US20040103325A1 - Authenticated remote PIN unblock - Google Patents
- Publication number: US20040103325A1 (application US10/305,179)
- Authority: US (United States)
- Prior art keywords: unblock, pin, security token, token, secret
- Legal status: Abandoned (as listed by Google Patents; not a legal conclusion)
Classifications
- H04L9/3226 — Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials) using a predetermined code, e.g. password, passphrase or PIN (H—Electricity; H04—Electric communication technique; H04L—Transmission of digital information; H04L9/00; H04L9/32)
- G06F21/31 — User authentication (G—Physics; G06—Computing, calculating or counting; G06F—Electric digital data processing; G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals)
- G06F21/33 — User authentication using certificates (under G06F21/31)
- G06F21/34 — User authentication involving the use of external additional devices, e.g. dongles or smart cards (under G06F21/31)
- G07F7/1016 — Devices or methods for securing the PIN and other transaction-data, e.g. by encryption (G—Physics; G07—Checking-devices; G07F—Coin-freed or like apparatus; G07F7/00—Mechanisms actuated by objects other than coins to free or to actuate vending, hiring, coin or paper currency dispensing or refunding apparatus; G07F7/08—by coded identity card or credit card or other personal identification means; G07F7/10—together with a coded signal, e.g. personal identification number [PIN] or biometric data)
- H04L63/083 — Network architectures or network communication protocols for network security for authentication of entities using passwords (H04L63/00; H04L63/08)
- H04L63/0853 — Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal (H04L63/00; H04L63/08)
- H04L9/3271 — Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication using challenge-response (H04L9/00; H04L9/32)
- G06F2221/2131 — Lost password, e.g. recovery of lost or forgotten passwords (G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups)
Definitions
- the present invention relates generally to a data processing system and method and more specifically to a data processing system and method for unblocking a security token by an authenticated user.
- a security token is used to store an entity, for example a user's digital identity.
- the digital identity has many uses, such as building access, signing of emails, access to computer systems and obtaining monetary trust.
- the inherent security mechanism that protects a user's digital identity from being used fraudulently is a combination of security token characteristics and a Personal Identification Number (PIN) known only to the user.
- PIN: Personal Identification Number
- the PIN is usually a four digit number which is used to authenticate the user to the security token. Successful authentication of the user to the security token allows the user access to the resources and data contained in or available using the security token.
- the security mechanism, while simple to implement and reasonably effective, may inadvertently block out an authorized user due to common keyboarding problems such as a stuck key, an incorrectly replaced key cover or difficulty in determining when a keyboard entry has occurred.
- Another increasingly common problem is that a user will have memorized several PINs for various service providers, which lends itself to entry of incorrect PINs. Once blocked, the only way that a user can revive access to his or her security token is to have the security mechanism reset by an appropriate support organization.
- This invention addresses the limitations described above and provides a secure mechanism to allow an authenticated user to securely unblock his or her security token.
- This invention provides the advantages of utilizing normally existing cryptographic and administrative mechanisms to unblock a security token without having to physically identify the end user or require the assistance of a third party, and end-to-end security is maintained throughout the PIN reset process using the existing cryptographic and administrative mechanisms.
- the PIN unblock mechanism utilizes responses to one or more passphrases which must be correctly answered before an administrator level PIN reset mechanism is performed.
- the initial answers to the passphrases are entered during the security token's personalization stage, hashed using a one-way message digest function and stored inside the security token in a manner not directly accessible via external processes.
- a token PIN unblock applet is installed in the security token and associated with the token's security executive.
- the token PIN unblock applet is the only token based applet that a user can successfully initiate after the security token has been locked due to sequential incorrect PIN entries.
- the unblock applet includes the ability to compare the hashed passphrases results to the existing hashed passphrases answers, securely signal the remote server that the passphrases have been correctly answered, securely access cryptographic functions, receive and utilize administrator PIN unblock secrets and perform replacement of the locked user PIN with a new and unblocked user PIN after the security token is unblocked by the remote server.
- the token PIN unblock applet is written in such a way that it will never return either a cryptographic key or any decrypted data.
- a client PIN unblock application is installed in the user's desktop computer system, preferably as a downloadable browser application, which allows the user to initiate the PIN unblock applet installed in the security token. If the desktop computer system lacks the required client PIN unblock application, the user will need to download the application from a secure website.
- the client PIN unblock application provides the user interface dialogs, securely stores user inputs, causes a secure communications session to be generated between the desktop computer system and the remote server, requests retrieval of the set of passphrases from the remote server and securely passes the hashed results to the passphrases and the administrator PIN unblock secrets to the token unblock applet.
- the remote server housing the passphrases includes a server PIN unblock service which retrieves the proper passphrases associated with the security token, provides the unblocking secret to the token PIN unblock applet following receipt of the signal from the token that the passphrases have been correctly answered and generates an audit trail of the PIN unblock transactions.
- the stored passphrases and unblock secrets are retrieved from the remote server using a unique identifier associated with the security token.
- security token refers to hardware based security devices such as smart cards, integrated circuit cards, subscriber identification modules (SIM), wireless identification modules (WIM), identification tokens, secure application modules (SAM), hardware security modules (HSM), secure multi-media card (SMMC) and like devices.
- SIM: subscriber identification module
- WIM: wireless identification module
- SAM: secure application module
- HSM: hardware security module
- SMMC: secure multi-media card
- FIG. 1 is a general block diagram illustrating the major components and general arrangement of the invention.
- FIG. 1A is a detailed block diagram illustrating the arrangement of the PIN unblock applet included in a security token.
- FIG. 1B is a detailed block diagram illustrating the arrangement of the client unblock application included in the local client and its interrelationship with the remote unblocked service included in the remote server.
- FIG. 2 is a detailed block diagram illustrating the initiation of a security token PIN unblock process at the local client where an initial set of parameters is passed from the local client to the remote server.
- FIG. 3 is a detailed block diagram illustrating the initiation of a security token PIN unblock process inside the security token where the initial set of parameters is generated by the security token and passed to the client unblock application.
- FIG. 4 is a detailed block diagram illustrating the continuation of the PIN unblock process between the remote server and the local client where the passphrases are retrieved by the remote server using one of the parameters passed by the client unblock application.
- FIG. 5 is a detailed block diagram illustrating the continuation of the PIN unblock process between the local client and the security token where a hash of answers is received from the client unblock application.
- FIG. 6 is a detailed block diagram illustrating the continuation of the PIN unblock process where an initial challenge is padded, encrypted using a private key forming a cryptogram and passed to the client unblock application.
- FIG. 7 is a detailed block diagram illustrating the continuation of the PIN unblock process between the local client and the remote server where the cryptogram containing a padded challenge is returned to the remote server and verified.
- FIG. 8 is a detailed block diagram illustrating the continuation of the PIN unblock process between the remote server and the local client where a cryptogram containing a PIN unblock secret is returned to the local client and passed to the security token.
- FIG. 9 is a detailed block diagram illustrating the continuation of the PIN unblock process between the security token and the local client where the cryptogram containing the PIN unblock secret is decrypted and used to unblock the security token. An affirmative response is passed from the security token to the local client for routing to the remote server.
- FIG. 10 is a detailed block diagram illustrating the continuation of the PIN unblock process between the local client and the remote server where the affirmative response is sent to the remote server signaling successful completion of the PIN unblock process.
- FIG. 11 is a detailed flow chart illustrating the major steps used in the invention to record and store a set of passphrases.
- FIG. 12 is a detailed flow chart illustrating the major steps used in the invention to unblock a user's security token.
- This invention provides a simple and secure PIN unblock mechanism for use with a security token.
- a set of one or more passphrases which must be answered correctly before an administrative PIN unblock secret is passed to the security token.
- the initial answers to the passphrases are entered during the security token's personalization stage, hashed using a one-way message digest function and stored inside the security token in a manner not directly accessible via external processes.
- a security token 5 is shown functionally connected to a local client 10 .
- the security token includes a token PIN unblock applet 25 which performs the actual PIN unblock functions based on parameters passed from the client PIN unblock application 30 operatively installed in the local client.
- the local client 10 is operatively connected 50 A to a telecommunications network 20 using a secure messaging protocol.
- IPsec is employed.
- Other secure messaging protocols such as secure socket layer (SSL) encryption, secure shell encryption (SSH) or transport layer security (TLS) may be implemented as well.
- SSL: secure socket layer
- SSH: secure shell encryption
- TLS: transport layer security
- the client PIN unblock application 30 provides user interface dialogs and passes messages between the token PIN unblock applet 25 and a server PIN unblock service installed on a remote server 15 .
- the client PIN unblock application 30 is preferably a downloadable browser application or applet, which allows the user to initiate the PIN unblock applet 25 installed in the security token 5 . If the client 10 lacks the required client PIN unblock application 30 , the user may download the application from a secure website.
- the universal resource locator (URL) is usually printed on the back of the security token 5 or is otherwise known to the end user.
- the remote server 15 is shown operatively connected 50 B to the network 20 and in processing communications with the local client 10 using the secure messaging protocol.
- the remote server 15 includes the server PIN unblock service 35 .
- the server PIN unblock service 35 retrieves the applicable passphrases and an administrative unblock secret using parameters supplied or generated by the token PIN unblock applet 25 .
- in FIG. 1A, the token PIN unblock applet 25 is shown associated with the token's security executive 75 .
- the security executive 75 provides symmetric and asymmetric cryptographic services, random number generation, authentication challenge generation and comparator functions when requested by the PIN unblock applet 25 .
- the security executive 75 includes the ability to pass 150 a unique identifier ID 105 to external resources.
- the unique identifier 105 may be an internally masked token serial number or another obfuscated identifier unique to the security token.
- the token PIN unblock applet 25 communicates 155 with the client unblock application 30 and is the only token based applet that a user can successfully initiate after the security token has been blocked due to sequential incorrect PIN entries.
- a one-way message digest Hash_o 110 of the original answers to the set of passphrases is stored inside the security token and associated with the PIN unblock applet 25 .
- the PIN unblock applet 25 includes the ability to compare the reference one-way message digest Hash_o 110 of the passphrase answers against a later hashed passphrase result passed to the applet by the client unblock application 30 .
- the one-way message digest preferably uses SHA-1; however, other common message digest functions such as MD5 may be used as well so long as consistency is maintained between the digest function used to create the reference hash and the subsequent response hash.
- An administrative shared secret Secret_t 115 is used to unblock an existing PIN block applet 120 .
- the counterpart shared secret is securely stored on the remote server and is only passed to the PIN unblock applet 25 after a user has correctly entered the proper passphrases and the resulting hash has been verified against the reference hash Hash_o 110 .
- the token PIN unblock applet 25 provides an encrypted message which is passed to the remote PIN unblock service, signaling successful user authentication. The successful verification of the encrypted message by the remote PIN unblock service causes the administrative counterpart shared secret to be securely sent to the PIN unblock applet 25 . This mechanism is discussed in more detail in the discussion that follows herein.
- the administrative shared secret may be a symmetric cryptographic key or an administrative PIN.
- the PIN block applet 120 monitors the number of sequential incorrect PIN entries and prevents access to end user applets 130 and cryptographic keys 145 when the user's PIN PIN_b 125 has been blocked.
- the token PIN unblock applet 25 includes the functionality to replace 160 the blocked PIN PIN_b 125 following successful unblocking of the PIN block applet 120 .
- a security mechanism is incorporated into the token PIN unblock applet 25 which, after a predefined number of sequential and unsuccessful attempts to unblock the user's PIN, results in the security token becoming unrecoverable by the end user.
- the token PIN unblock applet 25 may access 165 the user's public and private cryptographic keys Kpri 135 , Kpub 140 and, with the exception of the user's digital certificate cert_t 142 containing the user's public key Kpub 140 , is prohibited by the security executive 75 from exporting any cryptographic keys or PIN data. Operations involving the token's private key Kpri 135 are tightly controlled to limit its use to only those operations necessary to support the token PIN unblock applet 25 .
- the public key infrastructure (PKI) keys in the preferred embodiment of the invention are intended to utilize 1,024 bit RSA keys but may include pretty good privacy (PGP), Diffie-Hellman (DH) or elliptic curve cryptography (ECC).
- the client PIN unblock application 30 is installed in the user's desktop and provides the user display and input dialogs for entry of a replacement PIN PIN_n 179 and displays the set of passphrases 195 retrieved from the remote server by the remote unblock service 35 . If the client 10 lacks the required client PIN unblock application 30 , a copy of the CUA (client unblock application) downloadable 176 may be retrieved from the remote server as previously described.
- CUA: client unblock application
- an authentication challenge Challenge_t 182 is generated by the token's security executive 75 and passed 150 along with the token's unique identifier 198 and digital certificate cert_t 210 via the client unblock application 30 and the network 20 to the remote unblock service 35 .
- the remote unblock service temporarily stores the initial challenge Challenge_t 182 and the token's digital certificate cert_t 210 for future use.
- mutual authentications are performed between the client unblock application 30 and the remote unblock service 35 by sending 200 a server based challenge Challenge_s 215 and digital certificate Cert_s 220 to the client unblock application 30 .
- Both digital certificates cert_t 210 and Cert_s 220 conform to X.509 standards.
- the incoming 155 replacement PIN PIN_n 179 passed by the client unblock application 30 is shown being temporarily stored by the token unblock applet 25 .
- the challenge Challenge_t 182 is generated by the security executive 75 and passed along with the user's digital certificate cert_t 142 and unique identifier 105 to the client unblock application 30 as described above.
- a secure communications session is established 50 A, 50 B between the client unblock application 30 and the remote unblock service 35 based on the latter authentication.
- the remote unblock service 35 retrieves the stored set of passphrases 195 using the token's unique identifier id 198 as a lookup reference.
- the passphrases 195 and counterpart administrative secret Secret_s 185 were originally stored in a record 188 associated with the token's unique identifier id 198 at the time the security token was personalized.
- the contents of the record 188 are separately encrypted with the user's public key.
- the remote unblock service generates an audit trail 192 of the PIN unblock transactions.
- the retrieved passphrases 195 are securely passed 20 to the client unblock application 173 where the user is prompted to enter responses 400 to the passphrases 195 .
- the user responses 400 are then hashed Hash_n 173 by the client unblock application 30 and securely passed 155 to the token unblock applet 25 .
- the incoming hashed user responses Hash_n 173 passed 155 from the client unblock application 30 are received by the token unblock applet 25 and compared to the reference hash Hash_o 110 . If the incoming hash Hash_n 173 does not match the reference hash Hash_o 110 , the user is alerted by the client unblock application 30 that the PIN unblock process has failed (not shown).
- the aforementioned security mechanism incorporated into the token PIN unblock applet 25 prevents excessive multiple attempts at unblocking the security token. No other messages are provided, which prevents a sophisticated hacker from attempting to determine where in the process the failure has occurred.
- a successful match between the user response Hash_n 173 and the reference hash Hash_o 110 results in a cryptogram 605 being generated.
- the cryptogram is comprised of the original challenge Challenge_t 182 and padding 600 which is encrypted by the token PIN unblock applet 25 using the private key Kpri 135 .
- the cryptogram is then passed 155 to the client unblock application 30 .
- the random padding 600 is generated by the security executive 75 preferably in accordance with public key cryptographic system (PKCS) #1 specifications. Padding is employed in the preferred embodiment of the invention to prevent surreptitious capture after receipt by the client, which is particularly advantageous when using an uncontrolled client.
- the cryptogram will be used by the remote PIN unblock service as a signal that the user has been successfully authenticated.
- the cryptogram 605 is received 155 by the client unblock application and passed 20 using the secure messaging protocol 50 A, 50 B to the remote unblock service 35 .
- the remote unblock service 35 decrypts the cryptogram using the public key Kpub 140 counterpart contained in the previously received digital certificate cert_t 210 .
- the remote unblock service 35 compares the decrypted result to the original challenge Challenge_t 182 while ignoring the extraneous padding. If the decrypted challenge does not match the original challenge Challenge_t 182 , the unblock process ends. As before, no other messages are provided. As before, the remote unblock service generates an audit trail 192 of the PIN unblock transactions.
- the remote unblock service 35 retrieves the counterpart administrative secret Secret_s 185 using the token's unique identifier as a lookup reference.
- the retrieved administrative secret Secret_s 185 is then encrypted using the public key Kpub 140 .
- the resulting cryptogram 805 is then passed 20 using the secure messaging protocol 50 A, 50 B to the client unblock application 30 .
- the client unblock application 30 securely and transparently passes 155 the cryptogram 805 to the token unblock applet 25 .
- cryptogram 805 is received 155 by the token unblock applet 25 and decrypted using the private key Kpri 135 .
- the resulting administrative secret Secret_s 185 is used in combination with the token shared secret Secret_t 115 to unblock the PIN block applet 120 .
- the replacement PIN_n 179A is then operatively installed as the active user PIN_n 179B.
- a completion message 905 is generated by the token unblock applet 25 which is passed 155 to the client unblock application 30 .
- the completion message 905 is then passed 20 using the secure messaging protocol 50 A, 50 B to the remote unblock service 35 where the audit trail 192 of the PIN unblock transactions is recorded.
- the initial process for generating and storing the passphrases is shown.
- the process is initiated 1100 by the user being prompted for a PIN 1105 .
- the user is then prompted for entry of one or more passphrases 1110 .
- the passphrases are then stored on a server 1145 indexed by a unique identifier associated with the security token.
- the initial passphrases are encrypted 1120 with the user's public key 1115 then stored and indexed as before 1145 .
- the user is then prompted to enter the answers to the passphrase 1125 .
- the answers are hashed 1135 using a one-way hash 1130 and stored inside the user's security token 1140 .
- the process ends 1150 after storage of the hashed passphrase answers.
- the authenticated PIN unblock process is shown.
- the process is initiated 1200 by requesting the PIN unlock service on an appropriately equipped local client 1205 .
- the local client performs an authentication and establishes a secure path between the local client and a remote server 1215 and transfers necessary parameters to retrieve the stored passphrases 1220 .
- the user is then prompted to enter a new PIN 1230 while the remote server retrieves and passes the user's passphrases to the local client 1240 .
- the passphrases are displayed and the user prompted to enter the appropriate answers 1255 .
- the passphrases are decrypted 1250 using the user's private key 1235 .
- the user's answers are then hashed 1260 using a one-way hash algorithm 1245 and compared with the stored hashed answers 1265 . If the hashed user answers match the stored hashed answers 1270 , a confirmatory message is securely sent to the server 1275 .
- the server retrieves and passes an encrypted unblock secret to the security token 1280 .
- the encrypted unblock secret is decrypted 1285 using the private key 1235 and used to unblock the security token 1290 and the new PIN activated 1210 .
- Another confirmatory message is securely sent to the server 1295 for audit trail purposes and the process ends 1310 . If the hashed user answers do not match the stored hashed answers 1270 and fewer than n attempts have occurred 1300 , the user is prompted to again enter the proper passphrase answers as before and the process is repeated. If more than n tries have occurred, the token is disabled 1305 and processing ends 1310 .
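The personalization and unblock flows above (FIG. 11 and FIG. 12), modelled end to end as an added example; this is not code from the patent. Assumptions: a toy RSA keypair from fixed Mersenne primes stands in for the token's 1,024-bit RSA key and PKCS#1 padding, a bare (n, e) tuple stands in for the X.509 certificate cert_t, SHA-256 replaces the SHA-1 the patent prefers, the rule "the PIN block applet accepts SHA-256(Secret_t || Secret_s)" is an assumed way of combining the two shared secrets, and the secure transport between client and server is left out.

```python
import hashlib
import hmac
import secrets

# Toy RSA keypair for the token from fixed Mersenne primes (deterministic, offline).
# Textbook RSA for illustration only; real tokens use generated keys and PKCS#1.
_P, _Q = (1 << 127) - 1, (1 << 107) - 1
_N, _E = _P * _Q, 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))  # needs Python 3.8+

def _rsa(value, exp, mod, out_len):
    # Modular exponentiation to fixed-size bytes; None if a bogus input does not fit.
    result = pow(int.from_bytes(value, "big"), exp, mod)
    return result.to_bytes(out_len, "big") if result < 1 << (8 * out_len) else None

def hash_answers(answers):
    # One-way digest of the normalised answers (the patent names SHA-1/MD5; SHA-256 here).
    return hashlib.sha256("\n".join(a.strip().lower() for a in answers).encode()).digest()

class Token:
    # PIN block applet plus PIN unblock applet; keys and PIN never leave the object.
    def __init__(self, token_id, pin, hash_o, secret_t, unblock_ref, max_tries=3):
        self.token_id, self._pin, self._hash_o = token_id, pin, hash_o
        self._secret_t, self._unblock_ref = secret_t, unblock_ref
        self.max_tries, self.pin_tries, self.unblock_tries = max_tries, 0, 0
        self.blocked, self.disabled, self._challenge = False, False, None
        self.cert = (_N, _E)  # stands in for cert_t; only the public half is exported
    def verify_pin(self, pin):
        ok = not (self.blocked or self.disabled) and hmac.compare_digest(pin, self._pin)
        self.pin_tries = 0 if ok else self.pin_tries + 1
        self.blocked = self.blocked or self.pin_tries >= self.max_tries
        return ok
    def start_unblock(self):
        # FIG. 3: only runnable while blocked; emits ID, Challenge_t and cert_t.
        if not self.blocked or self.disabled:
            return None
        self._challenge = secrets.token_bytes(16)
        return self.token_id, self._challenge, self.cert
    def check_answers(self, hash_n):
        # FIG. 5/6: compare Hash_n against Hash_o; on match sign the padded challenge.
        if self.disabled or self._challenge is None:
            return None
        if not hmac.compare_digest(hash_n, self._hash_o):
            self.unblock_tries += 1
            self.disabled = self.unblock_tries >= self.max_tries  # unrecoverable
            return None  # one uniform failure signal, nothing else leaks
        padded = self._challenge + secrets.token_bytes(8)  # random padding 600
        return _rsa(padded, _D, _N, 30)  # cryptogram 605
    def finish_unblock(self, cryptogram, new_pin):
        # FIG. 9: recover Secret_s; unblock if SHA-256(Secret_t || Secret_s) matches (assumed rule).
        secret_s = None if self.disabled else _rsa(cryptogram, _D, _N, 16)
        if secret_s is None:
            return None
        combined = hashlib.sha256(self._secret_t + secret_s).digest()
        if not hmac.compare_digest(combined, self._unblock_ref):
            return None
        self.blocked, self.pin_tries, self._pin, self._challenge = False, 0, new_pin, None
        return b"UNBLOCK-OK"  # completion message 905

class UnblockService:
    # Server PIN unblock service: personalization records, sessions, audit trail.
    def __init__(self):
        self.records, self.sessions, self.audit = {}, {}, []
    def get_passphrases(self, token_id, challenge, cert):
        # FIG. 4: look up by unique ID, keep Challenge_t and cert_t for verification.
        if token_id not in self.records:
            return None
        self.sessions[token_id] = (challenge, cert)
        self.audit.append((token_id, "passphrases-sent"))
        return self.records[token_id]["passphrases"]
    def release_secret(self, token_id, cryptogram):
        # FIG. 7/8: verify the signed challenge (ignoring padding), then encrypt Secret_s.
        challenge, (n, e) = self.sessions.pop(token_id, (None, (None, None)))
        recovered = _rsa(cryptogram, e, n, 24) if challenge else None
        if recovered is None or not hmac.compare_digest(recovered[:16], challenge):
            self.audit.append((token_id, "challenge-mismatch"))
            return None
        self.audit.append((token_id, "secret-released"))
        return _rsa(self.records[token_id]["secret_s"], e, n, 30)  # cryptogram 805
    def complete(self, token_id, message):
        self.audit.append((token_id, "completed" if message else "failed"))

def personalize(token_id, pin, passphrases, answers, service):
    # FIG. 11: server record gets passphrases + Secret_s (in clear here; the patent also
    # encrypts that record to the user's key), the token gets Hash_o + Secret_t.
    secret_t, secret_s = secrets.token_bytes(16), secrets.token_bytes(16)
    service.records[token_id] = {"passphrases": list(passphrases), "secret_s": secret_s}
    unblock_ref = hashlib.sha256(secret_t + secret_s).digest()
    return Token(token_id, pin, hash_answers(answers), secret_t, unblock_ref)

def client_unblock(token, service, answers, new_pin):
    # FIG. 12 from the client unblock application's view (secure transport assumed).
    start = token.start_unblock()  # (token_id, Challenge_t, cert_t) or None
    if start is None or service.get_passphrases(*start) is None:
        return False
    cryptogram = token.check_answers(hash_answers(answers))
    enc_secret = service.release_secret(start[0], cryptogram) if cryptogram else None
    done = token.finish_unblock(enc_secret, new_pin) if enc_secret else None
    service.complete(start[0], done)
    return done is not None
```

The server releases Secret_s only after the token-signed challenge verifies, the token never exports Kpri or the PIN, failures return one uniform signal, and after max_tries failed unblock runs the token becomes unrecoverable, matching the behaviour the definitions describe.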
Abstract
This invention provides a simple and secure PIN unblock mechanism for use with a security token. A set of one or more passphrases are stored on a remote server during personalization. Likewise, the answers to the passphrases are hashed and stored inside the security token for future comparison. A local client program provides the user input and display dialogs and ensures a secure communications channel is provided before passphrases are retrieved from the remote server. Retrieval of passphrases and an administrative unblock secret from the remote server are accomplished using a unique identifier associated with the security token, typically the token's serial number. A PIN unblock applet provides the administrative mechanisms to unblock the security token upon receipt of an administrative unblock shared secret. The remote server releases the administrative unblock shared secret only after a non-forgeable confirmatory message is received from the security token that the user has been properly authenticated. The administrative unblock shared secret is encrypted with the token's public key during transport to maximize security.
Description
- The present invention relates generally to a data processing system and method and more specifically to a data processing system and method for unblocking a security token by an authenticated user.
- A security token is used to store an entity, for example a user's digital identity. The digital identity has many uses, such as building access, signing of emails, access to computer systems and obtaining monetary trust. The inherent security mechanism that protects a user's digital identity from being used fraudulently is a combination of security token characteristics and a Personal Identification Number (PIN) known only to the user. The PIN is usually a four digit number which is used to authenticate the user to the security token. Successful authentication of the user to the security token allows the user access to the resources and data contained in or available using the security token.
- The use of a four digit number has an inherent weakness in today's E-commerce environment. A four digit number has only ten thousand possible combinations. As such, access to a lost or stolen security token could easily be accomplished by entry of random PIN combinations until the correct PIN is determined. To address this inherent weakness, a security mechanism is generally incorporated into the security token which counts the number of sequential incorrect PIN entries and blocks the security token from further access after a predetermined number of sequential incorrect PIN entries has occurred. This is the situation in which the security mechanism is designed to protect against.
- The security mechanism, while simple to implement and reasonably effective, may inadvertently block out an authorized user due to common keyboarding problems such as a stuck key, an incorrectly replaced key cover or difficulty in determining when a keyboard entry has registered. Another increasingly common problem is that a user will have memorized several PINs for various service providers, which lends itself to entry of incorrect PINs. Once blocked, the only way a user can regain access to his or her security token is to have the security mechanism reset by an appropriate support organization.
- This becomes problematic in large organizations as the time and effort to reset the security mechanism usually involves physical presentation of the security token by the user to the support organization. The physical presentation requirement allows the support organization to visually identify the authorized user and maintains close control over post issuance security token management. As is apparent, this process negatively impacts the productivity of both the user and the support organization and increases overall administrative costs to the organization.
- Alternatives to physical presentation of the security token include the use of a telephone support call center, an example of which is disclosed in U.S. Pat. No. 6,360,092 to Carrarra. The '092 patent requires a user to telephone a maintenance center to telemetrically reset the security mechanisms in the token. This method alleviates the physical presentation requirement but does not significantly reduce the productivity loss to the user and the support organization.
- Thus, it would be highly advantageous to provide a mechanism which allows an authenticated user to unblock their own security token, while ensuring that the user initiated unblocking procedure is securely performed to prevent fraudulent unblocking or otherwise compromising the resources or data contained in or available using the security token.
- This invention addresses the limitations described above and provides a secure mechanism that allows an authenticated user to unblock his or her security token. The invention has the advantage of utilizing normally existing cryptographic and administrative mechanisms to unblock a security token without having to physically identify the end user or require the assistance of a third party, and end-to-end security is maintained throughout the PIN reset process using those same cryptographic and administrative mechanisms.
- The PIN unblock mechanism utilizes responses to one or more passphrases which must be correctly answered before an administrator level PIN reset mechanism is performed. The initial answers to the passphrases are entered during the security token's personalization stage, hashed using a one-way message digest function and stored inside the security token in a manner not directly accessible via external processes.
- To practice this invention, a token PIN unblock applet is installed in the security token and associated with the token's security executive. The token PIN unblock applet is the only token based applet that a user can successfully initiate after the security token has been locked due to sequential incorrect PIN entries.
- The unblock applet includes the ability to compare the hashed passphrases results to the existing hashed passphrases answers, securely signal the remote server that the passphrases have been correctly answered, securely access cryptographic functions, receive and utilize administrator PIN unblock secrets and perform replacement of the locked user PIN with a new and unblocked user PIN after the security token is unblocked by the remote server. The token PIN unblock applet is written in such a way that it will never return either a cryptographic key or any decrypted data.
- A client PIN unblock application is installed in the user's desktop computer system, preferably as a downloadable browser application, which allows the user to initiate the PIN unblock applet installed in the security token. If the desktop computer system lacks the required client PIN unblock application, the user will need to download the application from a secure website. The client PIN unblock application provides the user interface dialogs, securely stores user inputs, causes a secure communications session to be established between the desktop computer system and the remote server, requests retrieval of the set of passphrases from the remote server, and securely passes the hashed responses to the passphrases and the administrator PIN unblock secrets to the token unblock applet.
- The remote server housing the passphrases includes a server PIN unblock service which retrieves the proper passphrases associated with the security token, provides the unblocking secret to the token PIN unblock applet following receipt of the signal from the token that the passphrases have been correctly answered and generates an audit trail of the PIN unblock transactions. The stored passphrases and unblock secrets are retrieved from the remote server using a unique identifier associated with the security token.
- All communications between the client and the server are performed using a secure messaging protocol, preferably IPsec. Mutual authentication is preferred and utilizes PKI credentials provided by a digital certificate contained in the security token and a separate digital certificate received from the server. Mutual authentication provides the additional advantage that either party can reject unauthenticated requests early, limiting denial of service (DoS) attacks.
- All unblock secrets sent from the server PIN unblock service are encrypted with the token's public key obtained from the digital certificate received during mutual authentication.
- The term “security token” as defined herein refers to hardware based security devices such as smart cards, integrated circuit cards, subscriber identification modules (SIM), wireless identification modules (WIM), identification tokens, secure application modules (SAM), hardware security modules (HSM), secure multi-media card (SMMC) and like devices.
- The features and advantages of the invention will become apparent from the following detailed description when considered in conjunction with the accompanying drawings. Where possible, the same reference numerals and characters are used to denote like features, elements, components or portions of the invention. It is intended that changes and modifications can be made to the described embodiment without departing from the true scope and spirit of the subject invention as defined in the claims.
- FIG. 1 is a general block diagram illustrating the major components and general arrangement of the invention.
- FIG. 1A is a detailed block diagram illustrating the arrangement of the PIN unblock applet included in a security token.
- FIG. 1B is a detailed block diagram illustrating the arrangement of the client unblock application included in the local client and its interrelationship with the remote unblock service included in the remote server.
- FIG. 2 is a detailed block diagram illustrating the initiation of a security token PIN unblock process at the local client where an initial set of parameters is passed from the local client to the remote server.
- FIG. 3 is a detailed block diagram illustrating the initiation of a security token PIN unblock process inside the security token where the initial set of parameters is generated by the security token and passed to the client unblock application.
- FIG. 4 is a detailed block diagram illustrating the continuation of the PIN unblock process between the remote server and the local client where a set of passphrases is retrieved by the remote server using one of the parameters passed by the client unblock application.
- FIG. 5 is a detailed block diagram illustrating the continuation of the PIN unblock process between the local client and the security token where a hash of answers is received from the client unblock application.
- FIG. 6 is a detailed block diagram illustrating the continuation of the PIN unblock process where an initial challenge is padded, encrypted using a private key forming a cryptogram and passed to the client unblock application.
- FIG. 7 is a detailed block diagram illustrating the continuation of the PIN unblock process between the local client and the remote server where the cryptogram containing a padded challenge is returned to the remote server and verified.
- FIG. 8 is a detailed block diagram illustrating the continuation of the PIN unblock process between the remote server and the local client where a cryptogram containing a PIN unblock secret is returned to the local client and passed to the security token.
- FIG. 9 is a detailed block diagram illustrating the continuation of the PIN unblock process between the security token and the local client where the cryptogram containing the PIN unblock secret is decrypted and used to unblock the security token. An affirmative response is passed from the security token to the local client for routing to the remote server.
- FIG. 10 is a detailed block diagram illustrating the continuation of the PIN unblock process between the local client and the remote server where the affirmative response is sent to the remote server signaling successful completion of the PIN unblock process.
- FIG. 11 is a detailed flow chart illustrating the major steps used in the invention to record and store a set of passphrases.
- FIG. 12 is a detailed flow chart illustrating the major steps used in the invention to unblock a user's security token.
- This invention provides a simple and secure PIN unblock mechanism for use with a security token. A set of one or more passphrases must be answered correctly before an administrative PIN unblock secret is passed to the security token. The initial answers to the passphrases are entered during the security token's personalization stage, hashed using a one-way message digest function and stored inside the security token in a manner not directly accessible via external processes.
- Referring to FIG. 1, a security token 5 is shown functionally connected to a local client 10. The security token includes a token PIN unblock applet 25 which performs the actual PIN unblock functions based on parameters passed from the client PIN unblock application 30 operatively installed in the local client.
- The local client 10 is operatively connected 50A to a telecommunications network 20 using a secure messaging protocol. In the preferred embodiment of the invention, IPsec is employed. Other secure messaging protocols such as secure socket layer (SSL) encryption, secure shell (SSH) encryption or transport layer security (TLS) may be implemented as well. The client PIN unblock application 30 provides user interface dialogs and passes messages between the token PIN unblock applet 25 and a server PIN unblock service installed on a remote server 15.
- The client PIN unblock application 30 is preferably a downloadable browser application or applet which allows the user to initiate the PIN unblock applet 25 installed in the security token 5. If the client 10 lacks the required client PIN unblock application 30, the user may download the application from a secure website. The uniform resource locator (URL) is usually printed on the back of the security token 5 or is otherwise known to the end user.
- The remote server 15 is shown operatively connected 50B to the network 20 and in processing communications with the local client 10 using the secure messaging protocol. The remote server 15 includes the server PIN unblock service 35. The server PIN unblock service 35 retrieves the applicable passphrases and an administrative unblock secret using parameters supplied or generated by the token PIN unblock applet 25.
- In FIG. 1A the token PIN unblock applet 25 is shown associated with the token's security executive 75. The security executive 75 provides symmetric and asymmetric cryptographic services, random number generation, authentication challenge generation and comparator functions when requested by the PIN unblock applet 25.
- The security executive 75 includes the ability to pass 150 a unique identifier ID 105 to external resources. The unique identifier 105 may be an internally masked token serial number or another obfuscated identifier unique to the security token.
- The token PIN unblock applet 25 communicates 155 with the client unblock application 30 and is the only token based applet that a user can successfully initiate after the security token has been blocked due to sequential incorrect PIN entries. A one-way message digest Hash_o 110 of the original answers to the set of passphrases is stored inside the security token and associated with the PIN unblock applet 25. The PIN unblock applet 25 includes the ability to compare the reference one-way message digest Hash_o 110 against a later hashed passphrase result passed to the applet by the client unblock application 30. The one-way message digest preferably uses SHA-1; however, other common message digest functions such as MD5 may be used as well, so long as consistency is maintained between the digest function used to create the reference hash and the one used for the subsequent response hash.
- An administrative shared secret Secret_t 115 is used to unblock an existing PIN block applet 120. The counterpart shared secret is securely stored on the remote server and is only passed to the PIN unblock applet 25 after a user has correctly entered the proper passphrase answers and the resulting hash has been verified against the reference hash Hash_o 110. The token PIN unblock applet 25 produces an encrypted message which is passed to the remote PIN unblock service, signaling successful user authentication. Successful verification of the encrypted message by the remote PIN unblock service causes the administrative counterpart shared secret to be securely sent to the PIN unblock applet 25. This mechanism is discussed in more detail in the discussion that follows herein.
- The administrative shared secret may be a symmetric cryptographic key or an administrative PIN. The PIN block applet 120 monitors the number of sequential incorrect PIN entries and prevents access to end user applets 130 and cryptographic keys 145 when the user's PIN PIN_b 125 has been blocked. The token PIN unblock applet 25 includes the functionality to replace 160 the blocked PIN PIN_b 125 following successful unblocking of the PIN block applet 120. A security mechanism is incorporated into the token PIN unblock applet 25 which, after a predefined number of sequential unsuccessful attempts to unblock the user's PIN, results in the security token becoming unrecoverable by the end user.
- The token PIN unblock applet 25 may access 165 the user's public and private cryptographic keys K_pri 135 and K_pub 140 and, with the exception of the user's digital certificate cert_t 142 containing the user's public key K_pub 140, is prohibited by the security executive 75 from exporting any cryptographic keys or PIN data. Operations involving the token's private key K_pri 135 are tightly controlled to limit its use to only those operations necessary to support the token PIN unblock applet 25. The public key infrastructure (PKI) keys in the preferred embodiment of the invention are 1,024 bit RSA keys, but pretty good privacy (PGP), Diffie-Hellman (DH) or elliptic curve cryptography (ECC) keys may be used instead.
- Referring to FIG. 1B, the client PIN unblock application 30 is installed in the user's desktop and provides the user display and input dialogs for entry of a replacement PIN PIN_n 179 and displays the set of passphrases 195 retrieved from the remote server by the remote unblock service 35. If the client 10 lacks the required client PIN unblock application 30, a downloadable copy 176 of the client unblock application may be retrieved from the remote server as previously described.
- Referring to FIG. 2, once the client unblock application 30 is initiated, the user is prompted to enter a replacement PIN PIN_n 179, which is securely passed 155 to the token unblock applet 25. Concurrently, an authentication challenge Challenge_t 182 is generated by the token's security executive 75 and passed 150, along with the token's unique identifier 198 and digital certificate cert_t 210, via the client unblock application 30 and over the network 20 to the remote unblock service 35. The remote unblock service temporarily stores the initial challenge Challenge_t 182 and the token's digital certificate cert_t 210 for future use. In an alternate embodiment of the invention, mutual authentication is performed between the client unblock application 30 and the remote unblock service 35 by sending 200 a server based challenge Challenge_s 215 and digital certificate Cert_s 220 to the client unblock application 30. Both digital certificates cert_t 210 and Cert_s 220 conform to the X.509 standard.
- Referring to FIG. 3, the incoming 155 replacement PIN PIN_n 179 passed by the client unblock application 30 is shown being temporarily stored by the token unblock applet 25. The challenge Challenge_t 182 is generated by the security executive 75 and passed along with the user's digital certificate cert_t 142 and unique identifier 105 to the client unblock application 30 as described above.
- In FIG. 4, a secure communications session is established 50A, 50B between the client unblock application 30 and the remote unblock service 35 based on the foregoing authentication. The remote unblock service 35 retrieves the stored set of passphrases 195 using the token's unique identifier id 198 as a lookup reference. The passphrases 195 and counterpart administrative secret Secret_s 185 were originally stored in a record 188 associated with the token's unique identifier id 198 at the time the security token was personalized.
- In an alternative embodiment of the invention, the contents of the record 188 are separately encrypted with the user's public key. The remote unblock service generates an audit trail 192 of the PIN unblock transactions. The retrieved passphrases 195 are securely passed over the network 20 to the client unblock application 30, where the user is prompted to enter responses 400 to the passphrases 195. The user responses 400 are then hashed by the client unblock application 30, producing Hash_n 173, which is securely passed 155 to the token unblock applet 25.
- Referring to FIG. 5, the incoming hashed user responses Hash_n 173 passed 155 from the client unblock application 30 are received by the token unblock applet 25 and compared to the reference hash Hash_o 110. If the incoming hash Hash_n 173 does not match the reference hash Hash_o 110, the user is alerted by the client unblock application 30 that the PIN unblock process has failed (not shown). The aforementioned security mechanism incorporated into the token PIN unblock applet 25 prevents excessive repeated attempts at unblocking the security token. No other messages are provided, which prevents a sophisticated attacker from determining where in the process the failure occurred.
- In FIG. 6, a successful match between the user response hash Hash_n 173 and the reference hash Hash_o 110 results in a cryptogram 605 being generated. The cryptogram is comprised of the original challenge Challenge_t 182 and padding 600, encrypted by the token PIN unblock applet 25 using the private key K_pri 135. The cryptogram is then passed 155 to the client unblock application 30. The random padding 600 is generated by the security executive 75, preferably in accordance with the Public Key Cryptography Standards (PKCS) #1 specification. Padding is employed in the preferred embodiment of the invention to prevent surreptitious capture of the cryptogram after receipt by the client, which is particularly advantageous when using an uncontrolled client. The cryptogram will be used by the remote PIN unblock service as a signal that the user has been successfully authenticated.
- In FIG. 7, the cryptogram 605 is received 155 by the client unblock application and passed over the network 20 using the secure messaging protocol to the remote unblock service 35. The remote unblock service 35 decrypts the cryptogram using the public key K_pub 140 counterpart contained in the previously received digital certificate cert_t 210.
- The remote unblock service 35 then compares the decrypted result to the original challenge Challenge_t 182 while ignoring the extraneous padding. If the decrypted challenge does not match the original challenge Challenge_t 182, the unblock process ends. As before, no other messages are provided, and the remote unblock service records the event in the audit trail 192 of the PIN unblock transactions.
- In FIG. 8, if the decrypted challenge does match the original challenge Challenge_t 182, the remote unblock service 35 retrieves the counterpart administrative secret Secret_s 185 using the token's unique identifier as a lookup reference. The retrieved administrative secret Secret_s 185 is then encrypted using the public key K_pub 140. The resulting cryptogram 805 is then passed over the network 20 using the secure messaging protocol to the client unblock application 30. The client unblock application 30 securely and transparently passes 155 the cryptogram 805 to the token unblock applet 25.
- Referring to FIG. 9, cryptogram 805 is received 155 by the token unblock applet 25 and decrypted using the private key K_pri 135. The resulting administrative secret Secret_s 185 is used in combination with the token shared secret Secret_t 115 to unblock the PIN block applet 120. The replacement PIN PIN_n 179A is then operatively installed as the active user PIN PIN_n 179B. After the unblocking process has successfully completed, a completion message 905 is generated by the token unblock applet 25 and passed 155 to the client unblock application 30.
- In FIG. 10, the completion message 905 is then passed over the network 20 using the secure messaging protocol to the remote unblock service 35, where it is recorded in the audit trail 192 of the PIN unblock transactions.
- In FIG. 11, the initial process for generating and storing the passphrases is shown. The process is initiated 1100 by the user being prompted for a PIN 1105. The user is then prompted for entry of one or more passphrases 1110. The passphrases are then stored on a server 1145, indexed by a unique identifier associated with the security token. In an alternative embodiment of the invention, the initial passphrases are encrypted 1120 with the user's public key 1115, then stored and indexed as before 1145. The user is then prompted to enter the answers to the passphrases 1125. The answers are hashed 1135 using a one-way hash 1130 and stored inside the user's security token 1140. The process ends 1150 after storage of the hashed passphrase answers.
- Lastly, referring to FIG. 12, the authenticated PIN unblock process is shown. The process is initiated 1200 by requesting the PIN unblock service on an appropriately equipped local client 1205. The local client performs an authentication, establishes a secure path between the local client and a remote server 1215, and transfers the parameters necessary to retrieve the stored passphrases 1220. The user is then prompted to enter a new PIN 1230 while the remote server retrieves and passes the user's passphrases to the local client 1240. The passphrases are displayed and the user is prompted to enter the appropriate answers 1255. In an alternate embodiment of the invention, the passphrases are decrypted 1250 using the user's private key 1235.
- The user's answers are then hashed 1260 using a one-way hash algorithm 1245 and compared with the stored hashed answers 1265. If the hashed user answers match the stored hashed answers 1270, a confirmatory message is securely sent to the server 1275. The server retrieves and passes an encrypted unblock secret to the security token 1280. The encrypted unblock secret is decrypted 1285 using the private key 1235 and used to unblock the security token 1290, and the new PIN is activated 1210.
- Another confirmatory message is securely sent to the server 1295 for audit trail purposes and the process ends 1310. If the hashed user answers do not match the stored hashed answers 1270 and fewer than n attempts have occurred 1300, the user is prompted to enter the proper answers again as before and the process is repeated. If n attempts have been exceeded, the token is disabled 1305 and processing ends 1310.
- The foregoing described embodiments of the invention are provided as illustrations and descriptions. They are not intended to limit the invention to the precise form described. In particular, it is contemplated that the functional implementation of the invention described herein may be implemented equivalently in hardware, software, firmware, and/or other available functional components or building blocks. No specific limitation is intended to a particular security token operating environment. Other variations and embodiments are possible in light of the above teachings, and it is not intended that this Detailed Description limit the scope of the invention, but rather the Claims following herein.
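The following Python is an added example, not part of the patent or of any product of its assignee. It simulates the personalization flow of FIG. 11 and the unblock flow of FIGS. 2 through 12 with the token, client and server as objects in one process, so the message order and the two decision points (Hash_n against Hash_o inside the token, and the challenge cryptogram at the server) can be run and inspected. Assumptions: a textbook RSA with a random byte prefix stands in for the PKCS#1 padding and 1,024-bit keys the patent specifies; SHA-256 stands in for SHA-1; the secure messaging channel and the X.509 certificate are represented by direct method calls and by passing the public key; the PIN block applet's retry counter is reduced to the `blocked` flag; all class, method and field names are hypothetical.

```python
import hashlib
import secrets

CHALLENGE_LEN = SECRET_LEN = PAD_LEN = 16   # bytes: Challenge_t, Secret_s/Secret_t, padding 600

def _is_probable_prime(n, rounds=32):        # Miller-Rabin for odd n
    r = ((n - 1) & (1 - n)).bit_length() - 1  # largest power of two dividing n - 1
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        for i in range(r):
            if x == n - 1 or (i == 0 and x == 1):
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p

def rsa_keygen(bits=512, e=65537):
    """Toy textbook RSA (assumption: demo only, no PKCS#1). Returns (Kpub, Kpri) = ((e, n), (d, n))."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)

def rsa_op(key, msg):                        # raw RSA; the key passed decides encrypt vs decrypt
    exp, n = key
    return pow(int.from_bytes(msg, "big"), exp, n).to_bytes((n.bit_length() + 7) // 8, "big")

def hash_answers(answers):                   # Hash_o / Hash_n: SHA-256 here, the patent prefers SHA-1
    return hashlib.sha256("\x1f".join(a.strip().lower() for a in answers).encode()).digest()

class SecurityToken:                         # security executive 75 + PIN block applet 120 + unblock applet 25
    MAX_UNBLOCK_TRIES = 3                    # wrong answer sets before the token is unrecoverable ("n", FIG. 12)

    def __init__(self, token_id, pin, hash_o, secret_t):
        self.token_id, self._pin, self._hash_o, self._secret_t = token_id, pin, hash_o, secret_t
        self.pub, self._priv = rsa_keygen()  # pub is exported in cert_t; _priv never leaves the token
        self.unblock_tries, self.blocked, self.disabled = 0, False, False
        self._pending_pin = self._challenge = None

    def verify_pin(self, pin):               # the PIN block applet 120 refuses once PIN_b is blocked
        return not (self.blocked or self.disabled) and secrets.compare_digest(pin, self._pin)

    def start_unblock(self, new_pin):        # FIG. 2/3: hold PIN_n, emit (id, Challenge_t, Kpub)
        self._pending_pin, self._challenge = new_pin, secrets.token_bytes(CHALLENGE_LEN)
        return self.token_id, self._challenge, self.pub

    def check_answers(self, hash_n):         # FIG. 5/6: on match, cryptogram 605 = Kpri(pad || Challenge_t)
        if self.disabled or not self.blocked or self._challenge is None:
            return None
        if not secrets.compare_digest(hash_n, self._hash_o):
            self.unblock_tries += 1
            self.disabled = self.unblock_tries >= self.MAX_UNBLOCK_TRIES
            return None                      # no further detail is given to the caller
        return rsa_op(self._priv, secrets.token_bytes(PAD_LEN) + self._challenge)

    def finish_unblock(self, cryptogram_805):  # FIG. 9: Secret_s must equal Secret_t, then install PIN_n
        if not secrets.compare_digest(rsa_op(self._priv, cryptogram_805)[-SECRET_LEN:], self._secret_t):
            return False
        self.blocked, self.unblock_tries = False, 0
        self._pin, self._pending_pin, self._challenge = self._pending_pin, None, None
        return True

class UnblockServer:                         # server PIN unblock service 35 with record 188 and audit trail 192
    def __init__(self):
        self.records, self._sessions, self.audit = {}, {}, []

    def begin(self, token_id, challenge_t, pub):   # FIG. 2/4: keep Challenge_t and Kpub, return the passphrases
        self._sessions[token_id] = (challenge_t, pub)
        return self.records[token_id][0]

    def release_secret(self, token_id, cryptogram_605):   # FIG. 7/8: Kpub(pad || Secret_s) only after a valid cryptogram
        challenge_t, pub = self._sessions.pop(token_id)
        if not secrets.compare_digest(rsa_op(pub, cryptogram_605)[-CHALLENGE_LEN:], challenge_t):
            self.audit.append(("auth-failed", token_id))
            return None
        self.audit.append(("secret-released", token_id))
        return rsa_op(pub, secrets.token_bytes(PAD_LEN) + self.records[token_id][1])

def personalise(token_id, pin, passphrases, answers, server):   # FIG. 11
    secret = secrets.token_bytes(SECRET_LEN)  # Secret_t == Secret_s (claim 6)
    server.records[token_id] = (list(passphrases), secret)
    return SecurityToken(token_id, pin, hash_answers(answers), secret)

def client_unblock(token, server, new_pin, answer_for):   # FIG. 12; answer_for(passphrase) -> the user's answer
    tid, challenge, pub = token.start_unblock(new_pin)
    answers = [answer_for(p) for p in server.begin(tid, challenge, pub)]
    cryptogram = token.check_answers(hash_answers(answers))
    enc_secret = cryptogram and server.release_secret(tid, cryptogram)
    done = bool(enc_secret) and token.finish_unblock(enc_secret)
    server.audit.append(("completed" if done else "failed", tid))   # FIG. 10: completion message 905
    return done
```

Two points a practitioner would check against this flow. The reference hash Hash_o is an unsalted digest of low-entropy answers, which is only tolerable because it never leaves the token and the applet enforces the attempt limit; the client hashes the plaintext answers, so an uncontrolled client sees them regardless. The random prefix makes each cryptogram 605 differ even for the same challenge, as the patent intends, but raw RSA on padded data is not a signature scheme; a real implementation would use RSA-PSS for the challenge response and RSA-OAEP for the secret transport.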
Claims (24)
1. A system which facilitates an authenticated user to unblock a temporarily blocked security token comprising:
a security executive associated with said token,
an unblock applet associated with said security executive,
a first secret associated with at least one unblock inquiry, and
a first shared secret associated with said unblock applet;
a client functionally connected to said security token including;
at least one client application for initiating an unblock procedure with said security token and a remote server,
said remote server in processing communications with said client including;
said at least one unblock inquiry,
at least one unblock service application, responsive to said at least one client application, and
a second shared secret,
wherein said at least one unblock inquiry and said second shared secret are progressively sent to said unblock applet for unblocking said security token.
2. The system according to claim 1 wherein said first secret is a one way hash of an answer to said at least one unblock inquiry.
3. The system according to claim 2 wherein said security token further includes a private asymmetric key.
4. The system according to claim 3 wherein said server further includes a public asymmetric key counterpart to said private asymmetric key.
5. The system according to claim 4 wherein said at least one unblock inquiry is encrypted with said public asymmetric key.
6. The system according to claim 1 wherein said first shared secret is equal to said second shared secret.
7. The system according to claim 5 wherein said second shared secret is encrypted with said public asymmetric key.
8. The system according to claim 7 wherein said second shared secret is an administrative PIN.
9. The system according to claim 8 wherein said second shared secret is a symmetric key.
10. The system according to claim 7 wherein said second shared secret is decrypted with said private asymmetric key.
11. The remote server according to claim 1 further including means for providing an audit trail of said unblock procedure.
12. The system according to claim 1 wherein said second shared secret is sent to said security token upon receipt of a properly encoded message by said at least one unblock service application.
13. The system according to claim 1 wherein said at least one unblock inquiry includes a passphrase.
14. The system according to claim 1 wherein said processing communications includes a secure communications protocol.
15. A method for generating and storing at least one passphrase and answers associated with said at least one passphrase, facilitating an authenticated user to unblock a temporarily blocked security token comprising:
generating said at least one passphrase,
associating said at least one passphrase with a unique identifier,
storing said at least one passphrase on a server in a manner retrievable using said unique identifier,
generating said answers associated with said at least one passphrase,
performing a message digest function on said answers associated with said at least one passphrase,
storing a result of said message digest function in a security token associated with said authenticated user, and
wherein said unique identifier is associated with said security token.
16. The method according to claim 15 further including the step of encrypting said at least one passphrase with a public asymmetric key associated with said security token.
17. A method which facilitates an authenticated user to unblock a temporarily blocked security token comprising:
a. executing a PIN unblock application on a local client to which said security token is operatively connected,
b. passing a set of parameters from said security token via said PIN unblock application to a remote PIN unblock service,
c. using at least one of said set of parameters for retrieving and locally displaying at least one passphrase from said PIN unblock service,
d. entering an appropriate response to said at least one passphrase,
e. performing a mathematical function on said appropriate response,
f. comparing said result of said mathematical function to an existing reference,
g. sending a confirmatory message to said remote PIN unblock service if said result of said mathematical function matches said existing reference or ending processing if no match is found,
h. retrieving an unblocking secret using said at least one of said set of parameters upon receipt of said confirmatory message,
i. sending said unblocking secret to said security token,
j. unblocking said security token using said unblocking secret.
18. The method according to claim 17 further including the step of using said at least one of said set of parameters to establish a secure communications channel between said remote PIN unblock service and said PIN unblock application.
19. The method according to claim 18 further including the step of entering a replacement PIN when prompted by said PIN unblock application.
20. The method according to claim 17 wherein said at least one of said set of parameters includes an authentication challenge, a unique identifier and a digital certificate.
21. A computer program product embodied in a tangible form which provides computer executable instructions to perform the steps of:
a. generating user display and input dialogs,
b. passing a set of parameters from said security token via said PIN unblock application to a remote PIN unblock service,
c. using at least one of said set of parameters for retrieving and locally displaying at least one passphrase from said PIN unblock service,
d. prompting for entry of an appropriate response to said at least one passphrase,
e. performing a mathematical function on said appropriate response,
f. comparing said result of said mathematical function to an existing reference,
g. sending a confirmatory message to said remote PIN unblock service if said result of said mathematical function matches said existing reference or ending processing if no match is found,
h. retrieving an unblocking secret using said at least one of said set of parameters upon receipt of said confirmatory message,
i. sending said unblocking secret to said security token,
j. unblocking said security token using said unblocking secret.
22. The computer program product according to claim 21 further including the step of using said at least one of said set of parameters to establish a secure communications channel between said remote PIN unblock service and said PIN unblock application.
23. The computer program product according to claim 22 further including the step of prompting for the entry of a replacement PIN.
24. The computer program product according to claim 21 wherein said at least one of said set of parameters includes an authentication challenge, a unique identifier and a digital certificate.
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/305,179 US20040103325A1 (en) | 2002-11-27 | 2002-11-27 | Authenticated remote PIN unblock |
EP03292918A EP1429229A1 (en) | 2002-11-27 | 2003-11-25 | Authenticated remote unblock of a PIN |
US11/834,560 US8495381B2 (en) | 2002-11-27 | 2007-08-06 | Authenticated remote PIN unblock |
US13/922,582 US9118668B1 (en) | 2002-11-27 | 2013-06-20 | Authenticated remote pin unblock |
US14/800,807 US9560041B2 (en) | 2002-11-27 | 2015-07-16 | Authenticated remote pin unblock |
US15/381,332 US9893892B2 (en) | 2002-11-27 | 2016-12-16 | Authenticated remote pin unblock |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/305,179 US20040103325A1 (en) | 2002-11-27 | 2002-11-27 | Authenticated remote PIN unblock |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/834,560 Continuation US8495381B2 (en) | 2002-11-27 | 2007-08-06 | Authenticated remote PIN unblock |
Publications (1)
Publication Number | Publication Date |
---|---|
US20040103325A1 true US20040103325A1 (en) | 2004-05-27 |
Family
ID=32325375
Family Applications (5)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/305,179 Abandoned US20040103325A1 (en) | 2002-11-27 | 2002-11-27 | Authenticated remote PIN unblock |
US11/834,560 Expired - Fee Related US8495381B2 (en) | 2002-11-27 | 2007-08-06 | Authenticated remote PIN unblock |
US13/922,582 Expired - Fee Related US9118668B1 (en) | 2002-11-27 | 2013-06-20 | Authenticated remote pin unblock |
US14/800,807 Expired - Lifetime US9560041B2 (en) | 2002-11-27 | 2015-07-16 | Authenticated remote pin unblock |
US15/381,332 Expired - Lifetime US9893892B2 (en) | 2002-11-27 | 2016-12-16 | Authenticated remote pin unblock |
Family Applications After (4)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/834,560 Expired - Fee Related US8495381B2 (en) | 2002-11-27 | 2007-08-06 | Authenticated remote PIN unblock |
US13/922,582 Expired - Fee Related US9118668B1 (en) | 2002-11-27 | 2013-06-20 | Authenticated remote pin unblock |
US14/800,807 Expired - Lifetime US9560041B2 (en) | 2002-11-27 | 2015-07-16 | Authenticated remote pin unblock |
US15/381,332 Expired - Lifetime US9893892B2 (en) | 2002-11-27 | 2016-12-16 | Authenticated remote pin unblock |
Country Status (2)
Country | Link |
---|---|
US (5) | US20040103325A1 (en) |
EP (1) | EP1429229A1 (en) |
Cited By (66)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030051146A1 (en) * | 2001-09-11 | 2003-03-13 | Akihiro Ebina | Security realizing system in network |
US20040221169A1 (en) * | 2003-01-30 | 2004-11-04 | Lee Stephen J. | Computer-implemented method for controlling execution of application software by a computer terminal |
US20050138421A1 (en) * | 2003-12-23 | 2005-06-23 | Fedronic Dominique L.J. | Server mediated security token access |
US20050289652A1 (en) * | 2004-06-25 | 2005-12-29 | Sun Microsystems, Inc. | Server authentication in non-secure channel card pin reset methods and computer implemented processes |
US20060005037A1 (en) * | 2004-02-26 | 2006-01-05 | Metavante Corporation | Non-algorithmic vectored steganography |
US20060088164A1 (en) * | 2004-10-04 | 2006-04-27 | Recht Benjamin H | Cryptographic system and methods using a one way multidimensional function |
US20070016743A1 (en) * | 2005-07-14 | 2007-01-18 | Ironkey, Inc. | Secure storage device with offline code entry |
US20070067620A1 (en) * | 2005-09-06 | 2007-03-22 | Ironkey, Inc. | Systems and methods for third-party authentication |
US20070101434A1 (en) * | 2005-07-14 | 2007-05-03 | Ironkey, Inc. | Recovery of encrypted data from a secure storage device |
US20070288747A1 (en) * | 2006-06-07 | 2007-12-13 | Nang Kon Kwan | Methods and systems for managing identity management security domains |
US20070300031A1 (en) * | 2006-06-22 | 2007-12-27 | Ironkey, Inc. | Memory data shredder |
US20070300052A1 (en) * | 2005-07-14 | 2007-12-27 | Jevans David A | Recovery of Data Access for a Locked Secure Storage Device |
US20080005339A1 (en) * | 2006-06-07 | 2008-01-03 | Nang Kon Kwan | Guided enrollment and login for token users |
US20080022086A1 (en) * | 2006-06-06 | 2008-01-24 | Red. Hat, Inc. | Methods and system for a key recovery plan |
US20080022122A1 (en) * | 2006-06-07 | 2008-01-24 | Steven William Parkinson | Methods and systems for entropy collection for server-side key generation |
US20080019526A1 (en) * | 2006-06-06 | 2008-01-24 | Red Hat, Inc. | Methods and systems for secure key delivery |
US20080046982A1 (en) * | 2006-06-07 | 2008-02-21 | Steven William Parkinson | Methods and systems for remote password reset using an authentication credential managed by a third party |
US20080059790A1 (en) * | 2006-08-31 | 2008-03-06 | Steven William Parkinson | Methods, apparatus and systems for smartcard factory |
US20080059793A1 (en) * | 2006-08-31 | 2008-03-06 | Lord Robert B | Methods and systems for phone home token registration |
US20080069338A1 (en) * | 2006-08-31 | 2008-03-20 | Robert Relyea | Methods and systems for verifying a location factor associated with a token |
US20080069341A1 (en) * | 2006-08-23 | 2008-03-20 | Robert Relyea | Methods and systems for strong encryption |
US20080133514A1 (en) * | 2006-12-04 | 2008-06-05 | Robert Relyea | Method and Apparatus for Organizing an Extensible Table for Storing Cryptographic Objects |
US20080189543A1 (en) * | 2007-02-02 | 2008-08-07 | Steven William Parkinson | Method and system for reducing a size of a security-related data object stored on a token |
US20080209225A1 (en) * | 2007-02-28 | 2008-08-28 | Robert Lord | Methods and systems for assigning roles on a token |
US20080209224A1 (en) * | 2007-02-28 | 2008-08-28 | Robert Lord | Method and system for token recycling |
US20080229401A1 (en) * | 2007-03-13 | 2008-09-18 | John Magne | Methods and systems for configurable smartcard |
US20080263656A1 (en) * | 2005-11-29 | 2008-10-23 | Masaru Kosaka | Device, System and Method of Performing an Administrative Operation on a Security Token |
US20090119215A1 (en) * | 2007-11-07 | 2009-05-07 | Microsoft Corporation | Secure e-payments |
US7536722B1 (en) * | 2005-03-25 | 2009-05-19 | Sun Microsystems, Inc. | Authentication system for two-factor authentication in enrollment and pin unblock |
US20090276623A1 (en) * | 2005-07-14 | 2009-11-05 | David Jevans | Enterprise Device Recovery |
US20090276837A1 (en) * | 2008-04-30 | 2009-11-05 | Microsoft Corporation | Credential equivalency and control |
US20090300756A1 (en) * | 2008-05-30 | 2009-12-03 | Kashyap Merchant | System and Method for Authentication |
US20100228906A1 (en) * | 2009-03-06 | 2010-09-09 | Arunprasad Ramiya Mothilal | Managing Data in a Non-Volatile Memory System |
US7822209B2 (en) | 2006-06-06 | 2010-10-26 | Red Hat, Inc. | Methods and systems for key recovery for a token |
US20110035574A1 (en) * | 2009-08-06 | 2011-02-10 | David Jevans | Running a Computer from a Secure Portable Device |
US20110131639A1 (en) * | 2009-11-27 | 2011-06-02 | International Business Machines Corporation | Secure PIN Management of a User Trusted Device |
US7992203B2 (en) | 2006-05-24 | 2011-08-02 | Red Hat, Inc. | Methods and systems for secure shared smartcard access |
US8042163B1 (en) * | 2004-05-20 | 2011-10-18 | Symatec Operating Corporation | Secure storage access using third party capability tokens |
US20110270762A1 (en) * | 2010-04-30 | 2011-11-03 | Gsimedia Corporation | Secure Data Transfer From a Vending Device to Portable Data Storage Devices |
US20110271119A1 (en) * | 2010-04-30 | 2011-11-03 | Gsimedia Corporation | Secure Data Storage and Transfer for Portable Data Storage Devices |
US20120084855A1 (en) * | 2010-10-01 | 2012-04-05 | Omnikey Gmbh | Secure pin reset process |
US8180741B2 (en) | 2006-06-06 | 2012-05-15 | Red Hat, Inc. | Methods and systems for providing data objects on a token |
US8266378B1 (en) | 2005-12-22 | 2012-09-11 | Imation Corp. | Storage device with accessible partitions |
US8332637B2 (en) | 2006-06-06 | 2012-12-11 | Red Hat, Inc. | Methods and systems for nonce generation in a token |
US8356342B2 (en) | 2006-08-31 | 2013-01-15 | Red Hat, Inc. | Method and system for issuing a kill sequence for a token |
US8381294B2 (en) | 2005-07-14 | 2013-02-19 | Imation Corp. | Storage device with website trust indication |
US8412927B2 (en) | 2006-06-07 | 2013-04-02 | Red Hat, Inc. | Profile framework for token processing system |
US20130097427A1 (en) * | 2011-10-12 | 2013-04-18 | Goldkey Security Corporation | Soft-Token Authentication System |
US8495380B2 (en) | 2006-06-06 | 2013-07-23 | Red Hat, Inc. | Methods and systems for server-side key generation |
US8639873B1 (en) | 2005-12-22 | 2014-01-28 | Imation Corp. | Detachable storage device with RAM cache |
US20140044265A1 (en) * | 2012-08-10 | 2014-02-13 | Cryptography Research, Inc. | Secure feature and key management in integrated circuits |
US8683088B2 (en) | 2009-08-06 | 2014-03-25 | Imation Corp. | Peripheral device data integrity |
US8806219B2 (en) | 2006-08-23 | 2014-08-12 | Red Hat, Inc. | Time-based function back-off |
US20150195273A1 (en) * | 2007-09-28 | 2015-07-09 | Pulse Secure, Llc | Updating stored passwords |
US20150235211A1 (en) * | 2006-04-05 | 2015-08-20 | Simon Hurry | System and method for account identifier obfuscation |
US20150242595A1 (en) * | 2014-02-25 | 2015-08-27 | Hui Lin | Secure data storage and transfer for portable data storage devices |
US20170054560A1 (en) * | 2015-08-23 | 2017-02-23 | Hui Lin | Secure data storage and transfer for portable data storage devices |
US9887978B2 (en) | 2015-06-23 | 2018-02-06 | Veritas Technologies Llc | System and method for centralized configuration and authentication |
CN108696870A (en) * | 2018-04-26 | 2018-10-23 | 越亮传奇科技股份有限公司 | A kind of mobile terminal authentication method based on SWP-SIM technologies |
US10152530B1 (en) | 2013-07-24 | 2018-12-11 | Symantec Corporation | Determining a recommended control point for a file system |
US10574463B2 (en) * | 2015-02-06 | 2020-02-25 | eStorm Co., LTD | Authentication method and system |
US10599877B2 (en) * | 2017-04-13 | 2020-03-24 | At&T Intellectual Property I, L.P. | Protecting content on a display device from a field-of-view of a person or device |
US10757104B1 (en) | 2015-06-29 | 2020-08-25 | Veritas Technologies Llc | System and method for authentication in a computing system |
EP3783938A1 (en) * | 2019-08-19 | 2021-02-24 | Thales Dis France SA | A method for resetting a personal code of a user of a telecommunication terminal and corresponding applet and server |
EP3975012A1 (en) * | 2020-09-29 | 2022-03-30 | Thales DIS France SA | Method for managing a pin code in a biometric smart card |
US11844144B2 (en) * | 2017-10-27 | 2023-12-12 | Telefonaktiebolaget Lm Ericsson (Publ) | Customized PIN/PUK remote provisioning |
Families Citing this family (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102005045886A1 (en) * | 2005-09-26 | 2007-04-12 | Giesecke & Devrient Gmbh | Unlock mobile phone cards |
DE102005045887A1 (en) * | 2005-09-26 | 2007-04-12 | Giesecke & Devrient Gmbh | Unlock mobile phone cards |
US10778417B2 (en) * | 2007-09-27 | 2020-09-15 | Clevx, Llc | Self-encrypting module with embedded wireless user authentication |
US10181055B2 (en) * | 2007-09-27 | 2019-01-15 | Clevx, Llc | Data security system with encryption |
US10783232B2 (en) | 2007-09-27 | 2020-09-22 | Clevx, Llc | Management system for self-encrypting managed devices with embedded wireless user authentication |
US11190936B2 (en) * | 2007-09-27 | 2021-11-30 | Clevx, Llc | Wireless authentication system |
US8832815B2 (en) * | 2009-09-09 | 2014-09-09 | T-Mobile Usa, Inc. | Accessory based data distribution |
US8933813B2 (en) * | 2010-01-19 | 2015-01-13 | T-Mobile Usa, Inc. | Interactive electronic device shell |
US8924733B2 (en) * | 2010-06-14 | 2014-12-30 | International Business Machines Corporation | Enabling access to removable hard disk drives |
CN103326857B (en) * | 2013-05-22 | 2016-06-29 | 天地融科技股份有限公司 | The writing method of sequence number of E-token dynamic password card and E-token dynamic password card |
DE102015210294A1 (en) * | 2015-06-03 | 2016-12-08 | Siemens Aktiengesellschaft | Client device and server device for secure activation of functions of a client |
US10796311B2 (en) | 2017-03-31 | 2020-10-06 | Mastercard International Incorporated | Authentication using transaction history |
CN107483509B (en) * | 2017-10-09 | 2019-12-03 | 武汉斗鱼网络科技有限公司 | A kind of auth method, server and readable storage medium storing program for executing |
TWI652597B (en) * | 2017-12-05 | 2019-03-01 | 緯創資通股份有限公司 | Electronic device and unlocking method thereof |
US20230237501A1 (en) * | 2022-01-25 | 2023-07-27 | Dell Products, L.P. | Online warranty updating system and method of using the same |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5719941A (en) * | 1996-01-12 | 1998-02-17 | Microsoft Corporation | Method for changing passwords on a remote computer |
US5768373A (en) * | 1996-05-06 | 1998-06-16 | Symantec Corporation | Method for providing a secure non-reusable one-time password |
US5953422A (en) * | 1996-12-31 | 1999-09-14 | Compaq Computer Corporation | Secure two-piece user authentication in a computer network |
US5991882A (en) * | 1996-06-03 | 1999-11-23 | Electronic Data Systems Corporation | Automated password reset |
US6216229B1 (en) * | 1993-10-04 | 2001-04-10 | Addison M. Fischer | Method for preventing inadvertent betrayal by a trustee of escrowed digital secrets |
US6360092B1 (en) * | 1997-05-20 | 2002-03-19 | Gemplus | Remote unblocking of access to a telecommunication service |
US6360322B1 (en) * | 1998-09-28 | 2002-03-19 | Symantec Corporation | Automatic recovery of forgotten passwords |
Family Cites Families (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5201000A (en) * | 1991-09-27 | 1993-04-06 | International Business Machines Corporation | Method for generating public and private key pairs without using a passphrase |
US6012307A (en) * | 1997-12-24 | 2000-01-11 | Ratheon Commercial Laundry Llc | Dry-cleaning machine with controlled agitation |
CA2344448A1 (en) * | 1998-09-17 | 2000-03-23 | Kenneth S. Hancock | Apparatus and methods for unlocking password protected software systems to recover master password |
JP3586787B2 (en) * | 1999-08-02 | 2004-11-10 | ミネベア株式会社 | Coordinate input device |
US6725382B1 (en) * | 1999-12-06 | 2004-04-20 | Avaya Technology Corp. | Device security mechanism based on registered passwords |
DE10124427A1 (en) * | 2000-07-07 | 2002-01-17 | Ibm | Communication device authentication method compares hash values of transmission and reception devices provided using hash value algorithm |
US7219235B2 (en) * | 2001-03-22 | 2007-05-15 | Bridgepoint Systems, Inc. | Locked portal unlocking control apparatus and method |
US7162736B2 (en) * | 2001-08-20 | 2007-01-09 | Schlumberger Omnes, Inc. | Remote unblocking with a security agent |
KR101047641B1 (en) * | 2002-10-07 | 2011-07-08 | 텔레폰악티에볼라겟엘엠에릭슨(펍) | Enhance security and privacy for security devices |
US8429724B2 (en) * | 2006-04-25 | 2013-04-23 | Seagate Technology Llc | Versatile access control system |
US8639940B2 (en) * | 2007-02-28 | 2014-01-28 | Red Hat, Inc. | Methods and systems for assigning roles on a token |
EP2108628A1 (en) * | 2008-04-10 | 2009-10-14 | TRICOSAL GmbH & Co. KG | Set retarder for hydraulic setting compositions |
GB2480581B (en) * | 2009-03-12 | 2014-05-07 | Hewlett Packard Development Co | Dynamic remote peripheral binding |
US8838982B2 (en) * | 2011-09-21 | 2014-09-16 | Visa International Service Association | Systems and methods to secure user identification |
EP2665295B1 (en) * | 2012-05-14 | 2018-02-21 | Uros Technology S.à r.l. | Security code(s) of apparatus having at least one SIM |
- 2002
  - 2002-11-27 US US10/305,179 patent/US20040103325A1/en not_active Abandoned
- 2003
  - 2003-11-25 EP EP03292918A patent/EP1429229A1/en not_active Withdrawn
- 2007
  - 2007-08-06 US US11/834,560 patent/US8495381B2/en not_active Expired - Fee Related
- 2013
  - 2013-06-20 US US13/922,582 patent/US9118668B1/en not_active Expired - Fee Related
- 2015
  - 2015-07-16 US US14/800,807 patent/US9560041B2/en not_active Expired - Lifetime
- 2016
  - 2016-12-16 US US15/381,332 patent/US9893892B2/en not_active Expired - Lifetime
Cited By (112)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030051146A1 (en) * | 2001-09-11 | 2003-03-13 | Akihiro Ebina | Security realizing system in network |
US20040221169A1 (en) * | 2003-01-30 | 2004-11-04 | Lee Stephen J. | Computer-implemented method for controlling execution of application software by a computer terminal |
US20050138421A1 (en) * | 2003-12-23 | 2005-06-23 | Fedronic Dominique L.J. | Server mediated security token access |
US20060005037A1 (en) * | 2004-02-26 | 2006-01-05 | Metavante Corporation | Non-algorithmic vectored steganography |
WO2005082104A3 (en) * | 2004-02-26 | 2007-02-01 | Metavante Corp | Non-algorithmic vectored steganography |
US7222365B2 (en) * | 2004-02-26 | 2007-05-22 | Metavante Corporation | Non-algorithmic vectored steganography |
US8042163B1 (en) * | 2004-05-20 | 2011-10-18 | Symatec Operating Corporation | Secure storage access using third party capability tokens |
US20050289652A1 (en) * | 2004-06-25 | 2005-12-29 | Sun Microsystems, Inc. | Server authentication in non-secure channel card pin reset methods and computer implemented processes |
US7617390B2 (en) * | 2004-06-25 | 2009-11-10 | Sun Microsystems, Inc. | Server authentication in non-secure channel card pin reset methods and computer implemented processes |
US20060088164A1 (en) * | 2004-10-04 | 2006-04-27 | Recht Benjamin H | Cryptographic system and methods using a one way multidimensional function |
US8041037B2 (en) * | 2004-10-04 | 2011-10-18 | Massachusetts Institute Of Technology | Cryptographic system and methods using a one way multidimensional function |
US7536722B1 (en) * | 2005-03-25 | 2009-05-19 | Sun Microsystems, Inc. | Authentication system for two-factor authentication in enrollment and pin unblock |
US8505075B2 (en) | 2005-07-14 | 2013-08-06 | Marble Security, Inc. | Enterprise device recovery |
US20090276623A1 (en) * | 2005-07-14 | 2009-11-05 | David Jevans | Enterprise Device Recovery |
US8438647B2 (en) | 2005-07-14 | 2013-05-07 | Imation Corp. | Recovery of encrypted data from a secure storage device |
US8381294B2 (en) | 2005-07-14 | 2013-02-19 | Imation Corp. | Storage device with website trust indication |
US8335920B2 (en) | 2005-07-14 | 2012-12-18 | Imation Corp. | Recovery of data access for a locked secure storage device |
US8321953B2 (en) * | 2005-07-14 | 2012-11-27 | Imation Corp. | Secure storage device with offline code entry |
US20070300052A1 (en) * | 2005-07-14 | 2007-12-27 | Jevans David A | Recovery of Data Access for a Locked Secure Storage Device |
US20070101434A1 (en) * | 2005-07-14 | 2007-05-03 | Ironkey, Inc. | Recovery of encrypted data from a secure storage device |
US20070016743A1 (en) * | 2005-07-14 | 2007-01-18 | Ironkey, Inc. | Secure storage device with offline code entry |
US20070067620A1 (en) * | 2005-09-06 | 2007-03-22 | Ironkey, Inc. | Systems and methods for third-party authentication |
US8387125B2 (en) * | 2005-11-29 | 2013-02-26 | K.K. Athena Smartcard Solutions | Device, system and method of performing an administrative operation on a security token |
US20080263656A1 (en) * | 2005-11-29 | 2008-10-23 | Masaru Kosaka | Device, System and Method of Performing an Administrative Operation on a Security Token |
US8266378B1 (en) | 2005-12-22 | 2012-09-11 | Imation Corp. | Storage device with accessible partitions |
US8639873B1 (en) | 2005-12-22 | 2014-01-28 | Imation Corp. | Detachable storage device with RAM cache |
US8543764B2 (en) | 2005-12-22 | 2013-09-24 | Imation Corp. | Storage device with accessible partitions |
US20150235211A1 (en) * | 2006-04-05 | 2015-08-20 | Simon Hurry | System and method for account identifier obfuscation |
US7992203B2 (en) | 2006-05-24 | 2011-08-02 | Red Hat, Inc. | Methods and systems for secure shared smartcard access |
US8495380B2 (en) | 2006-06-06 | 2013-07-23 | Red Hat, Inc. | Methods and systems for server-side key generation |
US8762350B2 (en) | 2006-06-06 | 2014-06-24 | Red Hat, Inc. | Methods and systems for providing data objects on a token |
US20080022086A1 (en) * | 2006-06-06 | 2008-01-24 | Red. Hat, Inc. | Methods and system for a key recovery plan |
US8364952B2 (en) | 2006-06-06 | 2013-01-29 | Red Hat, Inc. | Methods and system for a key recovery plan |
US20080019526A1 (en) * | 2006-06-06 | 2008-01-24 | Red Hat, Inc. | Methods and systems for secure key delivery |
US9450763B2 (en) | 2006-06-06 | 2016-09-20 | Red Hat, Inc. | Server-side key generation |
US8332637B2 (en) | 2006-06-06 | 2012-12-11 | Red Hat, Inc. | Methods and systems for nonce generation in a token |
US7822209B2 (en) | 2006-06-06 | 2010-10-26 | Red Hat, Inc. | Methods and systems for key recovery for a token |
US8180741B2 (en) | 2006-06-06 | 2012-05-15 | Red Hat, Inc. | Methods and systems for providing data objects on a token |
US8098829B2 (en) | 2006-06-06 | 2012-01-17 | Red Hat, Inc. | Methods and systems for secure key delivery |
US8412927B2 (en) | 2006-06-07 | 2013-04-02 | Red Hat, Inc. | Profile framework for token processing system |
US20080046982A1 (en) * | 2006-06-07 | 2008-02-21 | Steven William Parkinson | Methods and systems for remote password reset using an authentication credential managed by a third party |
US8589695B2 (en) | 2006-06-07 | 2013-11-19 | Red Hat, Inc. | Methods and systems for entropy collection for server-side key generation |
US20070288747A1 (en) * | 2006-06-07 | 2007-12-13 | Nang Kon Kwan | Methods and systems for managing identity management security domains |
US9769158B2 (en) | 2006-06-07 | 2017-09-19 | Red Hat, Inc. | Guided enrollment and login for token users |
US8099765B2 (en) * | 2006-06-07 | 2012-01-17 | Red Hat, Inc. | Methods and systems for remote password reset using an authentication credential managed by a third party |
US20080005339A1 (en) * | 2006-06-07 | 2008-01-03 | Nang Kon Kwan | Guided enrollment and login for token users |
US8707024B2 (en) | 2006-06-07 | 2014-04-22 | Red Hat, Inc. | Methods and systems for managing identity management security domains |
US20080022122A1 (en) * | 2006-06-07 | 2008-01-24 | Steven William Parkinson | Methods and systems for entropy collection for server-side key generation |
US20070300031A1 (en) * | 2006-06-22 | 2007-12-27 | Ironkey, Inc. | Memory data shredder |
US8806219B2 (en) | 2006-08-23 | 2014-08-12 | Red Hat, Inc. | Time-based function back-off |
US20080069341A1 (en) * | 2006-08-23 | 2008-03-20 | Robert Relyea | Methods and systems for strong encryption |
US8787566B2 (en) | 2006-08-23 | 2014-07-22 | Red Hat, Inc. | Strong encryption |
US8074265B2 (en) | 2006-08-31 | 2011-12-06 | Red Hat, Inc. | Methods and systems for verifying a location factor associated with a token |
US20080059790A1 (en) * | 2006-08-31 | 2008-03-06 | Steven William Parkinson | Methods, apparatus and systems for smartcard factory |
US8356342B2 (en) | 2006-08-31 | 2013-01-15 | Red Hat, Inc. | Method and system for issuing a kill sequence for a token |
US9762572B2 (en) | 2006-08-31 | 2017-09-12 | Red Hat, Inc. | Smartcard formation with authentication |
US9038154B2 (en) | 2006-08-31 | 2015-05-19 | Red Hat, Inc. | Token Registration |
US20080059793A1 (en) * | 2006-08-31 | 2008-03-06 | Lord Robert B | Methods and systems for phone home token registration |
US8977844B2 (en) | 2006-08-31 | 2015-03-10 | Red Hat, Inc. | Smartcard formation with authentication keys |
US20080069338A1 (en) * | 2006-08-31 | 2008-03-20 | Robert Relyea | Methods and systems for verifying a location factor associated with a token |
US20080133514A1 (en) * | 2006-12-04 | 2008-06-05 | Robert Relyea | Method and Apparatus for Organizing an Extensible Table for Storing Cryptographic Objects |
US8693690B2 (en) | 2006-12-04 | 2014-04-08 | Red Hat, Inc. | Organizing an extensible table for storing cryptographic objects |
US8813243B2 (en) * | 2007-02-02 | 2014-08-19 | Red Hat, Inc. | Reducing a size of a security-related data object stored on a token |
US20080189543A1 (en) * | 2007-02-02 | 2008-08-07 | Steven William Parkinson | Method and system for reducing a size of a security-related data object stored on a token |
US20080209225A1 (en) * | 2007-02-28 | 2008-08-28 | Robert Lord | Methods and systems for assigning roles on a token |
US20080209224A1 (en) * | 2007-02-28 | 2008-08-28 | Robert Lord | Method and system for token recycling |
US8832453B2 (en) * | 2007-02-28 | 2014-09-09 | Red Hat, Inc. | Token recycling |
US8639940B2 (en) * | 2007-02-28 | 2014-01-28 | Red Hat, Inc. | Methods and systems for assigning roles on a token |
US20080229401A1 (en) * | 2007-03-13 | 2008-09-18 | John Magne | Methods and systems for configurable smartcard |
US9081948B2 (en) | 2007-03-13 | 2015-07-14 | Red Hat, Inc. | Configurable smartcard |
US9401913B2 (en) * | 2007-09-28 | 2016-07-26 | Pulse Secure, Llc | Updating stored passwords |
US10075432B2 (en) | 2007-09-28 | 2018-09-11 | Pulse Secure, Llc | Updating stored passwords |
US20150195273A1 (en) * | 2007-09-28 | 2015-07-09 | Pulse Secure, Llc | Updating stored passwords |
US20090119215A1 (en) * | 2007-11-07 | 2009-05-07 | Microsoft Corporation | Secure e-payments |
US20090276837A1 (en) * | 2008-04-30 | 2009-11-05 | Microsoft Corporation | Credential equivalency and control |
US9183370B2 (en) | 2008-05-30 | 2015-11-10 | Google Technology Holdings LLC | System for authenticating a user to a portable electronic device using an authentication token transmitted to a smart card reader |
US20090300756A1 (en) * | 2008-05-30 | 2009-12-03 | Kashyap Merchant | System and Method for Authentication |
US8522326B2 (en) * | 2008-05-30 | 2013-08-27 | Motorola Mobility Llc | System and method for authenticating a smart card using an authentication token transmitted to a smart card reader |
US20100228906A1 (en) * | 2009-03-06 | 2010-09-09 | Arunprasad Ramiya Mothilal | Managing Data in a Non-Volatile Memory System |
US8745365B2 (en) | 2009-08-06 | 2014-06-03 | Imation Corp. | Method and system for secure booting a computer by booting a first operating system from a secure peripheral device and launching a second operating system stored a secure area in the secure peripheral device on the first operating system |
US20110035574A1 (en) * | 2009-08-06 | 2011-02-10 | David Jevans | Running a Computer from a Secure Portable Device |
US8683088B2 (en) | 2009-08-06 | 2014-03-25 | Imation Corp. | Peripheral device data integrity |
US8423783B2 (en) * | 2009-11-27 | 2013-04-16 | International Business Machines Corporation | Secure PIN management of a user trusted device |
CN102576398A (en) * | 2009-11-27 | 2012-07-11 | 国际商业机器公司 | Secure PIN management of a user trusted device |
US20110131639A1 (en) * | 2009-11-27 | 2011-06-02 | International Business Machines Corporation | Secure PIN Management of a User Trusted Device |
TWI553473B (en) * | 2010-04-30 | 2016-10-11 | 全球商業網股份有限公司 | Secure data storage and transfer for portable data storage devices |
US20110270762A1 (en) * | 2010-04-30 | 2011-11-03 | Gsimedia Corporation | Secure Data Transfer From a Vending Device to Portable Data Storage Devices |
US20110271119A1 (en) * | 2010-04-30 | 2011-11-03 | Gsimedia Corporation | Secure Data Storage and Transfer for Portable Data Storage Devices |
US20120084855A1 (en) * | 2010-10-01 | 2012-04-05 | Omnikey Gmbh | Secure pin reset process |
US8584222B2 (en) * | 2010-10-01 | 2013-11-12 | Hid Global Gmbh | Secure pin reset process |
US10263782B2 (en) * | 2011-10-12 | 2019-04-16 | Goldkey Corporation | Soft-token authentication system |
US20130097427A1 (en) * | 2011-10-12 | 2013-04-18 | Goldkey Security Corporation | Soft-Token Authentication System |
US11695749B2 (en) | 2012-08-10 | 2023-07-04 | Cryptography Research, Inc. | Secure feature and key management in integrated circuits |
US20140044265A1 (en) * | 2012-08-10 | 2014-02-13 | Cryptography Research, Inc. | Secure feature and key management in integrated circuits |
US10084771B2 (en) | 2012-08-10 | 2018-09-25 | Cryptography Research, Inc. | Secure feature and key management in integrated circuits |
US10666641B2 (en) | 2012-08-10 | 2020-05-26 | Cryptography Research, Inc. | Secure feature and key management in integrated circuits |
US10771448B2 (en) * | 2012-08-10 | 2020-09-08 | Cryptography Research, Inc. | Secure feature and key management in integrated circuits |
US10152530B1 (en) | 2013-07-24 | 2018-12-11 | Symantec Corporation | Determining a recommended control point for a file system |
US20150242595A1 (en) * | 2014-02-25 | 2015-08-27 | Hui Lin | Secure data storage and transfer for portable data storage devices |
US11876908B2 (en) | 2015-02-06 | 2024-01-16 | eStorm Co., LTD | Authentication method and system |
US10574463B2 (en) * | 2015-02-06 | 2020-02-25 | eStorm Co., LTD | Authentication method and system |
US9887978B2 (en) | 2015-06-23 | 2018-02-06 | Veritas Technologies Llc | System and method for centralized configuration and authentication |
US10757104B1 (en) | 2015-06-29 | 2020-08-25 | Veritas Technologies Llc | System and method for authentication in a computing system |
US20170054560A1 (en) * | 2015-08-23 | 2017-02-23 | Hui Lin | Secure data storage and transfer for portable data storage devices |
US11080434B2 (en) | 2017-04-13 | 2021-08-03 | At&T Intellectual Property I, L.P. | Protecting content on a display device from a field-of-view of a person or device |
US10599877B2 (en) * | 2017-04-13 | 2020-03-24 | At&T Intellectual Property I, L.P. | Protecting content on a display device from a field-of-view of a person or device |
US11844144B2 (en) * | 2017-10-27 | 2023-12-12 | Telefonaktiebolaget Lm Ericsson (Publ) | Customized PIN/PUK remote provisioning |
CN108696870A (en) * | 2018-04-26 | 2018-10-23 | 越亮传奇科技股份有限公司 | A kind of mobile terminal authentication method based on SWP-SIM technologies |
WO2021032682A1 (en) * | 2019-08-19 | 2021-02-25 | Thales Dis France Sa | A method for resetting a personal code of a user of a telecommunication terminal and corresponding applet and server |
EP3783938A1 (en) * | 2019-08-19 | 2021-02-24 | Thales Dis France SA | A method for resetting a personal code of a user of a telecommunication terminal and corresponding applet and server |
EP3975012A1 (en) * | 2020-09-29 | 2022-03-30 | Thales DIS France SA | Method for managing a pin code in a biometric smart card |
WO2022069313A1 (en) * | 2020-09-29 | 2022-04-07 | Thales Dis France Sa | Method for managing a pin code in a biometric smart card |
Also Published As
Publication number | Publication date |
---|---|
US8495381B2 (en) | 2013-07-23 |
US9560041B2 (en) | 2017-01-31 |
US20170214528A1 (en) | 2017-07-27 |
US9893892B2 (en) | 2018-02-13 |
US20080028229A1 (en) | 2008-01-31 |
US20160044027A1 (en) | 2016-02-11 |
US9118668B1 (en) | 2015-08-25 |
EP1429229A1 (en) | 2004-06-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9893892B2 (en) | | Authenticated remote pin unblock |
US10595201B2 (en) | | Secure short message service (SMS) communications |
EP1500226B1 (en) | | System and method for storage and retrieval of a cryptographic secret from a plurality of network enabled clients |
US9148420B2 (en) | | Single sign-on process |
US8904180B2 (en) | | Method and apparatus for cryptographic key storage wherein key servers are authenticated by possession and secure distribution of stored keys |
US7895437B2 (en) | | Augmented single factor split key asymmetric cryptography-key generation and distributor |
US8051297B2 (en) | | Method for binding a security element to a mobile device |
US20190238334A1 (en) | | Communication system, communication client, communication server, communication method, and program |
JP2011515961A (en) | | Authentication storage method and authentication storage system for client side certificate authentication information |
CN113472793B (en) | | Personal data protection system based on hardware password equipment |
CN112766962A (en) | | Method for receiving and sending certificate, transaction system, storage medium and electronic device |
US20220029819A1 (en) | | Ssl communication system, client, server, ssl communication method, and computer program |
CN112765626A (en) | | Authorization signature method, device and system based on escrow key and storage medium |
WO2008053279A1 (en) | | Logging on a user device to a server |
US8806216B2 (en) | | Implementation process for the use of cryptographic data of a user stored in a data base |
TW200803392A (en) | | Method, device, server arrangement, system and computer program products for securely storing data in a portable device |
US11451376B2 (en) | | Systems and methods for secure communication |
US11184339B2 (en) | | Method and system for secure communication |
CN116346497A (en) | | Mechanism for supporting audit of end-to-end encryption |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: ACTIVCARD, FRANCE Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:PRIEBATSCH, MARK;REEL/FRAME:013675/0272 Effective date: 20020111 |
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |