Philip MacKenzie

Bio: Philip MacKenzie is an academic researcher from Mackenzie Investments. The author has contributed to research in topics: Password & Syskey. The author has an hindex of 3, co-authored 3 publications receiving 62 citations.

Method and apparatus for performing multi-server threshold password-authenticated key exchange

Abstract: A provably secure multi-server threshold password-authenticated key exchange system and method. Initially, an encryption of a function of a client's password is provided to each of a plurality of servers. The client later can authenticate the password (i.e., login) by generating an encryption based on the password which is nonetheless mathematically independent of the value of the password. Then, this encryption, along with a “proof” that the encryption was, in fact, generated based on the password, is provided to each of the servers for verification. Thus, it can be shown that the protocol is provably secure. The password authentication protocol advantageously incorporates a thresholding scheme such that the compromise of fewer than a given threshold number of the servers neither compromises the security of the system nor inhibits the proper operation of the password authentication process.

Methods and apparatus for two-party generation of DSA signatures

Abstract: Techniques are provided for sharing the DSA signature function, so that two parties can efficiently generate a DSA signature with respect to a given public key but neither can alone. In an illustrative embodiment, the invention provides a DSA signature protocol that allows a proof of security for concurrent execution in the random oracle model. The invention also allows a proof of security for sequential execution without random oracles.

Method and apparatus for distributing shares of a password for use in multi-server password authentication

Abstract: A method for distributing a password amongst a plurality of servers for subsequent use in a provably secure multi-server threshold password authentication process. A client, having a password to be authenticated by a plurality of servers, generates an encryption of a function of the password. Then, this encryption is provided to each of the servers for use in subsequent password authentication. In accordance with one illustrative embodiment of the invention, the encryption is of an ElGamal ciphertext of the function g (π C ) −1 , where π C is password and g is the generator used to generate the cryptographic keys used for communication between the client and the plurality of servers.

Systems and methods of secure data exchange

Abstract: In embodiments of the present invention improved capabilities are described for managing digital rights management (DRM) protected content sharing in a networked secure collaborative computer data exchange environment through a secure exchange facility managed by an intermediate organizational entity amongst users of a plurality of other organizational entities, wherein computer data content and access rights for the computer data content is shared between a first and second user, the computer data content and access rights for the computer data content are transformed into a DRM protected computer data content through communications with a DRM engine, wherein the DRM engine is selected based on a content type of the computer data content, and the DRM engine is provided by an entity other than the intermediate organizational entity and other than any of the plurality of other organizational entities.

Litigation support in cloud-hosted file sharing and collaboration

Abstract: In embodiments, the disclosure provides a method for managing content, including providing an electronic discovery facility of a secure data exchange environment, wherein at least one of a plurality of users of a first entity utilizes a network-based content storage service of a second entity to store content, and wherein the storage and access of the content with the network-based content storage service is tracked by the electronic discovery facility. The method includes receiving, at the electronic discovery facility, a discovery request, the discovery request comprising a request for a legal counsel of a third entity to access content stored on the network-based content storage service, the discovery request being, for example, in association with a litigation discovery action in relation to the first entity. Further, the method includes identifying and securing, by the electronic discovery facility and as a result of the discovery request, at least one item of content on the network-based content storage service; and providing, by the electronic discovery facility of the secure data exchange environment, access to the identified and secured item of content stored on network-based content storage service to the legal counsel of the third entity.

Initial password security accentuated by triple encryption and hashed cache table management on the hosted site's server

Abstract: A method for remote services authentication in an internet hosted environment includes a high level process and functionality for a secure, practical and logically optimized inter-network authentication mechanism by employees, partners and customers of an enterprise into the hosted Internet site. The lightweight authentication and authorization mechanism can be most effectively implemented in Java as part of the application or web server servlet. The method for remote services authentication includes initial secure password establishment, subsequent authentication and authorization, as well as authentication and authorization upon resuming previously run sessions with the hosted server using Internet cookies.

Systems and methods for implementing an efficient, scalable homomorphic transformation of encrypted data with minimal data expansion and improved processing efficiency

Abstract: Partially homomorphic encryption systems may be transformed into fully homomorphic encryption systems that are scalable, rapid in translation speed, difficult to invert or break, capable of enabling various types of public and/or private key generation protocols and semantically secure. Input plaintext data are transformed into modified plaintext data using a prime number operation and the modified plaintext data is then encrypted using any number of conventional encryption schemes. Desired computations on the encrypted data are transformed into homomorphic operations, based on the nature of the encryption format, and the homomorphic operations are applied to yield manipulated encrypted data. The manipulated encrypted data may be decrypted and the decrypted plaintext data may be modified into final, output plaintext data using a similar prime number operation as applied during encryption. The final, output plaintext is equivalent to plaintext data that would have been generated by just applying the desired computations to the input plaintext data.

Distributed single sign-on

Abstract: Respective cryptographic shares of password data, dependent on a user password, are provided at n authentication servers. A number t 1 ≦n of the password data shares determine if the user password matches a password attempt. Respective cryptographic shares of secret data, enabling determination of a username for each verifier server, are provided at n authentication servers. A number t 2 ≦t 1 of the shares reconstruct the secret data. For a password attempt, the user computer communicates with at least t 1 authentication servers to determine if the user password matches the password attempt and, if so, the user computer receives at least t 2 secret data shares from respective authentication servers. The user computer uses the secret data to generate, with T≦t 1 of said t 1 servers, a cryptographic token for authenticating the user computer to a selected verifier server, secret from said at least T servers, under said username.