Showing papers on "Authentication server published in 1999"

Local authentication of a client at a network device

Abstract: A method and apparatus that provide network access control are disclosed. In one embodiment, a network device is configured to intercept network traffic initiated from a client and directed toward a network resource, and to locally authenticate the client. Authentication is carried out by comparing information identifying the client to authentication information stored in the network device. In one embodiment, an authentication cache in the network device stores the authentication information. If the client identifying information is authenticated successfully against the stored authentication information, the network device is dynamically re-configured to allow network traffic initiated by the client to reach the network resource. If local authentication fails, new stored authentication is created for the client, and the network device attempts to authenticate the client using a remote authentication server. If remote authentication is successful, the local authentication information is updated so that subsequent requests can authenticate locally. As a result, a client may be authenticated locally at a router or similar device, reducing network traffic to the authentication server.

Certificate handling for digital rights management system

Abstract: A delivery system for managing security keys uses three key pairs to establish, register, move, and revoke rights in a device (705) used to view protected matter. The first and second key pairs cooperate to establish a secure certificate (740) containing a device public and private key, and the pairs of keys are manipulated to install the appropriate keys in the device and associated authentication server without ever exposing the keys. Thereafter, in the event of a need to authorize a new device to view content associated with a prior, authorized device, the key pairs are used to revoke the rights of an old device and establish identical viewing rights in the new device.

Public-key cryptography and password protocols.

Abstract: We study protocols for strong authentication and key exchange in asymmetric scenarios where the authentication server possesses ~a pair of private and public keys while the client has only a weak human-memorizable password as its authentication key. We present and analyze several simple password authentication protocols in this scenario, and show that the security of these protocols can be formally proven based on standard cryptographic assumptions. Remarkably, our analysis shows optimal resistance to off-line password guessing attacks under the choice of suitable public key encryption functions. In addition to user authentication, we describe ways to enhance these protocols to provide two-way authentication, authenticated key exchange, defense against server's compromise, and user anonymity. We complement these results with a proof that strongly indicates that public key techniques are unavoidable for password protocols that resist off-line guessing attacks.As a further contribution, we introduce the notion of public passwords that enables the use of the above protocols in situations where the client's machine does not have the means to validate the server's public key. Public passwords serve as "hand-held certificates" that the user can carry without the need for specal computing devices.

Authenticating access to a network server without communicating login information through the network server

Abstract: A system determines whether to grants access to a network server by a user. Initially, a user attempts to gain access to a network server, such as a web server. Prior to granting access to the network server, the network server authenticates the user by sending an authentication request to an authentication server. The authentication server determines whether the user was already authenticated by the authentication server. If the user was already authenticated by the authentication server, then the network server is notified that the user is authenticated. The network server then grants the user access to the network server. If the user was not already authenticated by the authentication server, then login information is retrieved from the user and compared to authentication information maintained by the authentication server. If the retrieved login information matches the authentication information, then the network server is notified that the user is authenticated. The retrieved login information and the authentication information is concealed from the network server. If the user is authenticated, then a user profile is communicated to the network server along with the notification that the user is authenticated. If the user is successfully authenticated, then a cookie is provided to an Internet browser operated by the user. The cookie contains information regarding user authentication, the user's profile, and a list of network servers previously visited by the user.

System for secure controlled electronic memory updates via networks

Abstract: A system and method for updating software for a remote unit over a network is disclosed herein. The system and method includes the remote unit, an authentication server and an update server. The remote unit may have a flasher host for communicating over the network and for transmitting commands to the remote unit. The system and method allows for the verification of a request message from the remote unit, and a response from the authentication server. The response message to the remote unit from the authentication server will contain an decryption key to decrypt the update file that will be sent by the update server. Such an authentication process prevents rogue programs from being sent to the remote unit thereby decreasing the potential for cellular fraud.

Controlling access to a network server using an authentication ticket

Abstract: A system determines whether to grant a user access to a network server. Prior to granting access to the network server, the network server authenticates the user by sending an authentication request to an authentication server. The authentication server determines whether the user was already authenticated by the authentication server. If the user is authenticated by the authentication server, then the network server is notified that the user is authenticated through the use of an authentication ticket, and the network server grants the network server user access. If the user is not authenticated by the authentication server, then login information is retrieved from the user and compared to authentication information maintained by the authentication server. If the retrieved login information matches the authentication information, then the network server is notified that the user is authenticated by using the authentication ticket.

System and method for secure distribution of digital information to a chain of computer system nodes in a network

Abstract: Described are a system and method for securely distributing session keys over a network to each node in a chain of computer system nodes. The chain of nodes recursively constructs and presents a nested request to the authentication server. The nested request includes a request from each of the nodes in the chain requiring a session key to communicate with a neighboring node. The authentication server recursively unravels the request and recursively prepares a response that includes a session key for each node that submitted a request. The response traverses the chain of nodes in the reverse order taken by the nested request to reach the authentication server. Each node receiving the response extracts the portion of the response directed to that node, and forwards the remainder of the response, if any, to the next node in the chain. Thus, with a single traversal of the chain of nodes each node receives at least one session key. The forward and reverse protocols easily generalize for any number of nodes in the chain. The protocols can employ one-way hash functions to seal requests and responses and to encode session keys.

Enhanced security for applications employing downloadable executable content

Abstract: Method and computer network for enhanced security for applications using downloadable executable content is described. More particularly, a client is operatively coupled to an authentication server and a remote host through a gateway. In an initial login session, authentication information is provided from the client to the gateway for obtaining client-authenticating credentials from the authentication server. These client-authenticating credentials may be encoded to be in a form of a data string and provided to the client, for example as the value of an HTTP cookie. The encoded data string may be provided to the client as one or more parameter values. These parameter values may be employed along with requested downloadable executable content, such as one or more Java classes, for running on the client. The Java classes may communicate the parameter values to an execution server of the gateway for decoding the encoded data string in order to extract the client-authenticating credentials therefrom. These client-authenticating credentials may then be used to obtain from the authentication server one or more keys and/or other authenticating credentials to establish a remote login session or other interactive communication with the remote host.

Public-key cryptography and password protocols: the multi-user case

Abstract: The problem of password authentication over an insecure network when the user holds only a human-memorizable password has received much attention in the literature. The first rigorous treatment was provided by Halevi and Krawczyk, who studied off-line password guessing attacks in the scenario in which the authentication server possesses a pair of private and public keys. In this work we: Show the inadequacy of both the HK formalization and protocol in the case where there is more than a single user: using a simple and realistic attack, we prove failure of the HK solution in the two-user case.Propose a new definition of security for the multi-user case, expressed in terms of transcripts of the entire system, rather than individual protocol executions.Suggest several ways of achieving this security against both static and dynamic adversaries.In a recent revision of their paper, Halevi and Krawczyk again attempted to handle the multi-user case. We expose a weakness in their revised definition.

Authentication method and system

Abstract: The present invention relates to an authentication method and system for identifying a subscriber (1) of a first network (2) in a second network (9), wherein an address of the second network (9) is allocated to the subscriber (1). An information about a mapping between the address of the second network (9) and a subscriber identity is generated and transmitted to the second network (9). Thereby, an authentication server connection is provided between the first network (2) and the second network (9), such that the subscriber identity can be handled over to the second network (9). Thus, a VAS platform of the second network (9) can receive the address of the second network and the subscriber identity of the subscriber (1), such that subscriber accessing services of the VAS platform can be identified for charging and/or addressing purposes.

Authenticating method in radio lan system and authentication device

Abstract: PROBLEM TO BE SOLVED: To provide structure, capable of safely performing authentication by connecting many subscriber stations (STA) with an access point(AP) for an encipher authenticating method and an authentication device of a radio LAN system in compliance with IEEE 802.11. SOLUTION: An authentication request is transmitted from many STAs 1, consisting of a data terminal 10 and a radio LAN card 20, to the AP 2 (S1). A MAC address is transmitted to an authentication server (RADIUS) 3 by a protocol of the authentication server 3 (S8) by the AP 2. The authentication server 3 transmits a challenge text to the AP 2 (S10), after executing authentication of the MAC address (S9). Encipher authentication is performed with the STAs 1 (S2) to (S6) according to a processing of WEP algorithm determined by the IEEE 802.11 by the AP 2. COPYRIGHT: (C)2001,JPO

Method and system for authentication and authentication processing program recording medium

Abstract: PROBLEM TO BE SOLVED: To exclude any illegal access by identifying any legal access with a small calculation quantity in single sign on type authentication for permitting plural times of access by single user authentication. SOLUTION: Secrecy information 4 is shared by a client means 1 and an authentication server means 2. The authentication server means 2 issues an authentication ticket 5 including collation information obtained by performing an irreversible arithmetic operation (f) on the secrecy information 4 (n) times. The client means 1 indicates this authentication ticket and presentation information obtained by performing an irreversible arithmetic operation (f) on the secrecy information 4 (n-k) times to a permission server means 3. The permission server means 3 performs the irreversible arithmetic operation (f) on the presented information (k) times, and checks whether or not this presented information matches the collation information. In this case, (k) is increased from 1 to (n) so that the authentication ticket 5 can be used for the maximum (n) times of access without calculating the next presented information from the past presented information.

Mobile communication terminal, communication network and user authentication method

Abstract: PROBLEM TO BE SOLVED: To provide a mobile communication terminal, a communication network and a user authentication method that can easily and surely authenticate a user with security. SOLUTION: A user authentication means (authentication server) 60 has authenticated video data relating to a video image of each legal user of each of one mobile communication terminal or over in advance as authentication data, the server 60 requests output of video data of the user to a mobile communication terminal 10 via an exchange 30 upon the receipt of a line connection request from any of one mobile communication terminal or over, and the user authentication means authenticates the user on the basis of the video data of the user supplied from the mobile communication terminal. Furthermore, the user authentication means 60 authenticates the user making a line connection request from the mobile communication terminal as a legal user whose authentication data are stored in the user authentication means when a prescribed video pattern of the video data of the user supplied from the mobile communication terminal is nearly coincident or just coincident with the prescribed video pattern of the authentication data stored in the user authentication means.

Method, arrangement and apparatus for authentication

Abstract: The present invention relates to a method and apparatus for authenticating communications in telecommunications networks. The method comprises the steps of storing authentication data and user interface identification data in an authentication server such that the identification data is bound with associated authentication data. An identification data of a communicating user interface is transmitted to the authentication server, whereafter the identification data is received in the authentication server. Such authentication data is retrieved from the stored authentication data which is bound to the received identification data. At least a part of the retrieved authentication data is then transmitted from the authentication server as a response to the received identification data.

Authentication system and authentication method

Abstract: PROBLEM TO BE SOLVED: To provide an authentication system that can prevent leakage of passwords and conduct retransmission of authentication data, by pretending of a 3rd party to be a legal party SOLUTION: When a user uses a client 3 to a log in an AP server 1, the AP server 1 generates encrypted communication data (i) and transmits the data as an authentication request to an authentication server 2 by the use of redirection through the client 3 The authentication server 2 makes request to the client 3 to enter its password and authenticates the user, on the basis of the password and the authentication request Then the server 2 transmits encrypted communication data (iv), including the result of authentication to the AP server 1 by the use of redirection via the client 3 Furthermore, the AP server 1 generates a session ID in the case of log on of the user and registers it to a common key table 11 with a common key and detects the retransmission by comparing the ID with a session ID in the communication data (iv)

System and method for decentralized authentication of server

Abstract: PROBLEM TO BE SOLVED: To facilitate authentication even when the number of registered users increases by allowing an index server to retrieve the index of an authentication request and determine one of a plurality of authentication servers, and making the determined authentication server to authenticate the authentication request. SOLUTION: The index server 240 is connected to a network and receives user authentication requests from network access servers 1, 2, 3, 4, and 5. Authentication servers 220 and 223 are connected to the index server 240 and the index server 240 determines an authentication server to perform authentication between the authentication servers 220 and 223. Then the authentication requests received from the network access servers 1, 2, 3, 4, and 5 are transferred to the determined authentication server. Consequently, the authentication can be facilitated even when the number of registered users increases.

RADIUS Authentication Server MIB

Abstract: This memo defines a set of extensions which instrument RADIUS authentication server functions. These extensions represent a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. Using these extensions IP-based management stations can manage RADIUS authentication servers.

Network authentication system using individual services providers and an authentication server

Abstract: A network system includes a plurality of individual Internet service providers each having access points, and a parallel Internet service provider connected to the plurality of individual Internet service providers, the individual Internet service providers and the parallel Internet service provider each include an authentication server. When the access point of a provider receives a connection request from a user who contracts with the parallel service provider, the provider transfers a connection ID and a password to an authentication server of the parallel Internet service provider to perform user authentication. When a result of the authentication is good, the user terminal is connected to the user terminal through the access point.

Method and apparatus for network authentication

Abstract: An ID entered from a personal computer or a mobile terminal is sent to an authentication server via a proxy server. In response to the ID, the authentication server sends current encrypting information to the proxy server. The proxy server provides the user terminal with one-time data input program based on the encrypting information. The program encrypts the password entered on the user terminal and sends it to the authentication server, and the authentication server then checks the validity. The intervention of the proxy server ensures the security of the authentication server. The provision of the one-time program in the form of a JAVA applet prevents illegal access by those intercepting the session.

Operation system for card authentication type service

Abstract: PROBLEM TO BE SOLVED: To reduce the period when the card authentication type service is completely stopped even when a failure occur in an authentication card and to ensure security related to reissuing of the card. SOLUTION: An authentication server 11 transmits a tentative terminal authentication tag B to a user terminal 21, when a failure occurs in an authentication IC card 22 in the user terminal 21 to transit to a tentative service operation mode. Authentication in the tentative service operation mode is conducted by using the tentative terminal authentication tag B and a terminal individual key X between the authentication service 11 and the user terminal 21. When a reissued, new IC card 22' is loaded to the user terminal 21, an N-bit tentative IC card authentication tag C stored in advance in the IC card 22' is added to the low-order bits of the tentative terminal authentication tag B in the IC card 22' to generate data D', which are encrypted and sent to the authentication server 11. The authentication server 11 decodes the data D' and collates the decoded data with data A0, based on the IC card authentication tag D.

Identity confirmation method and system by means of encipherment of secret data

Abstract: PROBLEM TO BE SOLVED: To provide an authentication system of high safety by using a public key encipherment system in a system where the client of a transmitter is connected to the server of a receiver via a network. SOLUTION: A server 12 generates a random number and sends it to a client 11, and the client 11 enciphers the secret data inherent to a transmitter and the received random number and sends them to the sever 12. The sever 12 checks whether the received random number is coincident with the transmitted one. If both random numbers are coincident with each other, the server 12 sends to enciphered secret data to an authentication server 13. The server 13 decodes the received secret data and decides whether the data can be correctly decoded. If the secret data are correctly decoded, the secret data are collated with the secret data on the transmitter which are stored in an authentication information database 14. Then the server 12 sends the authentication result to the server 12 which decides to provide the service or not based on the authentication result.

Apparatus and method for authenticating web using user fingerprint information

Abstract: PURPOSE: An apparatus and method for authenticating a web using information on a user's fingerprint is provided to confirm whether to authenticate a user by receiving information on a user's fingerprint through a fingerprint recognition device in case that it is necessary for the user to be authenticated, and by checking whether an ID of the user is identical to the information. CONSTITUTION: A fingerprint recognition device(24) recognizes a user's fingerprint. An authentication client(22) makes a request for an authentication on information on the user's fingerprint and an ID of the user. An authentication server(30) confirms whether the information and the ID are identical to information in a database(32), and determines whether to authenticate the user. A CGI program unit(28) provides information for a work to a web client(20) through a web server(26) in case that the authentication is succeeded.

A nested mutual authentication protocol

Abstract: This paper describes an authentication protocol that is suited to modern, object-based, client-server systems. Each object in a chain, whether acting in a client or server role, handles authentication with its neighbours, without any need to be aware of the resultant global behaviour. Session keys are returned by an authentication server which services a client-server chain as a whole: nested requests are built along the forward chain; the final server presents the whole package to the authentication server; and sessions keys are delivered back down the chain. The protocol, as described, avoids entanglement with the politics of cryptography by using One-Way-Hash-Functions throughout. The authentication chain might traverse different legal jurisdictions, but adjacent applications can use returned session keys for any legitimate purpose, including message sealing or encryption.

Secure distribution of session keys to a chain of network nodes

Abstract: A chain of nodes 14, 22, 26 recursively constructs steps 94, 96, 98 and presents steps 100 a nested request to the authentication server 18, which includes a sealed or encrypted portion. The nested request includes a request from each of the nodes in the chain requiring a session key to communicate with a neighboring node. The authentication server recursively unravels the request and recursively prepares a response that includes a session key for each node that submitted a request Figs. 5, 6, 7. The response traverses the chain of nodes in the reverse order taken by the nested request to reach the authentication server. Each node receiving the response extracts the portion of the response directed to that node, and forwards the remainder of the response, if any, to the next node in the chain Fig 8. Thus, with a single traversal of the chain of nodes each node receives at least one session key. The forward and reverse protocols easily generalize for any number of nodes in the chain. The protocols can employ one-way hash functions to seal requests and responses and to encode encipher session keys. Portions of the response may be encrypted using the session keys.

User authentication system and method using sound password

Abstract: PURPOSE: A user authentication system and method using sound password are provided in which a user sounds his password to transmit the sound password to a server and the server analyzes the transmitted sound to confirm the user, thereby improving reliability of user authentication. CONSTITUTION: A user authentication system includes a client terminal(10) and an authentication server(16). The client terminal transmits sound information obtained by pre-processing basic information related with user authentication and a sound password input by a user to a network and provides information from the network to the user. The authentication server is connected to the client terminal through the network. The server performs the first authentication using the user basic information input by the client terminal, and analyzes the transmitted sound information to carry out the second authentication, thereby confirming the user. The server sends the confirmed result to the client terminal.

Public-Key Cryptography and Password Protocols: The Multi-User Case.

Abstract: The problem of password authentication over an insecure network when the user holds only a human-memorizable password has received much attention in the literature. The first rigorous treatment was provided by Halevi and Krawczyk, who studied off-line password guessing attacks in the scenario in which the authentication server possesses a pair of private and public keys. In this work we: Show the inadequacy of both the HK formalization and protocol in the case where there is more than a single user: using a simple and realistic attack, we prove failure of the HK solution in the two-user case.Propose a new definition of security for the multi-user case, expressed in terms of transcripts of the entire system, rather than individual protocol executions.Suggest several ways of achieving this security against both static and dynamic adversaries.In a recent revision of their paper, Halevi and Krawczyk again attempted to handle the multi-user case. We expose a weakness in their revised definition.

Authentication system, method and recording medium

Abstract: PROBLEM TO BE SOLVED: To provide an authentication system, a method and a recording medium which authenticate the private information of a person which is authenticated, which is necessary for authentication without transferring it on a communication line that is opened to the public SOLUTION: An authentication provides records private information that is used for comparison in authentication and a program that is for performing primary authentication on a CDROM 31 and transfers them to a person which is authenticated The client (computer) 30 of the person who is authenticated uses the CDROM 31 and authenticates the private information of the person which is authenticated In the case of succeeding in the primary authentication, an authentication server 10 of an authentication center performs secondary authentication about the authenticity of the CDROM 31 In the case of succeeding in the primary and secondary authentication, a program for electronic transaction which is recorded on the CDROM 31 becomes available

Network computing system, communication control method in the system and storage medium with the method storied therein

Abstract: PROBLEM TO BE SOLVED: To realize restoration of a previously accessed page in a reconnection case, access control over the page and a toll charge for the access without damaging operability nor newly adding software to a terminal when accessing a WWW server through dial-up connection from a terminal provided with a browser function. SOLUTION: An access server 120a to be connected to a public network, an authentication server 130, a session management server 140 and a WWW relay server 150 are provided on a network 170, and transmission and reception control with a terminal 110a performing dial-up connection through the public network 180 is performed. This operation can be realized without forcing a user special work nor having to additionally loading new software on the terminal.

Registered terminal identification method and device therefor

Abstract: PROBLEM TO BE SOLVED: To discriminate the communication terminals without using plural different user IDs, password numbers, etc, by adding a discrimination ID to a user ID when an access is carried out via a 1st terminal and using only a user ID when an access is carried out via a 2nd terminal SOLUTION: A member 11 who is previously registered at an information management center 1 acquires a navigation CD-ROM to receive the services of the center 1 and also decides a user ID and a password number When a navigation device 8 sends a message to the center 1, the user ID and password number are authenticated by an authentication server 3 via an access server 2 of the center 1 When the member 11 accesses the center 1 via a personal computer 9, he starts a personal computer CD-ROM to input the same user ID and password number as those which are used by the device 8 Then a discrimination ID is automatically added to the user ID of the personal computer CD-ROM

Password integration management system

Abstract: PROBLEM TO BE SOLVED: To provide a password integration management system which efficiently manages an access to a distribution connected processor. SOLUTION: An ID number and a password are inputted from an input device 2 connected to a terminal 1 for displaying a job screen. A job server 3 has an ID storage part 31 for storing the ID number and a cryptographic key encoding part 32 for decoding the cryptographic key, and executes job processing. An authentication server 4 has an ID/password storage part 41 for storing association between the ID number and the password and a cryptographic key generation part 42 for generating the cryptographic key, and stores authentication information. In this structure, it is integrally managed whether or not it is valid to start job processing in a distribution connected processor. Thus, in jog start processing in plural job system, job start of all system is enabled by a single user ID/password without a system user being conscious of all the user ID/password managed by individual system and using them for different purposes.