012-11-21 | 2015-10-20 | Ca, Inc. | Mapping biometrics to a unique key |
US9037865B1 (en) | 2013-03-04 | 2015-05-19 | Ca, Inc. | Method and system to securely send secrets to users |
WO2017004326A1 (en) * | 2015-06-30 | 2017-01-05 | Morphotrust Usa, Llc | Electronic security container |
WO2020142319A1 (en) * | 2018-12-31 | 2020-07-09 | Finicity Corporation | Decentralized customer-controlled credit verification |
Also Published As
Publication number | Publication date |
---|---|
US6263446B1 (en) | 2001-07-17 |
WO2000030285A8 (en) | 2001-07-19 |
WO2000030285A1 (en) | 2000-05-25 |
WO2000030285A9 (en) | 2002-08-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6263446B1 (en) | Method and apparatus for secure distribution of authentication credentials to roaming users | |
US7409543B1 (en) | Method and apparatus for using a third party authentication server | |
Bhargav-Spantzel et al. | Privacy preserving multi-factor authentication with biometrics | |
US5276735A (en) | Data enclave and trusted path system | |
US6185316B1 (en) | Self-authentication apparatus and method | |
US5491752A (en) | System for increasing the difficulty of password guessing attacks in a distributed authentication scheme employing authentication tokens | |
US8474025B2 (en) | Methods and apparatus for credential validation | |
US8041954B2 (en) | Method and system for providing a secure login solution using one-time passwords | |
US6073237A (en) | Tamper resistant method and apparatus | |
US20040193893A1 (en) | Application-specific biometric templates | |
US20090235086A1 (en) | Server-side biometric authentication | |
US20080313707A1 (en) | Token-based system and method for secure authentication to a service provider | |
WO2008109661A2 (en) | Method and system for securely caching authentication elements | |
EP1131911B1 (en) | Method and apparatus for secure distribution of authentication credentials to roaming users | |
WO2020183250A1 (en) | A system for generation and verification of identity and a method thereof | |
MXPA01004925A (en) | Method and apparatus for secure distribution of authentication credentials to roaming users. | |
JP2004021591A (en) | Management device and authentication device | |
AU2002339767A1 (en) | Authentication using application-specific biometric templates |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
|
AS | Assignment |
Owner name: MEVC DRAPER FISHER JURVETSON FUND I, INC., CALIFOR Free format text: SECURITY INTEREST;ASSIGNOR:ARCOT SYSTEMS, INC.;REEL/FRAME:013691/0282 Effective date: 20021231 Owner name: MEVC DRAPER FISHER JURVETSON FUND I, INC.,CALIFORN Free format text: SECURITY INTEREST;ASSIGNOR:ARCOT SYSTEMS, INC.;REEL/FRAME:013691/0282 Effective date: 20021231 |
|
AS | Assignment |
Owner name: ARCOT SYSTEMS, INC., NEW YORK Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:MVC CAPITAL, INC. (FORMERLY KNOWN AS MEVC DRAPER FISHER JURVETSON FUND I, INC.);REEL/FRAME:025894/0720 Effective date: 20110223 |