Richard Edward Lennon

Bio: Richard Edward Lennon is an academic researcher from IBM. The author has contributed to research in topics: Cryptography & Message authentication code. The author has an hindex of 8, co-authored 13 publications receiving 611 citations.

Transaction security system

Abstract: An electronic funds transfer system (EFT) is described in which retail terminals located in stores are connected through a public switched telecommunication system to card issuing agencies data processing centers. Users of the system are issued with intelligent secure bank cards, which include a microprocessor, ROS and RAM stores. The POS includes a personal key (KP) and an account number (PAN) stored on the card when the issuer issues it to the user. Users also have a personal identity number (PIN) which is stored or remembered separately. A transaction is initiated at a retail terminal when a card is inserted in an EFT module connected to the terminal. A request message including the PAN and a session key (KS) is transmitted to the issuers data processing center. The issuer generates an authentication parameter (TAP) based upon its stored version of KP and PIN and a time variant parameter received from the terminal. The TAP is then returned to the terminal in a response message, and based upon an imputed PIN, partial processing of the input PIN and KP on the card a derived TAP is compared with the received TAP in the terminal. A correct comparison indicating that the entered PIN is valid. The request message includes the PAN encoded under the KS and KS encoded under a cross-domain key. Message authentication codes (MAC) are attached to each message and the correct reception and regeneration of a MAC on a message including a term encoded under KS indicates that the received KS is valid and that the message originated at a valid terminal or card.

Cryptographic verification of operational keys used in communication networks

Abstract: In a data communication network providing communication security for communication sessions between a first station and a second station where each station has cryptographic apparatus provided with an operational key which should be common to both stations for cryptographic operations, an operational key verification arrangement is provided in which a first number provided at the first station is operated upon in accordance with the first station operational key to obtain cryptographic data for transmission to the second station, requiring the second station to perform an operation on the first station cryptographic data in accordance with the second station operational key to obtain cryptographic data for transmission back to the first station and performing an operation at the first station in accordance with the first number and the second station cryptographic data to verify that the second station is the source of second station cryptographic data only if the operational keys are identical.

Transaction security system using time variant parameter

Abstract: An electronic funds transfer system (EFT) is described in which retail terminals located in stores are connected through a public switched telecommunication system to card issuing agencies data processing centers. Users of the system are issued with intelligent secure bank cards, which include a microprocessor, ROS and RAM stores. The ROS includes a personal key (KP) and an account number (PAN) stored on the card when the issuer issues it to the user. Users also have a personal identity numbe (PIN) which is stored or remembered separately. A transaction is initiated at a retail terminal when a card is inserted in an EPT module connected to the terminal. A request message including the PAN and a session key (KS) is transmitted to the issuers data processing center. The issuer generates an authentication parameter (TAP) based upon its stored version of KP and PIN and a time variant parameter received from the terminal. The TAP is then returned to the terminal in a response message, and based upon an inputed PIN, partial processing of the input PIN and KP on the card a derived TAP is compared with the received TAP in the terminal. A correct comparison indicating that the entered PIN is valid. The request message includes the PAN encoded under the KS and KS encoded under a cross-domain key. Message authentication codes (MAC) are attached to each message and the correct reception and regeneration of a MAC on a message including a term encoded under KS indicates that the received KS is valid and that the message originated at a valid terminal or card.

Cryptographic Authentication of Time-Invariant Quantities

Abstract: With any strong cryptographic algorithm, such as the data encryption standard (DES), it is possible to devise protocols for authentication. One technique, which allows arbitrary, time-invariant quantities (such as encrypted keys and passwords) to be authenticated, is based upon a secret cryptographic (master) key residing in a host processor. Each quantity to be authenticated has a corresponding precomputed test pattern. At any later time, the test pattern can be used together with the quantity to be authenticated to generate a nonsecret verification pattern. The verification pattern can in turn be used as the basis for accepting or rejecting the quantity to be authenticated.

Cryptographic application for interbank verification

Abstract: In a data communication network which includes terminals interconnected via a central switch, a process for verifying the identity of a terminal user who is provided with secret data associated with his identity. In carrying out the verification process, the secret data is first encrypted at the terminal under a transfer-in key for transmission to an associated data processing system. When it is determined that the terminal user maintains an account at the associated data processing system, a first translate operation is performed to translate the data from encryption under the transfer-in key to encryption under an authentication key, both of which keys are protected under other keys which are different from each other, thereby providing an authentication parameter which may be used to verify the identity of the terminal user. When it is determined that the terminal user does not maintain an account at the associated data processing system, a second translate operation is performed to translate the data from encryption under the transfer-in key to encryption under a transfer-out key for transmission to the next associated host system, the switch or a remote host system. At each such node, except the switch, a determination is made as to whether a verification process can be performed otherwise, the encrypted data is translated for transmission to the next or a remote node of the network for such verification.

Method and system for placing a purchase order via a communications network

Abstract: A method and system for placing an order to purchase an item via the Internet. The order is placed by a purchaser at a client system and received by a server system. The server system receives purchaser information including identification of the purchaser, payment information, and shipment information from the client system. The server system then assigns a client identifier to the client system and associates the assigned client identifier with the received purchaser information. The server system sends to the client system the assigned client identifier and an HTML document identifying the item and including an order button. The client system receives and stores the assigned client identifier and receives and displays the HTML document. In response to the selection of the order button, the client system sends to the server system a request to purchase the identified item. The server system receives the request and combines the purchaser information associated with the client identifier of the client system to generate an order to purchase the item in accordance with the billing and shipment information whereby the purchaser effects the ordering of the product by selection of the order button.

Network sales system

Abstract: A network-based sales system includes at least one buyer computer for operation by a user desiring to buy a product, at least one merchant computer, and at least one payment computer. The buyer computer, the merchant computer, and the payment computer are interconnected by a computer network. The buyer computer is programmed to receive a user request for purchasing a product, and to cause a payment message to be sent to the payment computer that comprises a product identifier identifying the product. The payment computer is programmed to receive the payment message, to cause an access message to be created that comprises the product identifier and an access message authenticator based on a cryptographic key, and to cause the access message to be sent to the merchant computer. The merchant computer is programmed to receive the access message, to verify the access message authenticator to ensure that the access message authenticator was created using the cryptographic key, and to cause the product to be sent to the user desiring to buy the product.

Display screen or portion thereof with graphical user interface

Abstract: Newness and distinctiveness is claimed in the features of ornamentation as shown inside the broken line circle in the accompanying representation.

System for controlling access and distribution of digital property

Abstract: A method and device are provided for controlling access to data. Portions of the data are protected and rules concerning access rights to the data are determined. Access to the protected portions of the data is prevented, other than in a non-useable form; and users are provided access to the data only in accordance with the rules as enforced by a mechanism protected by tamper detection. A method is also provided for distributing data for subsequent controlled use of those data. The method includes protecting portions of the data; preventing access to the protected portions of the data other than in a non-useable form; determining rules concerning access rights to the data; protecting the rules; and providing a package including: the protected portions of the data and the protected rules. A user is provided controlled access to the distributed data only in accordance with the rules as enforced by a mechanism protected by tamper protection. A device is provided for controlling access to data having protected data portions and rules concerning access rights to the data. The device includes means for storing the rules; and means for accessing the protected data portions only in accordance with the rules, whereby user access to the protected data portions is permitted only if the rules indicate that the user is allowed to access the portions of the data.

Internet server access control and monitoring systems

Abstract: This invention relates to methods for controlling and monitoring access to network servers. In particular, the process described in the invention includes client-server sessions over the Internet. In this environment, when the user attempts to access an access-controlled file, the server subjects the request to a secondary server which determines whether the client has an authorization or valid account. Upon such verification, the user is provided with a session identification which allows the user to access to the requested file as well as any other files within the present protection domain.