Bjorn Jakobsson

Bio: Bjorn Jakobsson is an academic researcher from Mackenzie Investments. The author has contributed to research in topics: Password & Syskey. The author has an hindex of 1, co-authored 1 publications receiving 23 citations.

Method and apparatus for performing multi-server threshold password-authenticated key exchange

Abstract: A provably secure multi-server threshold password-authenticated key exchange system and method. Initially, an encryption of a function of a client's password is provided to each of a plurality of servers. The client later can authenticate the password (i.e., login) by generating an encryption based on the password which is nonetheless mathematically independent of the value of the password. Then, this encryption, along with a “proof” that the encryption was, in fact, generated based on the password, is provided to each of the servers for verification. Thus, it can be shown that the protocol is provably secure. The password authentication protocol advantageously incorporates a thresholding scheme such that the compromise of fewer than a given threshold number of the servers neither compromises the security of the system nor inhibits the proper operation of the password authentication process.

Systems and methods of secure data exchange

Abstract: In embodiments of the present invention improved capabilities are described for managing digital rights management (DRM) protected content sharing in a networked secure collaborative computer data exchange environment through a secure exchange facility managed by an intermediate organizational entity amongst users of a plurality of other organizational entities, wherein computer data content and access rights for the computer data content is shared between a first and second user, the computer data content and access rights for the computer data content are transformed into a DRM protected computer data content through communications with a DRM engine, wherein the DRM engine is selected based on a content type of the computer data content, and the DRM engine is provided by an entity other than the intermediate organizational entity and other than any of the plurality of other organizational entities.

Litigation support in cloud-hosted file sharing and collaboration

Abstract: In embodiments, the disclosure provides a method for managing content, including providing an electronic discovery facility of a secure data exchange environment, wherein at least one of a plurality of users of a first entity utilizes a network-based content storage service of a second entity to store content, and wherein the storage and access of the content with the network-based content storage service is tracked by the electronic discovery facility. The method includes receiving, at the electronic discovery facility, a discovery request, the discovery request comprising a request for a legal counsel of a third entity to access content stored on the network-based content storage service, the discovery request being, for example, in association with a litigation discovery action in relation to the first entity. Further, the method includes identifying and securing, by the electronic discovery facility and as a result of the discovery request, at least one item of content on the network-based content storage service; and providing, by the electronic discovery facility of the secure data exchange environment, access to the identified and secured item of content stored on network-based content storage service to the legal counsel of the third entity.

Systems and methods for implementing an efficient, scalable homomorphic transformation of encrypted data with minimal data expansion and improved processing efficiency

Abstract: Partially homomorphic encryption systems may be transformed into fully homomorphic encryption systems that are scalable, rapid in translation speed, difficult to invert or break, capable of enabling various types of public and/or private key generation protocols and semantically secure. Input plaintext data are transformed into modified plaintext data using a prime number operation and the modified plaintext data is then encrypted using any number of conventional encryption schemes. Desired computations on the encrypted data are transformed into homomorphic operations, based on the nature of the encryption format, and the homomorphic operations are applied to yield manipulated encrypted data. The manipulated encrypted data may be decrypted and the decrypted plaintext data may be modified into final, output plaintext data using a similar prime number operation as applied during encryption. The final, output plaintext is equivalent to plaintext data that would have been generated by just applying the desired computations to the input plaintext data.

Distributed single sign-on

Abstract: Respective cryptographic shares of password data, dependent on a user password, are provided at n authentication servers. A number t 1 ≦n of the password data shares determine if the user password matches a password attempt. Respective cryptographic shares of secret data, enabling determination of a username for each verifier server, are provided at n authentication servers. A number t 2 ≦t 1 of the shares reconstruct the secret data. For a password attempt, the user computer communicates with at least t 1 authentication servers to determine if the user password matches the password attempt and, if so, the user computer receives at least t 2 secret data shares from respective authentication servers. The user computer uses the secret data to generate, with T≦t 1 of said t 1 servers, a cryptographic token for authenticating the user computer to a selected verifier server, secret from said at least T servers, under said username.

Email effectivity facility in a networked secure collaborative exchange environment

Abstract: In embodiments of the present invention improved capabilities are described for managing access to a secure exchange environment managed by an intermediate business entity through a user email identity, the method comprising establishing a secure exchange server hosted by an intermediate business entity, wherein communications and access to a collection of files established by a first business entity are managed for a second business entity; and establishing an email effectivity facility that allows a user of the first business entity to specify a condition for email-based access to at least one resource in the collection of files, wherein the condition expresses (a) an effective period for using an email providing access to the resource and (b) a condition of email access to the resource by a designated individual of the second business entity, wherein the access permission was assigned using a specific email address of the designated individual.