
Showing papers on "Data Authentication Algorithm published in 2003"


Patent
16 Apr 2003
TL;DR: In this paper, the authentication service allows a card issuer to verify a card's identity using a variety of authentication methods, such as with the use of tokens, and notifying a merchant whether the cardholder's authenticity has been verified.
Abstract: A payment authentication service authenticates the identity of a payer during online transactions. The authentication service allows a card issuer to verify a cardholder's (110) identity using a variety of authentication methods, such as with the use of tokens. Authenticating the identity of a cardholder (110) during an online transaction involves querying an access control server to determine if a cardholder (110) is enrolled in the payment authentication service, requesting a password from the cardholder, verifying the password, and notifying a merchant whether the cardholder's (110) authenticity has been verified. Systems for implementing the authentication service in which a cardholder (110) uses a mobile device capable of transmitting messages via the Internet are described. Systems for implementing the authentication service in which a cardholder (110) uses a mobile device capable of transmitting messages through voice and messaging channels are also described.

575 citations


Patent
26 Nov 2003
TL;DR: In this paper, a method and system for generating an authentication code that depends at least in part on a dynamic value that changes over time, an event state associated with the occurrence of an event, and a secret associated with an authentication device is presented.
Abstract: A method and system for generating an authentication code that depends at least in part on a dynamic value that changes over time, an event state associated with the occurrence of an event, and a secret associated with an authentication device. By generating the authentication code responsive to an event state, an identity authentication code can be used to verify identity and to communicate event state information, and to do so in a secure manner.

312 citations


Book Chapter
13 Apr 2003
TL;DR: This paper provides a comprehensive treatment of forward-security, as a practical means to mitigate the damage caused by key-exposure, in the context of shared-key based cryptographic primitives, by identifying forward-secure pseudorandom bit generators as the central primitive and showing how forward-secure message authentication schemes and symmetric encryption schemes can be built based on standard schemes.
Abstract: This paper provides a comprehensive treatment of forward-security in the context of shared-key based cryptographic primitives, as a practical means to mitigate the damage caused by key-exposure. We provide definitions of security, practical proven-secure constructions, and applications for the main primitives in this area. We identify forward-secure pseudorandom bit generators as the central primitive, providing several constructions and then showing how forward-secure message authentication schemes and symmetric encryption schemes can be built based on standard schemes for these problems coupled with forward-secure pseudorandom bit generators. We then apply forward-secure message authentication schemes to the problem of maintaining secure access logs in the presence of break-ins.

261 citations


Proceedings Article
08 Dec 2003
TL;DR: A secure version of ARP that provides protection against ARP poisoning and performance measurements show that PKI based strong authentication is feasible to secure even low level protocols, as long as the overhead for key validity verification is kept small.
Abstract: Tapping into the communication between two hosts on a LAN has become quite simple thanks to tools that can be downloaded from the Internet. Such tools use the address resolution protocol (ARP) poisoning technique, which relies on hosts caching reply messages even though the corresponding requests were never sent. Since no message authentication is provided, any host of the LAN can forge a message containing malicious information. We present a secure version of ARP that provides protection against ARP poisoning. Each host has a public/private key pair certified by a local trusted party on the LAN, which acts as a certification authority. Messages are digitally signed by the sender, thus preventing the injection of spurious and/or spoofed information. As a proof of concept, the proposed solution was implemented on a Linux box. Performance measurements show that PKI based strong authentication is feasible to secure even low level protocols, as long as the overhead for key validity verification is kept small.

190 citations


01 Sep 2003
TL;DR: This document defines Remote Authentication Dial In User Service (RADIUS) support for the Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication mechanisms.
Abstract: This document defines Remote Authentication Dial In User Service (RADIUS) support for the Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication mechanisms. In the proposed scheme, the Network Access Server (NAS) forwards EAP packets to and from the RADIUS server, encapsulated within EAP-Message attributes. This has the advantage of allowing the NAS to support any EAP authentication method, without the need for method-specific code, which resides on the RADIUS server. While EAP was originally developed for use with PPP, it is now also in use with IEEE 802.

178 citations


Patent
05 May 2003
TL;DR: In this paper, a generic Internet Protocol (IP) authentication is provided by authentication server (134) and Application Programming Interface (API) (310) detects the protocol type of an incoming authentication request and invokes one of a number of authentication mechanisms (318-326) depending on the protocol types detected.
Abstract: Generic Internet Protocol (IP) authentication is provided by authentication server (134). Application Programming Interface (API) (310) detects the protocol type of an incoming authentication request and invokes one of a number of authentication mechanisms (318-326) depending on the protocol type detected. A localized repository (520) is provided to store Subscriber Identity Module (SIM) information and other algorithm data as required to facilitate the authentication session.

134 citations


Journal Article
TL;DR: A modified Yang-Shieh scheme to enhance security can help withstand the forged login attack and also provide a mutual authentication method to prevent the forged server attack.

121 citations


Patent
Kyung-Hee Lee, Maeng-Hee Sung
09 Oct 2003
TL;DR: In this paper, the authors propose a method for authenticating a mobile node in a wireless local area network including at least two access points and an authentication server, where the mobile node associates with a first access point and performs initial authentication.
Abstract: Disclosed is a method for authenticating a mobile node in a wireless local area network including at least two access points and an authentication server. When the mobile node associates with a first access point and performs initial authentication, the mobile node receives a first session key for secure communication from the authentication server by using a first private key generated with a secret previously shared with the authentication server, and the first access point receives the first session key from the authentication server by using a second private key previously shared with the authentication server. When the mobile node is handed over from the first access point to a second access point and performs re-authentication, the mobile node receives a second session key for secure communication from the authentication server by using a third private key generated with authentication information generated during previous authentication and shared with the authentication server and the second access point receives the second session key from the authentication server by using the second private key previously shared with the authentication server.

120 citations


Patent
16 Jan 2003
TL;DR: In this paper, an online transaction system configured to implement authentication methods that allow for strong multi-factor authentication in online environments is presented, which can be combined with strong security methods to further ensure that the authentication process is secure.
Abstract: An online transaction system configured to implement authentication methods that allow for strong multi-factor authentication in online environments. The authentication methods can be combined with strong security methods to further ensure that the authentication process is secure. Further, the strong multi-factor authentication can be implemented with zero adoption dependencies through the implementation of automated enrollment methods.

116 citations


Journal Article
TL;DR: A new scheme is presented which also overcomes a different type of attack on this scheme and previously generated passwords are secure even if the secret key of the system is leaked or is stolen.
Abstract: In 2000, Hwang and Li proposed a new remote user authentication scheme using smart cards. Chan and Chang showed that the masquerade attack is successful on this scheme. Recently Shen, Lin and Hwang pointed out a different type of attack on this scheme and presented a modified scheme to remove these defects. In this paper we present a new scheme which also overcomes these attacks. In this scheme previously generated passwords are secure even if the secret key of the system is leaked or is stolen.

115 citations


Patent
19 Jun 2003
TL;DR: An inter-authentication method capable of safely and easily performing inter-authentication is presented in this article, where a private key of the initial value is stored in a client and a server (Pc0, Ps0).
Abstract: An inter-authentication method capable of safely and easily performing inter-authentication. In the inter-authentication process, a private key K0 of the initial value is stored in a client and a server (Pc0, Ps0). The client generates a random number R, calculates password data C and authentication data A, and transmits the result to the server (Pc1). The server receives the authentication data A and the password data C from the client, generates a random number R, calculates and returns password data S and authentication data Q, and updates the private key K0 to a new private key K1 (Ps1). The client receives the authentication data B and the password data S from the server, generates a random number R, calculates the password data C2 and the authentication data A2, returns the results to the server, and updates the private key K0 to the new private key K1 (Pc2). The client and the server check whether validity is satisfied.

Journal Article
01 Mar 2003
TL;DR: The USA National Institute of Standards and Technology selected the Advanced Encryption Standard, a new standard symmetric key encryption algorithm, from 15 qualifying algorithms.
Abstract: The USA National Institute of Standards and Technology selected the Advanced Encryption Standard, a new standard symmetric key encryption algorithm, from 15 qualifying algorithms. NIST has also made efforts to update and extend their standard cryptographic modes of operation.

Patent
21 Jan 2003
TL;DR: In this article, the authors propose a method and device for routing data packets of a wireless terminal device in a communication network, where the access controller relays information relating to the authentication between the terminal device and an authenticating server, and is capable of updating independently the list of users it maintains.
Abstract: A method and device for routing data packets of a wireless terminal device in a communication network. When Open system Authentication is used, the system operates similarly as the current Nokia Operator Wireless LAN system, in which the terminal device and the access controller are the parties involved in the authentication. The access controller relays information relating to the authentication between the terminal device and an authenticating server, and it is capable of updating independently the list of users it maintains. When authentication according to IEEE 802.1X is used, the access point operates according to the IEEE 802.1X standard, serving as the authenticating party and relaying information relating to the authentication between the terminal device and the authentication server. In addition, the list maintained by the access controller is updated after a successful authentication, for example by the access point or the authenticating server.

Patent
16 Jan 2003
TL;DR: In this article, an online transaction system configured to implement authentication methods that allow for strong multi-factor authentication in online environments is presented, which can be combined with strong security methods to further ensure that the authentication process is secure.
Abstract: An online transaction system configured to implement authentication methods that allow for strong multi-factor authentication in online environments. The authentication methods can be combined with strong security methods to further ensure that the authentication process is secure. Further, the strong multi-factor authentication can be implemented with zero adoption dependencies through the implementation of automated enrollment methods.

Proceedings Article
19 Sep 2003
TL;DR: This work has designed and implemented a comprehensive single sign-on (SSO) authentication architecture that confederates WLAN service providers through trusted identity providers, and developed a compound layer 2 and Web authentication scheme that ensures cryptographically protected access while preserving pre-existing public WLAN payment models.
Abstract: A serious impediment for seamless roaming between independent wireless LANs (WLANs) is how best to confederate the various WLAN service providers, each having different trust relationships with individuals and each supporting their own authentication schemes which may vary from one provider to the next. We have designed and implemented a comprehensive single sign-on (SSO) authentication architecture that confederates WLAN service providers through trusted identity providers. Users select the appropriate SSO authentication scheme from the authentication capabilities announced by the WLAN service provider, and can block the exposure of their privacy information while roaming. In addition, we have developed a compound layer 2 and Web authentication scheme that ensures cryptographically protected access while preserving pre-existing public WLAN payment models. Our experimental results, obtained from our prototype system, show the total authentication delay is well within 2 seconds. This is dominated primarily by our use of industry-standard XML-based protocols, yet is still small enough for practical use.

Patent
09 Apr 2003
TL;DR: In this article, a method of preparing memory contents of a gaming machine for subsequent authentication and a method for authenticating the prepared memory contents are disclosed, which involves generating fresh authentication codes using the authentication program and comparing the fresh codes with appropriate ones of the stored authentication codes.
Abstract: A method of preparing memory contents of a gaming machine for subsequent authentication and a method of authenticating the prepared memory contents are disclosed. A first memory stores a game data set and a first authentication code generated from the game data set. The game data set includes game data files and second authentication codes generated from the respective data files. A second memory stores an authentication program for authenticating the first memory's contents, as well as a third authentication code generated from the second memory's contents. To authenticate the memory contents, the second memory's contents are first authenticated and, if deemed authentic, the game data set as a whole and each data file in the first memory are authenticated. The authentication process involves generating fresh authentication codes using the authentication program and comparing the fresh codes with appropriate ones of the stored authentication codes.

Proceedings Article
01 Feb 2003
TL;DR: This work constructs the first such proactive scheme based on the discrete log assumption by efficiently transforming Schnorr’s popular signature scheme into a P2SS, and extends the technique to the signature scheme of Guillou and Quisquater, providing two practical and efficient P2SSs that can be proven secure in the random oracle model under standard discrete log or RSA assumptions.
Abstract: We study proactive two-party signature schemes in the context of user authentication. A proactive two-party signature scheme (P2SS) allows two parties—the client and the server—jointly to produce signatures and periodically to refresh their sharing of the secret key. The signature generation remains secure as long as both parties are not compromised between successive refreshes. We construct the first such proactive scheme based on the discrete log assumption by efficiently transforming Schnorr’s popular signature scheme into a P2SS. We also extend our technique to the signature scheme of Guillou and Quisquater (GQ), providing two practical and efficient P2SSs that can be proven secure in the random oracle model under standard discrete log or RSA assumptions. We demonstrate the usefulness of P2SSs (as well as our specific constructions) with a new user authentication mechanism for the Self-certifying File System (SFS) [28]. Based on a new P2SS we call 2Schnorr, the new SFS authentication mechanism lets users register the same public key in many different administrative realms, yet still recover easily if their passwords are compromised. Moreover, an audit trail kept by a secure authentication server tells users exactly what file servers an attacker may have accessed—including even accounts the user may have forgotten about.

Journal Article
21 May 2003
TL;DR: The merit of the proposed protocol is that it does not cause problems and alter the existing architecture of GSM at all, and the robustness of the new protocol is also based on security algorithms A3, A5 and A8.
Abstract: An extension of the authentication protocol for GSM is proposed to improve some drawbacks of the current GSM authentication protocol including: not supporting bilateral authentication; huge bandwidth consumption between VLR and HLR; stored space overhead in VLR; and overloaded HLR with authentication of mobile stations. As a result, this new extension of the authentication protocol not only improves these drawbacks but also achieves the requirements: mutual authentication, reduction of bandwidth consumption, less storage of VLR database, security, and efficiency. The merit of the proposed protocol is that it does not cause problems and alter the existing architecture of GSM at all. The robustness of the new protocol is also based on security algorithms A3, A5 and A8.

Patent
26 Jun 2003
TL;DR: In this article, the authors present methods and systems for performing network port authentication without requiring any operating system (OS) complicity, and demonstrate that port authentication may also be performed via an out-of-band base management controller that operates independently from an operating system running on the supplicant.
Abstract: Methods and systems for performing network port authentication without requiring any operating system (OS) complicity are disclosed. Under one method, port authentication instructions are loaded into a protected memory space during a pre-boot of a supplicant system. In response to a port authentication request, the supplicant system's processor is switched to a hidden execution mode and executes the port authentication instructions to authenticate a network port hosted by an authenticator system to which the supplicant system is linked. One authentication process employs an authentication server that authenticates the supplicant via one of various authentication schemes, including an access challenge. Port authentication may also be performed via an out-of-band base management controller that operates independently from an operating system running on the supplicant.

Patent
30 May 2003
TL;DR: In this article, a dynamic computer system security method and system using dynamic encryption and full synchronization between system nodes is presented, where a data record created by a source user is encrypted with an initial dynamic session key.
Abstract: In a first embodiment, a dynamic computer system security method and system using dynamic encryption and full synchronization between system nodes. A data record created by a source user is encrypted with an initial dynamic session key. A new dynamic session key is generated based upon a data record and a previous dynamic session key. A central authority is used to synchronize and authenticate both source and destination users with constantly regenerated dynamic authentication keys. In a second embodiment, a method of providing dynamic security authentication between wireless communication network nodes. An initial authentication key and an address are assigned to certain of the nodes. The address along with information encrypted by the initial authentication key is sent to an authentication server. The authentication server and node or nodes synchronously regenerate authentication keys based upon the initial authentication key. Secure handovers occur between nodes via an authentication key.

Patent
15 Jan 2003
TL;DR: A secure storage device with the external dimensions of a PCMCIA card, for securing digital camera data at the acquisition stage is described in this article, which includes downloading the original image data to a first computer, and encrypting and storing the encrypted original authentication data on a second computer.
Abstract: A secure storage device with the external dimensions of a PCMCIA card, for securing digital camera data at the acquisition stage. Original digital camera data is saved in the memory of the secure storage device which has the capability of performing one or more security functions, including encryption, creation of an authentication file, adding data to the image data such as fingerprinting, and adding secure annotations such as separate data included in an image-header. The device prepares original authentication data from original digital camera data, and encrypts and stores both the original authentication data and the original image data. The use of the device includes downloading the original image data to a first computer, and encrypted original authentication data to a second computer. The second computer can be programmed with software whereby the encrypted original authentication data can be decrypted by a user having a key. The software then allows the user to prepare corresponding second authentication data from second image data of questionable authenticity. If the second authentication data is the same as the original authentication data, the questionable second image data is deemed to be an accurate copy of the original image data.

Patent
28 Aug 2003
TL;DR: In this article, an online transaction system configured to implement authentication methods that allow for strong multi-factor authentication in online environments is presented, and the authentication methods can be combined with strong security methods to further ensure that the authentication process is secure.
Abstract: An online transaction system configured to implement authentication methods that allow for strong multi-factor authentication in online environments. The authentication methods can be combined with strong security methods (218) to further ensure that the authentication process is secure. Further, the strong multi-factor authentication can be implemented with zero adoption dependencies through the implementation of automated enrollment methods (210).

Patent
31 Mar 2003
TL;DR: In this paper, the authors present a system and method which provides authentication for data services for at least one UE using common authentication information based upon information stored in a HSS of a home network.
Abstract: The present invention is a system and method which provides authentication for data services for at least one UE (12) using common authentication information based upon information stored in a HSS (16) of a home network (20) of the at least one UE for multiple protocols. At least one proxy server (18) stores authentication information for each of the protocols which may be used to provide data services to the at least one UE. Authentication of the protocols available to the at least one UE uses the authentication information stored at the at least one proxy server obtained from the protocol used in the home network of the at least one UE.

Patent
Gilad Odinak, Nigel S. Keam
15 Oct 2003
TL;DR: In this article, a system for communicating over electrical wiring in a house or other building is presented, where components are grouped and each group is assigned a group identifier code, and each message includes message data, and a message authentication code (MAC) that is calculated for each message.
Abstract: A system for communicating over electrical wiring in a house or other building is presented. Components are grouped and each group is assigned a group identifier code. Components communicate only with components of the same group, using the group identifier code. Each message includes the group identifier code, message data, and a message authentication code (MAC) that is calculated for each message. A receiving component disregards any message whose group identifier code is not the same as that of the receiving component. MACs are calculated using a shared key value and a one-way hash function. The shared key value, in turn, is taken from an ordered sequence of key values that is defined for each component group based on a counter value. To change to a new key value, one component of the group simply starts using the new key value. When a receiving component receives a message that does not.

Patent
Raymond T. Hsu
20 Jun 2003
TL;DR: A method and apparatus for providing Cellular Authentication Voice Encryption (102, CAVE) in an Extensible Authentication Protocol (104, EAP) format is described in this article. But this method is not suitable for wireless communications.
Abstract: A method and apparatus for providing Cellular Authentication Voice Encryption (102, CAVE) in an Extensible Authentication Protocol (104, EAP) format.

Patent
Masami Kugai
22 Apr 2003
TL;DR: In this article, a service-providing method which uses a user terminal, a service providing apparatus, and an authentication apparatus is disclosed, in which authentication data is generated and encrypted by using an encryption key which is stored in the user terminal.
Abstract: A service providing method which uses a user terminal, a service providing apparatus, and an authentication apparatus is disclosed. In the method, authentication data is generated and encrypted by using an encryption key which is stored in the user terminal. The encrypted authentication data is transmitted from the authentication apparatus to the user terminal through the service providing apparatus. The encrypted authentication data is decrypted in the user terminal by using the encryption key. The decrypted authentication data is returned to the authentication apparatus through the service providing apparatus, and an authentication is executed in the authentication apparatus by comparing the decrypted authentication data transmitted from the user terminal with the authentication data before encryption. The service providing apparatus provides a service to the user in accordance with a result of the authentication.

Patent
07 May 2003
TL;DR: In this paper, an interactive method for authentication of a client in a network environment utilizes two or more "what user knows" authentication factors, such as a static password, random partial pattern recognition factor and a random partial digitized path recognition factor.
Abstract: A system for authentication of a client includes logic supporting combinations of more than one “what user knows” authentication factor for strong authentication of a client, such as a static password, random partial pattern recognition factor and a random partial digitized path recognition factor. An interactive method for authentication of a client in a network environment utilizes two or more “what user knows” authentication factors. The two or more “what user knows” authentication factors are algorithmically and parametrically independent. The client is prompted to provide a server the first “what user knows” authentication factor over a communication medium. The server verifies the first “what user knows” authentication factor. If successful, then the client is prompted to provide the server the second “what user knows” authentication factor. The server verifies the second “what user knows” authentication factor, and so on, to complete the authentication process.

Patent
12 Feb 2003
TL;DR: An authentication method and system for a public wireless local area network (WLAN) service system are provided in this paper, which includes a WLAN user terminal, an access point (AP), and an authentication server for processing authentication in response to a request for authentication from the user terminal.
Abstract: An authentication method and system for a public wireless local area network (WLAN) service system are provided. An authentication method for a public WLAN service system, which includes a WLAN user terminal, an access point (AP) for relaying communications to and from the user terminal, and an authentication server for processing authentication in response to a request for authentication from the user terminal, includes the steps of the user terminal asking the AP for access to the public WLAN; the AP searching for authentication information stored in the AP; if the authentication information is found, the AP performing an authentication process; and if the authentication information is not found, the AP asking the authentication server for authentication, and the authentication server performing the authentication process.

Patent
30 Apr 2003
TL;DR: In this paper, a system and method that uses authentication inkblots to help computer system users first select and later recall authentication information from high entropy information spaces is presented. But, the system is not suitable for the use of a user-computable hash of the natural language description of the authentication ink blob.
Abstract: A system and method that uses authentication inkblots to help computer system users first select and later recall authentication information from high entropy information spaces. An inkblot authentication module generates authentication inkblots from authentication inkblot seeds. On request, a security authority generates, stores and supplies an authentication inkblot seed set for a user. In response to an authentication inkblot, a user inputs one or more alphanumeric characters. The responses to one or more authentication inkblots serve as authentication information. A user-computable hash of the natural language description of the authentication inkblot is utilized to speed authentication information entry and provide for compatibility with conventional password-based authentication. Authentication with an authentication information match ratio of less than 100% is possible. Authentication inkblot generation methods are disclosed, as well as a detailed inkblot authentication protocol which makes it difficult for users to opt-out of high entropy authentication information generation.

Patent
14 May 2003
TL;DR: In this article, the authors proposed a data updating method and a data update system which can update data of an IC card through a network without mistaking the IC card targeted for updating.
Abstract: The present invention provides a data updating method and a data updating system which can update data of an IC card through a network without mistaking the IC card targeted for updating. When each of issuer client authentication, personal authentication, issuer server authentication and device authentication is performed, a server transmits update data encrypted by a public key used for the device authentication to a client. Then, the client outputs the encrypted update data to an IC card. In the IC card, the update data is decrypted by a secret key used for the device authentication. Based on the decrypted update data, rewriting is carried out in the IC card.