
Showing papers on "Data Authentication Algorithm published in 2007"


Patent
25 Jan 2007
TL;DR: In this paper, requests to gain access to secure resources are adjudicated according to authentication policies that include rules based on user-state derived from multiple heterogeneous access-control systems.
Abstract: Requests to gain access to secure resources are adjudicated according to authentication policies that include rules based on user-states derived from multiple heterogeneous access-control systems.

291 citations


Journal ArticleDOI
TL;DR: An improved security patch is presented which overcomes the weakness of Lin-Lai's scheme and establishes trust between client and remote system in the form of mutual authentication.

170 citations


Book ChapterDOI
02 Jul 2007
TL;DR: Relying on the Goldwasser-Micali encryption scheme, a protocol for biometric-based authentication is introduced and its security is proved in this security model by assuming the biometric features to be public.
Abstract: This work deals with the security challenges in authentication protocols employing volatile biometric features, where the authentication is indeed a comparison between a fresh biometric template and that enrolled during the enrollment phase. We propose a security model for biometric-based authentication protocols by assuming the biometric features to be public. Extra attention is paid to the privacy issues related to the sensitive relationship between a biometric feature and the relevant identity. Relying on the Goldwasser-Micali encryption scheme, we introduce a protocol for biometric-based authentication and prove its security in our security model.

136 citations


Patent
09 Jun 2007
TL;DR: In this article, an apparatus, system, and method for authenticating users through multiple communication channels is described, which may be used to supplement password systems or replace password authentication, effectively enabling secure sharing, auditing, delegation, and revocation of authority.
Abstract: An apparatus, system, and method are disclosed for authenticating users through multiple communication channels. The authentication method of the present invention may be used to supplement password systems or replace password authentication, effectively enabling secure sharing, auditing, delegation, and revocation of authority.

90 citations


Proceedings Article
23 Sep 2007
TL;DR: This work studies a variety of authentication algorithms for selection and aggregation queries over sliding windows based on Merkle hash trees over a forest of space partitioning data structures, and tries to leverage key features, like update, query, signing, and authentication costs.
Abstract: As computer systems are essential components of many critical commercial services, the need for secure online transactions is now becoming evident. The demand for such applications, as the market grows, exceeds the capacity of individual businesses to provide fast and reliable services, making outsourcing technologies a key player in alleviating issues of scale. Consider a stock broker that needs to provide a real-time stock trading monitoring service to clients. Since the cost of multicasting this information to a large audience might become prohibitive, the broker could outsource the stock feed to third-party providers, who are in turn responsible for forwarding the appropriate sub-feed to clients. Evidently, in critical applications the integrity of the third-party should not be taken for granted. In this work we study a variety of authentication algorithms for selection and aggregation queries over sliding windows. Our algorithms enable the end-users to prove that the results provided by the third-party are correct, i.e., equal to the results that would have been computed by the original provider. Our solutions are based on Merkle hash trees over a forest of space partitioning data structures, and try to leverage key features, like update, query, signing, and authentication costs. We present detailed theoretical analysis for our solutions and empirically evaluate the proposed techniques.

87 citations


Patent
27 Sep 2007
TL;DR: In this paper, the authors proposed a template-based authentication system in which the user's biometric data is captured during enrollment and converted by a given conversion parameter to create a template.
Abstract: The present invention captures user's biometric data during enrollment and converts it by a given conversion parameter to create a template. It creates verification information for the conversion parameter, and enrolls it in an authentication server together with the template. The conversion parameter is stored in an IC card or the like for issuance to the user. During authentication, the authentication server verifies that the authentication terminal knows the conversion parameter, using conversion parameter verification information. Next, the authentication terminal converts user's biometric data newly captured by a conversion parameter to create matching information, and transmits it to the authentication server. The authentication server matches the matching information with the template to determine whether the user is a principal.

83 citations


Patent
22 May 2007
TL;DR: In this paper, a method for using multiple channels to access a resource was proposed, where an authenticated user requests a resource that requires a second authentication parameter over a first channel, and a token value is transmitted to the user on the first channel.
Abstract: A method for using multiple channels to access a resource, wherein an authenticated user requests a resource that requires a second authentication parameter over a first channel, a token value is transmitted to the user on the first channel, and the user transmits the token value and a second authentication parameter over a second channel. The token value is used to associate the first authentication parameter to the second authentication parameter, whereby the user is allowed access to the resource on the first or second channel.

82 citations


Proceedings ArticleDOI
20 May 2007
TL;DR: This work presents attacks against two cognitive authentication schemes, designed to be secure against eavesdropping attacks while relying only on human cognitive skills, that are not secure against an eavesdropping adversary.
Abstract: We present attacks against two cognitive authentication schemes [9] proposed at the 2006 IEEE Symposium on Security and Privacy. These authentication schemes are designed to be secure against eavesdropping attacks while relying only on human cognitive skills. They achieve authentication via challenge response protocols based on a shared secret set of pictures. Our attacks use a SAT solver to recover a user's secret key in a few seconds, after observing only a small number of successful logins. These attacks demonstrate that the authentication schemes of [9] are not secure against an eavesdropping adversary.

81 citations


Patent
04 Jul 2007
TL;DR: In this article, a solution for a mobile station to perform intra-domain inter-access controller authentication using an 802.11r protocol in CAPWAP architecture is presented, where the access controller is the authenticator that is configured to store a top-level and second level shared authentication keys in a key hierarchy.
Abstract: A solution for a mobile station to perform intra-domain inter-access controller authentication using an 802.11r protocol in CAPWAP architecture is presented. The access controller is the authenticator that is configured to store top-level and second level shared authentication keys in a key hierarchy defined in 802.11r. The mobile station first-time association and re-association after inter-access-point handoff can be performed through authentication request/response message exchange between the mobile station and the access controller. The new access controller after handoff gets top-level key from the old access controller called an anchor authenticator. The mobile station and the new access controller generate a new second level key and session key to complete the authentication.

80 citations


Patent
05 Nov 2007
TL;DR: A web site can be authenticated by a third party authentication service as mentioned in this paper, where a user designates an authentication device that is a shared secret between the user and the authentication service.
Abstract: A web site can be authenticated by a third party authentication service. A user designates an authentication device that is a shared secret between the user and the authentication service. A web site page includes a URL that points to the authentication service. The URL includes a digital signature by the web site. When the user receives the page, the user's browser issues a request to the authentication service, which attempts to authenticate the digital signature. If the authentication is successful, it sends the authentication device to the user computer.

78 citations


Patent
31 Oct 2007
TL;DR: In this article, an authentication-delegating service implemented in an authentication server or other processing device is configured to receive a request from a relying party for delegated authentication information associated with a particular user.
Abstract: An authentication-delegating service implemented in an authentication server or other processing device is configured to receive a request from a relying party for delegated authentication information associated with a particular user, to determine a level of trust associated with the relying party, and to provide the delegated authentication information to the relying party if the relying party has a sufficient level of trust, so as to permit the relying party to authenticate the user based on the delegated authentication information. The delegated authentication information has the property that the user can be presently authenticated based on such information. The delegated authentication information may comprise, for example, at least one value derived from a one-time password or other authentication credential of the particular user. The authentication-delegating service may be graded to provide different types of delegated authentication information based on respective levels of trust that may be associated with relying parties.

Proceedings ArticleDOI
25 Aug 2007
TL;DR: This paper proposes and describes an authentication scheme based on a One-Time Password (OTP) MIDlet running on a mobile phone for unified authentication towards any type of service on the Internet.
Abstract: The number of different identities and credentials used for authentication towards services on the Internet has increased beyond the manageable. Still, the most common authentication scheme is based on usernames and passwords. This is a weak authentication mechanism, which can be broken by eavesdropping on the network connection or by sloppy handling by the users (e.g. re-use of the same password for different services, writing down the passwords on paper etc.). Also, management of user credentials is a costly task for most companies, estimated by IDC to around 200-300 USD per user/year. Hence, better solutions for simplified, yet secure authentication, are required in the future. This paper proposes and describes an authentication scheme based on a One-Time Password (OTP) MIDlet running on a mobile phone for unified authentication towards any type of service on the Internet.

Patent
21 Nov 2007
TL;DR: In this paper, a method and apparatus for transmitting data using authentication between a first device and a second device is described, which includes transmitting an encrypted certificate of the first device using a shared key shared by the first device and the second device, receiving authentication key generation information for generating an authentication key, which is received when it is determined that the certificate of the first device is valid and not revoked, generating a first random number and generating an authentication key based on the first random number and the authentication key generation information, and encrypting and transmitting data using the authentication key.
Abstract: A method and apparatus of transmitting data using authentication between a first device and a second device are provided. The method includes transmitting an encrypted certificate of the first device using a shared key shared by the first device and the second device, receiving authentication key generation information for generating an authentication key, which is received when it is determined that the certificate of the first device is valid and not revoked, generating a first random number and generating an authentication key based on the first random number and the authentication key generation information, and encrypting and transmitting data using the authentication key.

Patent
12 Feb 2007
TL;DR: In this article, the authentication sequence is retrieved from a plurality of retrievable authentication sequences, and the retrieved sequence is performed to authenticate the user based on the received credentials.
Abstract: To authenticate a user of a communications network, credentials from the user are centrally received. An authentication sequence is retrieved from a plurality of retrievable authentication sequences, and the retrieved authentication sequence is performed to authenticate the user based on the received credentials.

01 May 2007
TL;DR: EAP-FAST is an EAP method that enables secure communication between a peer and a server by using the Transport Layer Security (TLS) to establish a mutually authenticated tunnel.
Abstract: This document defines the Extensible Authentication Protocol (EAP) based Flexible Authentication via Secure Tunneling (EAP-FAST) protocol. EAP-FAST is an EAP method that enables secure communication between a peer and a server by using the Transport Layer Security (TLS) to establish a mutually authenticated tunnel. Within the tunnel, Type-Length-Value (TLV) objects are used to convey authentication related data between the peer and the EAP server. This memo provides information for the Internet community.

Patent
Steven D. Upp
15 Oct 2007
TL;DR: In this article, the authors describe a method for authenticating a wireless device and an associated user subscription. By using a single authentication exchange with the wireless device to obtain a device credential, a connectivity service network (CSN) authenticates and validates the device credential to establish a device identity.
Abstract: Various embodiments are described for authenticating a wireless device (101) and/or an associated user subscription. By using a single authentication exchange with the wireless device to obtain a device credential, a connectivity service network (CSN) (231) authenticates and validates the device credential to establish a device identity. For device-identity-based subscription, the device identity may be used to validate a subscription. For user subscription authentication, a second authentication exchange is performed using the encrypted connection established by the first authentication exchange (a.k.a. the outer exchange). By utilizing only one outer authentication exchange, embodiments are made possible that exhibit reduced messaging and lower complexity when compared to known techniques.

Proceedings ArticleDOI
24 Jun 2007
TL;DR: Preliminary analysis indicates that SFRIC can complete the roaming authentication within a period much less than the critical 20 ms threshold, required for maintaining streaming traffic, when the cryptographic operations are performed in hardware.
Abstract: In a wireless network composed of multiple access points, a long delay during roaming from one access point to another may cause a disruption for streaming traffic. Roaming in wireless LAN is generally composed of two parts, 1) searching for a new access point and 2) performing authentication at the new access point. To reduce the second part delay, we propose an innovative lightweight authentication scheme called SFRIC (secure fast roaming using ID-based cryptography). SFRIC employs ID-based cryptography to simplify the authentication process. It performs mutual authentication for the mobile client and AP with a 3-way handshake, then generates a PTK (pairwise transient key) directly without pre-distributing PMK (pairwise master key). It does not require contacting an authentication server or exchanging certificates. SFRIC is composed of two phases. In the first phase (the preparation phase), each mobile client obtains a temporary private key from the PKG (private key generator). In the second phase (the roaming authentication phase), mutual authentication and key distribution are performed. Our preliminary analysis indicates that SFRIC can complete the roaming authentication within a period much less than the critical 20 ms threshold, required for maintaining streaming traffic, when the cryptographic operations are performed in hardware.

Patent
22 May 2007
TL;DR: In this article, a method for using multiple channels to authenticate a user was proposed, where a first authentication parameter from a first device associated with a user is received over a first channel, a token value is transmitted to the user on the first channel and the user transmits the token value and a second authentication parameter over a second channel.
Abstract: A method for using multiple channels to authenticate a user, wherein a first authentication parameter from a first device associated with a user is received over a first channel, a token value is transmitted to the user on the first channel, and the user transmits the token value and a second authentication parameter over a second channel. The token value is used to associate the first authentication parameter to the second authentication parameter, whereby the user is authenticated on the first channel.

Patent
26 Jun 2007
TL;DR: In this article, a system and method for providing an authentication code across a network for use in authentication of documents, such as printed lottery tickets, is described, which includes document-printing terminals that include a key that is used in a mathematical function with the bet information for a specific-game entry to generate a document code that is sent to a central server.
Abstract: A system and method for providing an authentication code across a network for use in authentication of documents, such as printed lottery tickets. The system includes document-printing terminals that include a key that is used in a mathematical function with the bet information for a specific-game entry to generate a document code that is sent to a central server. The central server stores the received document code and then generates an authentication code for the document desired to be printed at the terminal, and sends the authentication code back to the terminal for printing on the issued document. The authentication code can be a further mathematical processing of the document code. Verification of the document occurs from comparison of the authentication code on the document and stored authentication and/or document codes at the server.

Book ChapterDOI
02 Jul 2007
TL;DR: The Candidate Key Protocol (CKP) is introduced to interactively generate secret shared keys from similar sensor data streams, suitable for two-party and multi-party authentication, and supports opportunistic authentication.
Abstract: Secure communication over wireless channels necessitates authentication of communication partners to prevent man-in-the-middle attacks. For spontaneous interaction between independent, mobile devices, no a priori information is available for authentication purposes. However, traditional approaches based on manual password input or verification of key fingerprints do not scale to tens to hundreds of interactions a day, as envisioned by future ubiquitous computing environments. One possibility to solve this problem is authentication based on similar sensor data: when two (or multiple) devices are in the same situation, and thus experience the same sensor readings, this constitutes shared, (weakly) secret information. This paper introduces the Candidate Key Protocol (CKP) to interactively generate secret shared keys from similar sensor data streams. It is suitable for two-party and multi-party authentication, and supports opportunistic authentication.

Patent
17 May 2007
TL;DR: In this article, a two-factor authentication method is employed in which password authentication is the second factor, in which a token is associated with a mobile device and a user of a remote computer.
Abstract: An authentication method in which a token is associated with a mobile device and a user of a remote computer, it is established that the token at the mobile device and remote computer match and the token at the mobile device and remote computer is updated during a connection. Preferably a two factor authentication method is employed in which password authentication is the second factor.

Patent
14 Jun 2007
TL;DR: In this article, a method of generating an authentication token using a cryptographic-based application downloaded to a mobile telephony device and a method of authenticating an online transaction using such a token are presented. The method may be employed in a two-factor authentication method utilising a user password and an authentication token.
Abstract: A method of generating an authentication token using a cryptographic based application downloaded to a mobile telephony device and a method of authenticating an online transaction using such a token. The method may be employed in a two factor authentication method utilising a user password and an authentication token. The method allows a two factor authentication method to be provided by a wide range of mobile telephony devices operating either online or offline. Other authentication systems and methods of authentication are also disclosed.

Patent
02 Feb 2007
TL;DR: In this article, the authors propose a method to provide authentication services to third party vendors by a service provider hosting an authentication, authorization and accounting (AAA) server or a similar device that can authenticate users for some other service.
Abstract: A method to provide authentication services to third party vendors by a service provider hosting an authentication, authorization and accounting (AAA) server or a similar device that can authenticate users for some other service. This method enables easy and substantially error-free end-user authentication, which forms the basis for enabling electronic transactions (e.g., web-based) that are less vulnerable to fraud.

Patent
21 Nov 2007
TL;DR: In this paper, users execute two login sequences with a strong authentication framework, and execution of both sequences is later verified. The authentication token is encrypted with a private key corresponding to the first sequence and passed to the second sequence, where it is encrypted again with a private key corresponding to the second sequence.
Abstract: Methods and apparatus cryptographically bind authentication schemes to verify that a secure authentication sequence was executed for access to sensitive applications/resources. Users execute two login sequences with a strong authentication framework. Upon completion of the first, the framework generates an unencrypted token from underlying data, later hashed into an authentication token. With a private key corresponding to the first sequence, the authentication token is encrypted and passed to the second sequence where it is encrypted again with a private key corresponding to the second sequence. Upon access attempts to the sensitive applications/resources, verification of execution of the two login sequences includes recovering the authentication token from its twice encrypted form and comparing it to a comparison token independently generated by the application/resource via the underlying data. An audit log associated with the application/resource stores the data, the recovered authentication token, etc., for purposes of later non-repudiation.

Journal ArticleDOI
TL;DR: This work shows that a new smart card based remote user authentication scheme is subject to forgery attacks if the information stored in the smart card is stolen, and proposes an amendment to this problem.
Abstract: Recently, Yoon et al. proposed a new smart card based remote user authentication scheme. We show that this scheme is subject to forgery attacks if the information stored in the smart card is stolen. This violates the "two-factor security" objective of the smart card based remote user authentication schemes. We propose an amendment to this problem. We further propose two new schemes which are more efficient and secure than Yoon et al.'s scheme.

Journal ArticleDOI
TL;DR: A novel privacy enhanced anonymous authentication and access control scheme to secure the interactions between mobile users and services in PCEs with optional context authentication capability and provides explicit mutual authentication and allows multiple current sessions between a user and a service, while allowing the user to anonymously interact with the service.
Abstract: In pervasive computing environments (PCEs), privacy and security are two important but contradictory objectives. Users enjoy services provided in PCEs only after their privacy issues are sufficiently addressed. That is, users could not be tracked down for wherever they are and whatever they are doing. However, service providers always want to authenticate the users and make sure they are accessing only authorized services in a legitimate way. In PCEs, such user authentication may include context authentication in addition to the entity authentication. In this paper, we propose a novel privacy enhanced anonymous authentication and access control scheme to secure the interactions between mobile users and services in PCEs with optional context authentication capability. The proposed scheme seamlessly integrates two underlying cryptographic primitives, blind signature and hash chain, into a highly flexible and lightweight authentication and key establishment protocol. It provides explicit mutual authentication and allows multiple current sessions between a user and a service, while allowing the user to anonymously interact with the service. The proposed scheme is also designed to be DoS resilient by requiring the user to prove her legitimacy when initializing a service session.

Patent
12 Nov 2007
TL;DR: In this paper, a method of generating a Message Authentication Code (MAC) using a stream cipher and authentication/encryption and authentication/decryption methods using a stream cipher are presented.
Abstract: Provided are a method of generating a Message Authentication Code (MAC) using a stream cipher, and authentication/encryption and authentication/decryption methods using a stream cipher. According to the methods, authentication/encryption is performed using a MAC generated using a stream cipher as an initialization vector of the stream cipher. Therefore, it is unnecessary to use a random number generation algorithm to generate the initialization vector, and thus implementation efficiency can be improved. In addition, upon generation of a MAC, a plurality of key stream generators perform computation for a plurality of message blocks, respectively. Therefore, the message blocks are computed in parallel at a time, and thus computation efficiency is excellent.

Patent
19 Oct 2007
TL;DR: In this article, a set of associated keys for an authentication process to be performed in a second network is calculated based on a random value used in an authentication procedure of a first network.
Abstract: A set of associated keys for an authentication process to be performed in a second network is calculated based on a random value used in an authentication process of a first network.

Patent
23 Apr 2007
TL;DR: In this paper, a device for the identification and authentication of a remote user connecting to a service over a network includes a cryptographic processor and at least one cryptographic key and storage means, additional processing means and interface means to generate and transmit a unique authentication code as emulated keystrokes through a standard input means of a client terminal.
Abstract: A device for identification and authentication of a remote user connecting to a service over a network includes a cryptographic processor and at least one cryptographic key and storage means, additional processing means and interface means to generate and transmit a unique authentication code as emulated keystrokes through a standard input means of a client terminal. The code may be transmitted only by an explicit command of the user.

Patent
06 Dec 2007
TL;DR: In this article, the authentication platform interacts with one of several authentication modules to authenticate the user. Each authentication module may use different information or procedures to identify the user. If authenticated, the user is allowed access to the system.
Abstract: Embodiments of the disclosure generally relate to systems and methods for authenticating users of an entity system. In embodiments, an authentication platform receives a request for authentication. The authentication platform interacts with one of several authentication modules to authenticate the user. Each authentication module may use different information or procedures to authenticate the user. If authenticated, the user is allowed access to the system. Having access to two or more authentication modules allows the authentication platform to provide automatically a more robust authentication and alleviates the entity system from needing to integrate the several authentication modules.