Showing papers on "Data Authentication Algorithm published in 2006"


Journal ArticleDOI
01 May 2006
TL;DR: The new split counters for counter-mode encryption simultaneously eliminate counter overflow problems and reduce per-block counter size and dramatically improve authentication performance and security by using the Galois/counter mode of operation (GCM), which leverages counter-mode encryption to reduce authentication latency and overlap it with memory accesses.
Abstract: Protection from hardware attacks such as snoopers and mod chips has been receiving increasing attention in computer architecture. This paper presents a new combined memory encryption/authentication scheme. Our new split counters for counter-mode encryption simultaneously eliminate counter overflow problems and reduce per-block counter size, and we also dramatically improve authentication performance and security by using the Galois/Counter Mode of operation (GCM), which leverages counter-mode encryption to reduce authentication latency and overlap it with memory accesses. Our results indicate that the split-counter scheme has a negligible overhead even with a small (32KB) counter cache and using only eight counter bits per data block. The combined encryption/authentication scheme has an IPC overhead of 5% on average across SPEC CPU 2000 benchmarks, which is a significant improvement over the 20% overhead of existing encryption/authentication schemes.

261 citations


01 Jan 2006
TL;DR: The EAP-SIM mechanism specifies enhancements to GSM authentication and key agreement whereby multiple authentication triplets can be combined to create authentication responses and session keys of greater strength than the individual GSM triplets.
Abstract: This document specifies an Extensible Authentication Protocol (EAP) mechanism for authentication and session key distribution using the Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM). GSM is a second generation mobile network standard. The EAP-SIM mechanism specifies enhancements to GSM authentication and key agreement whereby multiple authentication triplets can be combined to create authentication responses and session keys of greater strength than the individual GSM triplets. The mechanism also includes network authentication, user anonymity support, result indications, and a fast re-authentication procedure. This memo provides information for the Internet community.

244 citations


Patent
24 Oct 2006
TL;DR: In this paper, partial shared secret recognition is combined with using more than one communication channel between server-side resources and two logical or physical client-side data processing machines, where the authentication response is returned to the server side on the first communication channel for matching.
Abstract: Random partial shared secret recognition is combined with using more than one communication channel between server-side resources and two logical or physical client-side data processing machines. After a first security tier, a first communication channel is opened to a first data processing machine on the client side. The session proceeds by delivering an authentication challenge, identifying a random subset of an authentication credential, to a second data processing machine on the client side using a second communication channel. Next, the user enters an authentication response in the first data processing machine, based on a random subset of the authentication credential. The authentication response is returned to the server side on the first communication channel for matching. The authentication credential can be a one-session-only credential delivered to the user for one session, or a static credential used many times.

227 citations


Patent
Mark Buer
15 Nov 2006
TL;DR: In this paper, a universal authentication token is configured to securely acquire security credentials from other authentication tokens and/or devices, in order to access a variety of resources, services and applications for a user.
Abstract: A universal authentication token is configured to securely acquire security credentials from other authentication tokens and/or devices. In this manner, a single universal authentication token can store the authentication credentials required to access a variety of resources, services and applications for a user. The universal authentication token includes a user interface, memory for storing a plurality of authentication records for a user, and a secure processor. The secure processor provides the required cryptographic operations to encrypt, decrypt, and/or authenticate data that is sent or received by universal token. For example, secure processor may be used to generate authentication data from seed information stored in memory.

189 citations


Patent
30 Nov 2006
TL;DR: A system and method for authentication that comprises the use of at least one multiple multi-factor authentication with the optional addition of, mutual (site) authentication, transaction/behavior analysis, that utilizes user-facing geolocation communications and information about user device ownership periods, and/or a combination thereof to help prevent fraud is presented in this paper.
Abstract: A system and method for authentication that comprises the use of at least one multiple multi-factor authentication with the optional addition of, mutual (site) authentication, transaction/behavior analysis, that utilizes user-facing geolocation communications and/or information about user device ownership periods, and/or a combination thereof to help prevent fraud.

173 citations


Patent
20 Dec 2006
TL;DR: In this article, the authors propose a method of authenticating a user by sending an authentication request to a remote authentication device and generating a first piece of authentication information, which is then sent to the remote authentication devices and validated.
Abstract: A method of authenticating a user. The method comprises the step of sending an authentication request to a remote authentication device and generating a first piece of authentication information. A mobile device receives the first piece of authentication information from either an access terminal or the remote authentication device. The mobile device of the user generating a second piece of authentication information which is at least partially based on the received first piece of authentication information. The second piece of authentication information is sent to the remote authentication devices and the second piece of authentication information validated. If the second piece of authentication information is successfully validated an authentication signal is generated.

153 citations


Patent
Rajeev Dujari, Biao Wang, John Hawkins, Yordan I. Rouskov, Samim Erdogan
24 Apr 2006
TL;DR: In this paper, a method and system for using an Internet client's local authentication mechanism in systems having updated browser code, so as to enable third party authentication according to an authentication scheme specified by a participating server on clients with updated browsers, while not breaking clients with legacy browser code.
Abstract: A method and system for using an Internet client's local authentication mechanism in systems having updated browser code, so as to enable third party authentication according to an authentication scheme specified by a participating server on clients with updated browser code, while not breaking clients with legacy browser code. A redirect response from a server has authentication data added thereto such that updated browser code can detect the data's presence and enable the use of local security mechanisms for authentication purposes with the server-specified authentication scheme, including local credential entry for verification at a third party login server. At the same time, if such a redirect response is received by prior browser code, the added data is ignored while conventional redirection occurs, such that third party authentication may be performed via redirection to a third party's Internet page that provides a form for credential entry.

128 citations


Patent
05 Oct 2006
TL;DR: In this article, a transaction authentication number is generated using the personal identification code (PIC) using the data set generated from secure session establishment protocol (S1, S2, S3) messages exchanged between the communication terminal and the server.
Abstract: For authenticating a user using a communication terminal (1) to access a server (4) via a telecommunications network, a personal identification code is received from the user. From secure session establishment protocol messages exchanged (S1, S2, S3) between the communication terminal (1) and the server (4), a data set is generated (S4). Based on the data set, a transaction authentication number is generated (S52) using the personal identification code. The transaction authentication number is transmitted (S54) from the communication terminal (1) to the server (4). In the server (4), the transaction authentication number received is verified (S20) based on the secure session establishment protocol messages exchanged with the communication terminal (1). The transaction authentication number enables session aware user authentication that protects online users against real-time man-in-the-middle attacks.

127 citations


Journal ArticleDOI
TL;DR: Simulations of semi-fragile authentication methods on real images demonstrate the effectiveness of the MSB-LSB approach in simultaneously achieving security, robustness, and fragility objectives.
Abstract: This paper focuses on a coding approach for effective analysis and design of secure watermark-based multimedia authentication systems. We provide a design framework for semi-fragile watermark-based authentication such that both objectives of robustness and fragility are effectively controlled and achieved. Robustness and fragility are characterized as two types of authentication errors. The authentication embedding and verification structures of the semi-fragile schemes are derived and implemented using lattice codes to minimize these errors. Based on the specific security requirements of authentication, cryptographic techniques are incorporated to design a secure authentication code structure. Using nested lattice codes, a new approach, called MSB-LSB decomposition, is proposed which we show to be more secure than previous methods. Tradeoffs between authentication distortion and implementation efficiency of the secure authentication code are also investigated. Simulations of semi-fragile authentication methods on real images demonstrate the effectiveness of the MSB-LSB approach in simultaneously achieving security, robustness, and fragility objectives.

126 citations


01 Jan 2006
TL;DR: This work shows the vulnerability of some of the lightweight authentication protocols in RFID to attacks on tags, where the adversary pretends to be a valid reader, and proposes a modified protocol that avoids this type of attack.
Abstract: Lightweight authentication protocols are necessary in Radio-Frequency Identification (RFID) applications due to tag-level constraints. Over the past few years, several such protocols have been proposed and analyzed. We focus on the HB protocol and its variants. We show the vulnerability of some of these to attacks on tags, where the adversary pretends to be a valid reader, and propose a modified protocol that avoids this type of attack.

102 citations


01 Jun 2006
TL;DR: This memo specifies an authentication algorithm based on CMAC with the 128-bit Advanced Encryption Standard (AES), named AES-CMAC, to be conveniently available to the Internet Community.
Abstract: The National Institute of Standards and Technology (NIST) has recently specified the Cipher-based Message Authentication Code (CMAC), which is equivalent to the One-Key CBC MAC1 (OMAC1) submitted by Iwata and Kurosawa. This memo specifies an authentication algorithm based on CMAC with the 128-bit Advanced Encryption Standard (AES). This new authentication algorithm is named AES-CMAC. The purpose of this document is to make the AES-CMAC algorithm conveniently available to the Internet Community. This memo provides information for the Internet community.

Patent
22 Jun 2006
TL;DR: In this paper, a method, computer program product, authentication proxy server, and system for enabling a user to use a one-time password in conjunction with single sign-on authentication and external authentication, such as provided by the Kerberos protocol, are provided.
Abstract: A method, computer program product, authentication proxy server, and system for enabling a user to use a one-time password in conjunction with single sign-on authentication and external authentication, such as provided by the Kerberos protocol, are provided.

Patent
06 Feb 2006
TL;DR: In this paper, the authors propose a challenge-handshake protocol within the Extensible Authentication Protocol (EAP) for authentication between a client and the network, which is a wireless authentication protocol.
Abstract: A wireless authentication protocol. Access to a network is managed by providing a challenge-handshake protocol within the Extensible Authentication Protocol for authentication between a client and the network.

Patent
21 Sep 2006
TL;DR: In this article, a single sign-on technique allows multiple accesses to one or more applications or other resources using a proof-of-authentication module operating in conjunction with a standard authentication component.
Abstract: A single sign-on technique allows multiple accesses to one or more applications or other resources using a proof-of-authentication module operating in conjunction with a standard authentication component. The application or other resource issues an authentication information request to the standard authentication component responsive to an access request from the user. The application or other resource receives, responsive to the authentication information request, a proof-of-authentication value from the standard authentication component, and authenticates the user based on the proof-of-authentication value. The standard authentication component interacts with the proof-of-authentication module to obtain the proof-of-authentication value. The proof-of-authentication module is configured to generate multiple proof-of-authentication values for authentication of respective access requests of the user.

Patent
19 Dec 2006
TL;DR: In this article, a terminal identification method is provided which enables two-way communications between terminals and a network while identifying terminal IDs and protecting privacy, which require no complicated calculating process, less steps and smaller amount for wireless communications, and less power consumption.
Abstract: A terminal identification method is provided which enables two-way communications between terminals and a network while identifying terminal IDs and protecting privacy. Also, authentication method and system are provided which require no complicated calculating process, less steps and smaller amount for wireless communications, and less power consumption. A server and terminal share a hash function and an initial value determined for each terminal, calculate the same temporary ID by hashing the initial value the same number of times with the hash function, and identify the terminal using the calculated temporary ID. The server and the terminal also hold a common hash function and authentication information, acquire an authenticating communication parameter from communication parameters temporarily common during communication, and generate an authentication key using the authentication information, the authenticating communication parameter, and the hash function. Then at least one of the server and terminal performs authentication using the generated authentication key.

01 Mar 2006
TL;DR: This specification describes how to generate an authentication tag using the UMAC message authentication algorithm, which is designed to be very fast to compute in software on contemporary uniprocessors.
Abstract: This specification describes how to generate an authentication tag using the UMAC message authentication algorithm. UMAC is designed to be very fast to compute in software on contemporary uniprocessors. Measured speeds are as low as one cycle per byte. UMAC relies on addition of 32-bit and 64-bit numbers and multiplication of 32-bit numbers, operations well-supported by contemporary machines. To generate the authentication tag on a given message, a "universal" hash function is applied to the message and key to produce a short, fixed-length hash value, and this hash value is then xor'ed with a key-derived pseudorandom pad. UMAC enjoys a rigorous security analysis, and its only internal "cryptographic" component is a block cipher used to generate the pseudorandom pads and internal key material. This memo provides information for the Internet community.

Patent
01 Dec 2006
TL;DR: In this article, a system for detecting and preventing replay attacks includes a plurality of interconnected authentication servers, and one or more tokens for generating a one-time passcode and providing the one time passcode to one of the authentication servers for authentication.
Abstract: A system for detecting and preventing replay attacks includes a plurality of interconnected authentication servers, and one or more tokens for generating a one-time passcode and providing the one-time passcode to one of the authentication servers for authentication. The system includes an adjudicator function associated with each authentication server. The adjudicator evaluates a high water mark value associated with a token seeking authentication, allows authentication to proceed for the token if the high water mark evaluation indicates that the one-time passcode was not used in a previous authentication, and prevents authentication if the high water mark evaluation indicates that the one-time passcode was used in a previous authentication. The token is associated with a home authentication server that maintains a current high water mark of the token. The home authentication server validates the current high water mark on behalf of the adjudicator function evaluating the token for authentication.

Patent
25 Aug 2006
TL;DR: In this article, the authors present a system for remote user authentication by using a cellular phone and an authentication system that generates and uses transient pass codes, where the user retrieves the password or pass code via a cell telephone call to the authentication system, before logging on to the system.
Abstract: Systems for methods for remote user authentication by using a cellular phone and an authentication system that generates and uses transient pass codes. The Authentication system is used to store a user's existing passwords; alternatively, the authentication system creates on demand a transient random pass code that is good for a limited duration. The transient pass codes may also be used in the packets that enable each packet to be individually authenticated in the firewall. When the user has forgotten the password in a traditional system, alternatively, without the need to create or remember passwords, user can use transient pass codes. The user retrieves the password or the pass code via a cell telephone call to the authentication system, before logging on to the system.

Patent
Sato Tetsushi, Masamichi Shimoda, Hideki Asada, Tatsuya Uchikawa, Daisuke Suzuki
07 Sep 2006
TL;DR: A mobile communication terminal having a security function using biological information for authentication includes authentication units for performing authentication based on at least two kinds of biological information; and a control unit for performing operational control of the authentication units.
Abstract: A mobile communication terminal having a security function using biological information for authentication includes: authentication units for performing authentication based on at least two kinds of biological information; and a control unit for performing operational control of the authentication units. The control unit has a function of proceeding with capturing of biological information and authentication processing based on the captured biological information, performed for the respective kinds of biological information by the authentication units, in parallel.

Patent
21 Apr 2006
TL;DR: In this paper, an authentication server device 300 carries out biometric authentication of a user by comparing the biometric information received from the user with reference data of the user which is maintained beforehand.
Abstract: It is an object to identify, for example, a subject who generates a certain event in addition to certifying a time and/or a location of the event. A terminal device 200 sends positioning information and a time from a GPS satellite 103 and biometric information of a user to an authentication server device 300 to request for issuance of a certification code 104. The authentication server device 300 carries out biometric authentication of the user by comparing the biometric information received from the terminal device 200 with reference data of the user which is maintained beforehand. When the biometric authentication succeeds, the authentication server device 300 generates the certification code 104 by combining the reference data, the time, a hashed value of a weather satellite image, and the positioning information used for the biometric authentication. The terminal device 200 receives the certification code 104 from the authentication server device 300 and uses the certification code 104 received by outputting to a label, a photo, an IC (integrated circuit) tag, etc.

Journal ArticleDOI
TL;DR: This paper gives an attack that allows an adversary to impersonate any user in the system, as long as a single authentication message of that user is observed.
Abstract: Lin et al. (2003) proposed a remote user authentication scheme for multi-server architecture. In this paper, we break this scheme by giving an attack. Our attack allows an adversary to impersonate any user in the system, as long as a single authentication message of that user is observed.

Journal ArticleDOI
TL;DR: The Noise Tolerant Message Authentication Code can tolerate a small number of errors, such as might be caused by a noisy communications channel, and gives an indication of the number and locations of the errors.
Abstract: This paper introduces a new construct, called the Noise Tolerant Message Authentication Code (NTMAC), for noisy message authentication. The NTMAC can tolerate a small number of errors, such as might be caused by a noisy communications channel. The NTMAC uses a conventional Message Authentication Code (MAC) in its constructions and it inherits the conventional MAC's resistance to forgeries. Furthermore, the NTMAC gives an indication of the number and locations of the errors.

Patent
09 Mar 2006
TL;DR: In this paper, an authentication method and authorization key generation method in a wireless portable Internet system is provided, where the base station and the subscriber station share an authorization key when an authentication process is performed according to a predetermined authentication method negotiated there between.
Abstract: An authentication method and authorization key generation method in a wireless portable Internet system is provided. In a wireless portable Internet system, the base station and the subscriber station share an authorization key when an authentication process is performed according to a predetermined authentication method negotiated therebetween. Particularly, the subscriber station and the base station perform an additional authentication process including an authorization key-related parameter and a security-related parameter and exchange a security algorithm and SA (Security Association) information. In addition, an authorization key is derived from one or more basic keys obtained through various authentication processes as an input key of an authorization key generation algorithm. Therefore, reliability of a security related parameter received from the receiving node can be enhanced and an authorization key having a hierarchical and secure structure can be provided.

Journal ArticleDOI
TL;DR: The design, correctness, and fault tolerance of authentication over insecure asynchronous networks are addressed, and an anti-entropy version of the protocol is developed to provide lazy authentication with logarithmic messaging cost.

Patent
10 Feb 2006
TL;DR: In this article, an approach for performing authentication in a communication system is provided for a key is established with a terminal in the communication network according to a key agreement protocol, and the agreed key is tied to an authentication procedure to provide a security association that supports reuse of the key.
Abstract: An approach is provided for performing authentication in a communication system. In one embodiment, a key is established with a terminal in a communication network according to a key agreement protocol. The agreed key is tied to an authentication procedure to provide a security association that supports reuse of the key. A master key is generated based on the agreed key. In another embodiment, digest authentication is combined with key exchange parameters (e.g., Diffie-Hellman parameters) in the payload of the digest message, in which a key (e.g., SMEKEY or MN-AAA) is utilized as a password. In yet another embodiment, an authentication algorithm (e.g., Cellular Authentication and Voice Encryption (CAVE)) is employed with a key agreement protocol with conversion functions to support bootstrapping.

Patent
06 Sep 2006
TL;DR: A third-party authentication system can comprise a third party digital device configured to receive an authentication signal to establish a secure link between a first-party device and a second-party network site.
Abstract: A third-party authentication system can comprise a third-party digital device configured to receive an authentication signal to establish a secure link between a first-party device and a second-party network site, transmit a request to the first-party device for security information, the security information comprising a digital certificate, receive the security information, authenticate the digital certificate, and transmit an authentication file to the first-party device.

Journal ArticleDOI
TL;DR: The authentication and key agreement protocol for universal mobile telecommunications system (UMTS) mobile networks, where a new protocol is proposed, is analyzed and the performance and the authentication delay time have been improved significantly.
Abstract: This paper analyzes the authentication and key agreement (AKA) protocol for universal mobile telecommunications system (UMTS) mobile networks, where a new protocol is proposed. In our proposed protocol, the mobile station is responsible for generating of authentication token (AUTN) and random number (RAND). The home location register is responsible for comparison of response and expected response to take a decision. Therefore, the bottleneck at authentication center is avoided by reducing the number of messages between mobile and authentication center. The authentication time delay, call setup time, and signalling traffic are minimized in the proposed protocol. A fluid mobility model is used to investigate the performance of signalling traffic and load transaction messages between mobile database, such as home location register (HLR) and visitor location register (VLR) for both the current protocol and the proposed protocol. The simulation results show that the authentication delay and current load transaction messages between entities and bandwidth are minimized as compared to current protocol. Therefore, the performance and the authentication delay time have been improved significantly.

Patent
30 Aug 2006
TL;DR: In this paper, a user is registered in an authentication server (140), a password is created and registered in the server, the master helper data are converted to create helper data corresponding to the password, and the helper data is saved in an authenticated terminal (100).
Abstract: When biometric information is registered, master helper data is created from user's biometric information and is saved in an IC card (120). When a user is registered in an authentication server (140), a password is created and registered in the server (140), the master helper data is converted to create helper data corresponding to the password, and the helper data is saved in an authentication terminal (100). When a user is authenticated, the authentication terminal (100) generates an authentication password from the helper data and newly acquired user's biometric information, sends the generated authentication password to the authentication server (140), and the authentication server (140) compares the authentication password with a registration password to authenticate the user.

Patent
Osamu Funayama
20 Jul 2006
TL;DR: When only a fingerprint authentication approach is set, it is displayed that only authentication by fingerprint authentication is accepted, and authentication by the fingerprint authentication method is performed as mentioned in this paper, while at least a system administrator is enabled to perform authentication by a password authentication approach.
Abstract: When only a fingerprint authentication approach is set, it is displayed that only authentication by the fingerprint authentication approach is accepted, and authentication by the fingerprint authentication approach is performed. Meanwhile, at least a system administrator is enabled to perform authentication by a password authentication approach.

Patent
03 Oct 2006
TL;DR: In this article, a proxy authentication method and apparatus is described for use in user authentication, e.g. for payment transactions. The authentication is carried out before the transaction between an electronic identification device and a personal terminal. Verification information is entered at the personal terminal to authenticate the user, and if this is successful a verification flag is set in the digital identification device.
Abstract: A proxy authentication method and apparatus is described for use in user authentication, e.g. for payment transactions. The authentication is carried out before the transaction between an electronic, e.g. digital, identification device and a personal terminal. Verification information is entered at the personal terminal to authenticate the user, and if this is successful a verification flag is set in the digital identification device. The status of this flag, or an encrypted version thereof, can be used by a transaction terminal as evidence that the user has been authenticated without having to transmit any secret identification information to the transaction terminal.