US20100100724A1 - System and method for increasing the security of encrypted secrets and authentication - Google Patents

System and method for increasing the security of encrypted secrets and authentication Download PDF

Info

Publication number
US20100100724A1
US20100100724A1 US09/802,485 US80248501A US2010100724A1 US 20100100724 A1 US20100100724 A1 US 20100100724A1 US 80248501 A US80248501 A US 80248501A US 2010100724 A1 US2010100724 A1 US 2010100724A1
Authority
US
United States
Prior art keywords
secret
client
server
encrypted
protocol
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US09/802,485
Other versions
US7716484B1 (en
Inventor
Burton S. Kaliski, Jr.
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
EMC Corp
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to US09/802,485 priority Critical patent/US7716484B1/en
Assigned to RSA SECURITY INC. reassignment RSA SECURITY INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: KALISKI, BURTON S., JR.
Assigned to RSA SECURITY HOLDING, INC. reassignment RSA SECURITY HOLDING, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: RSA SECURITY LLC
Assigned to EMC CORPORATION reassignment EMC CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: RSA SECURITY HOLDING, INC.
Assigned to RSA SECURITY LLC reassignment RSA SECURITY LLC MERGER (SEE DOCUMENT FOR DETAILS). Assignors: RSA SECURITY INC.
Assigned to EMC CORPORATION reassignment EMC CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: RSA SECURITY HOLDING, INC.
Assigned to RSA SECURITY HOLDING, INC. reassignment RSA SECURITY HOLDING, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: RSA SECURITY LLC
Publication of US20100100724A1 publication Critical patent/US20100100724A1/en
Publication of US7716484B1 publication Critical patent/US7716484B1/en
Application granted granted Critical
Assigned to THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT reassignment THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT SECURITY AGREEMENT Assignors: ASAP SOFTWARE EXPRESS, INC., AVENTAIL LLC, CREDANT TECHNOLOGIES, INC., DELL INTERNATIONAL L.L.C., DELL MARKETING L.P., DELL PRODUCTS L.P., DELL SOFTWARE INC., DELL SYSTEMS CORPORATION, DELL USA L.P., EMC CORPORATION, EMC IP Holding Company LLC, FORCE10 NETWORKS, INC., MAGINATICS LLC, MOZY, INC., SCALEIO LLC, SPANNING CLOUD APPS LLC, WYSE TECHNOLOGY L.L.C.
Assigned to CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT reassignment CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT SECURITY AGREEMENT Assignors: ASAP SOFTWARE EXPRESS, INC., AVENTAIL LLC, CREDANT TECHNOLOGIES, INC., DELL INTERNATIONAL L.L.C., DELL MARKETING L.P., DELL PRODUCTS L.P., DELL SOFTWARE INC., DELL SYSTEMS CORPORATION, DELL USA L.P., EMC CORPORATION, EMC IP Holding Company LLC, FORCE10 NETWORKS, INC., MAGINATICS LLC, MOZY, INC., SCALEIO LLC, SPANNING CLOUD APPS LLC, WYSE TECHNOLOGY L.L.C.
Assigned to EMC IP Holding Company LLC reassignment EMC IP Holding Company LLC ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: EMC CORPORATION
Assigned to THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A. reassignment THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A. SECURITY AGREEMENT Assignors: CREDANT TECHNOLOGIES, INC., DELL INTERNATIONAL L.L.C., DELL MARKETING L.P., DELL PRODUCTS L.P., DELL USA L.P., EMC CORPORATION, EMC IP Holding Company LLC, FORCE10 NETWORKS, INC., WYSE TECHNOLOGY L.L.C.
Assigned to THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A. reassignment THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A. SECURITY AGREEMENT Assignors: CREDANT TECHNOLOGIES INC., DELL INTERNATIONAL L.L.C., DELL MARKETING L.P., DELL PRODUCTS L.P., DELL USA L.P., EMC CORPORATION, EMC IP Holding Company LLC, FORCE10 NETWORKS, INC., WYSE TECHNOLOGY L.L.C.
Assigned to DELL SYSTEMS CORPORATION, DELL SOFTWARE INC., EMC CORPORATION, DELL PRODUCTS L.P., WYSE TECHNOLOGY L.L.C., FORCE10 NETWORKS, INC., EMC IP Holding Company LLC, AVENTAIL LLC, DELL INTERNATIONAL, L.L.C., ASAP SOFTWARE EXPRESS, INC., SCALEIO LLC, CREDANT TECHNOLOGIES, INC., DELL MARKETING L.P., MOZY, INC., MAGINATICS LLC, DELL USA L.P. reassignment DELL SYSTEMS CORPORATION RELEASE BY SECURED PARTY (SEE DOCUMENT FOR DETAILS). Assignors: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH
Assigned to DELL MARKETING CORPORATION (SUCCESSOR-IN-INTEREST TO FORCE10 NETWORKS, INC. AND WYSE TECHNOLOGY L.L.C.), DELL MARKETING CORPORATION (SUCCESSOR-IN-INTEREST TO ASAP SOFTWARE EXPRESS, INC.), DELL INTERNATIONAL L.L.C., DELL PRODUCTS L.P., EMC IP HOLDING COMPANY LLC (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO MOZY, INC.), SCALEIO LLC, DELL USA L.P., DELL MARKETING L.P. (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO CREDANT TECHNOLOGIES, INC.), EMC CORPORATION (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO MAGINATICS LLC) reassignment DELL MARKETING CORPORATION (SUCCESSOR-IN-INTEREST TO FORCE10 NETWORKS, INC. AND WYSE TECHNOLOGY L.L.C.) RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001) Assignors: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT
Assigned to DELL MARKETING CORPORATION (SUCCESSOR-IN-INTEREST TO ASAP SOFTWARE EXPRESS, INC.), EMC IP HOLDING COMPANY LLC (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO MOZY, INC.), DELL PRODUCTS L.P., EMC CORPORATION (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO MAGINATICS LLC), DELL INTERNATIONAL L.L.C., SCALEIO LLC, DELL USA L.P., DELL MARKETING L.P. (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO CREDANT TECHNOLOGIES, INC.), DELL MARKETING CORPORATION (SUCCESSOR-IN-INTEREST TO FORCE10 NETWORKS, INC. AND WYSE TECHNOLOGY L.L.C.) reassignment DELL MARKETING CORPORATION (SUCCESSOR-IN-INTEREST TO ASAP SOFTWARE EXPRESS, INC.) RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001) Assignors: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT
Adjusted expiration legal-status Critical
Expired - Lifetime legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/3013Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the discrete logarithm problem, e.g. ElGamal or Diffie-Hellman systems
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002Countermeasures against attacks on cryptographic mechanisms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3249Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/50Oblivious transfer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication

Definitions

  • This invention relates generally to the field of cryptographic protocols and, more particularly, to a system and method for increasing the security of secrets used to decrypt encrypted secrets and secrets used to authenticate users to a server.
  • FIG. 1 shows a prior art system 100 in which a user 3 stores secrets 5 on a remote server computer 10 , where the term secrets is used broadly to mean any data or information that the owner wishes to keep private.
  • the user 3 accesses the secrets 5 using a client computer 15 that is connected to the server computer 10 via a data or telecommunications network 20 , such as the Internet.
  • Storage of the secrets 5 on the server 10 allows the user 3 to access the secrets 5 from any client computer connected to the network 20 .
  • the secrets 5 are typically encrypted. Encrypting the secrets 5 , for example, by use of a key 24 , prevents someone who has access to the secrets 5 from learning the secrets 5 , for example, by compromise of the server or by observing the user's communications with the server 10 over the network 20 .
  • the encryption of the secrets 5 can be performed according to various known techniques including symmetric encryption in which the same decryption key 24 is used for both encryption and decryption, and/or asymmetric encryption, in which different keys are used for encryption and decryption respectively.
  • the “key space” As the number of possible values from which a key 24 might be chosen (the “key space”) is increased by changing the encryption implementation, it becomes increasingly more difficult for an attacker to try every possible decryption key 24 . At some point, the number of possible of keys is so great that an encrypted secret 5 cannot feasibly be decrypted by trying each possible key 24 . This is referred to as a strong encryption, because the large key space makes the encryption stronger. For example, a key that is chosen from the set of all known English words is much weaker than a key that is chosen from the set of all 1024-bit numbers.
  • An encryption and/or decryption key 24 that is selected from a large key space is typically cumbersome for a user 3 to employ, however, because long sequences of characters are difficult for humans to remember. Users 3 may be inclined to write down such sequences, thereby making the key available to an attacker. To ease the memory burden on users 3 , shorter decryption keys 24 are frequently used, with the disadvantage that it may be feasible for a party that has access to the encrypted secrets 5 to decrypt the encrypted secrets 5 by trying every possible key.
  • the invention in general, in one aspect, relates to a method for accessing encrypted data by a client.
  • the method includes receiving from the client by a server client information derived from a first secret wherein the client information is derived such that the server can not feasibly determine the first secret.
  • the method also includes providing to the client by the server intermediate data that is derived responsive to the received client information, a server secret, and possibly other information.
  • the intermediate data is derived such that the client cannot feasibly determine the server secret.
  • the method also includes authenticating the client by a device that stores encrypted secrets and is configured not to provide the encrypted secrets without authentication.
  • the method also includes, after the authenticating step, the step of providing the encrypted secrets to the client.
  • the encrypted secrets are capable of being decrypted using a third secret that is derived from the intermediate data.
  • the third secret is derived from the intermediate data by use of a key derivation function. In one embodiment, the third secret is the intermediate data. In one embodiment, the first secret includes one or more of a PIN, a password, and biometric information.
  • the intermediate data is derived from at least the first secret and the server secret by the use of a blind function evaluation protocol.
  • the blind function evaluation protocol involves the use of the RSA cryptosystem.
  • the security of the blind function evaluation protocol is based on the principles of discrete logarithms.
  • the blind function evaluation protocol involves the use of a one-way function that is calculated using a multiparty secure computation technique.
  • the authenticating step can include authenticating the client based on one or more of a PIN, a password, a token code, a time-dependent code, and biometric information, alone or in combination.
  • the authenticating step includes authenticating the client based on a secret other than the first secret.
  • the authenticating step includes using a secret derived from the intermediate data.
  • the device includes at least one of a file server, a directory server, a key server, a PDA, a mobile telephone, a smart card, and a desktop computer.
  • the device includes at least one secure data store, which requires authentication before allowing the client access to the data store.
  • the encrypted secrets include a private key of a public/private key pair used for asymmetric cryptography.
  • the private key is a signature key used-for creating a digital signature.
  • the authenticating step involves authenticating the client based on a secret other than the first secret, so that the user provides different information to access the device and to access the signature key.
  • the user authenticates to a computer using one authentication mechanism, and uses a password different than the authentication mechanism to digitally sign a document.
  • the password is used in a blind function evaluation protocol, the result of which is used to decrypt the signature key. This procedure can be used to satisfy digital signature requirements that a different password be used to digitally sign a document.
  • the encrypted secrets include a secret key used for symmetric cryptography.
  • the encrypted secrets include at least one unit of digital currency.
  • the encrypted secrets function as an electronic wallet, containing digital currency and/or other information, such as keys and identification numbers.
  • the encrypted secrets include one or more usernames and passwords that can be used to authenticate to one or more other servers. In this way the user can remotely access the collection of access codes, and use them to access other servers.
  • the method also includes the step of verifying that the client has not exceeded a predetermined number of unsuccessful attempts to obtain the intermediate data.
  • the verifying step also includes the steps of transmitting a challenge code to the client and receiving the result of a cryptographic operation using the challenge code as an input and using a cryptographic key derived from at least one of the encrypted secrets.
  • the verification comprises showing knowledge of some item of information contained in the encrypted secrets.
  • the invention in general, in another aspect, relates to a system for accessing encrypted data by a client.
  • the system includes a first server.
  • the first server includes a first server receiver for receiving from a client client information derived from a first secret.
  • the client information is derived such that the first server can not feasibly determine the first secret.
  • the system includes a server secret.
  • the system includes a first server output for providing to the client by the server intermediate data.
  • the intermediate data is derived from at least the received client information and a server secret.
  • the intermediate data is derived such that the client can not feasibly determine the server secret.
  • the system also includes a second device.
  • the second device includes a data store storing an encrypted secret.
  • the encrypted secret is capable of being decrypted using a third secret that is derived from the intermediate data.
  • the device includes an authentication subsystem for authenticating the client by the device.
  • the device includes a device output for providing to the client by the device
  • the third secret is derived from the intermediate data by use of a key derivation function.
  • the intermediate data is derived from at least the first secret and the server secret by use of a blind function evaluation protocol.
  • the intermediate data is derived from at least the first secret and the server secret and the security of the blind function evaluation protocol is based on the principles of the RSA cryptosystem, the problem of extracting roots modulo a composite.
  • the intermediate data is derived from at least the first secret and the server secret and the security of the blind function evaluation protocol is based on the principles of discrete logarithms.
  • the authentication subsystem authenticates the client based on a secret other than the first secret. In one embodiment, the authentication subsystem authenticates the client using a secret derived from the intermediate data.
  • the second device comprises at least one of a file server, a directory server, a key server, a PDA, a mobile telephone, a smart card, and a desktop computer.
  • the encrypted secret is one of a private key of a public/private key pair used for asymmetric cryptography, a signature key used for creating a digital signature, a secret key used for symmetric cryptography, and at least one unit of digital currency.
  • the first server also includes a verifier for verifying that the client has not exceeded a predetermined number of unsuccessful attempts to obtain the intermediate data.
  • the invention in general, in another aspect, relates to a method for generating a password for a user to use for authenticating to a server.
  • the method includes specifying a server secret, and receiving from a client a server identifier and client information derived from a first secret wherein the client information is derived such that the first server can not feasibly determine the first secret.
  • the method includes generating a password derived from at least the server identifier, the client information, and the server secret wherein the password is derived such that the client can not feasibly determine the server secret from knowledge of the first secret, the web server identifier, and the generated password.
  • the method also includes transmitting the generated password to the client. In another embodiment, the method also includes transmitting an attempt identifier to the client with the generated password. In another embodiment, the method also includes receiving from the server verification that the user has authenticated successfully to the server.
  • the invention in general, in another aspect, relates to a password for a user to use for accessing a web server.
  • the system includes a server secret and a receiver for receiving from a client a web server identifier and client information derived from a first secret wherein the client information is derived such that the first server can not feasibly determine the first secret.
  • the system also includes a password generator for generating a password derived from at least the web server identifier, the client information, and the server secret wherein the password is derived such that the client can not feasibly determine the server secret from knowledge of the first secret, the web server identifier, and the generated password.
  • FIG. 1 is block diagram of a prior art system 100 for accessing encrypted secrets
  • FIG. 2 is block diagram of a system 200 according to an embodiment of the invention for accessing encrypted secrets
  • FIG. 3 is block diagram of an embodiment of the system 200 that makes use of a blind function evaluation protocol
  • FIG. 4 is an event trace of an embodiment of a method that employs discrete logarithms in the blind function evaluation protocol
  • FIG. 5 is an event trace of an embodiment of a method that employs the RSA cryptosystem in the blind function evaluation protocol
  • FIG. 6 is a block diagram of an embodiment used to authenticate a user.
  • FIG. 7 is a block diagram showing the data flow in one embodiment of a system used to authenticate a user.
  • an embodiment of a system 200 allows a user 3 to conveniently and securely gain access to encrypted secrets 5 , where the term secrets is used broadly to mean any data or information that the owner wishes to keep private.
  • the encrypted secrets 5 are referred to in the plural, although there may be one or more secrets.
  • the one or more secrets may include any data or information, as examples without limitation, such secrets as a private key 8 of a public/private key pair as used in asymmetric cryptography and/or for providing a digital signature, a secret key used for symmetric cryptography, one or more units of digital currency, or some combination.
  • the security of the encrypted secrets 5 is increased by storing the encrypted secrets 5 in one device that requires authentication for access to the secrets (the second device 10 ′) and storing information used in the decryption process in another device (the first server 30 ).
  • the system 200 includes a client 15 that may interact with a user 3 .
  • the client can be implemented as any sort of device or machine capable of communicating with the second device 10 ′ and the first server 30 .
  • the client 15 may be one or more of a personal computer, a mobile telephone, a personal digital assistant (PDA), a network appliance, a smart card, a network terminal, and a workstation.
  • PDA personal digital assistant
  • the client 15 is in communication with a first server 30 and a second device 10 ′ over communications links, which may be the same, or different communications links for each of the first server 30 and the second device 10 ′.
  • the client 15 may be a PDA that communicates via a wireless and wired internet protocol network with the first server 30 , and via a direct serial connection to the second device 10 ′.
  • the client 15 may be a personal computer in an airport that communicates with both the first server 30 and the second device 10 ′ over a wired internet protocol network such as the Internet.
  • these examples of types of communications links are not intended to be limiting, and the invention may be used with any suitable wireless or wired communication links.
  • a user 3 provides a first secret 35 to the client 15 .
  • the first secret 35 can be something that is measured or something that the user enters, for example through a user interface 17 .
  • the first secret 35 might be (as examples not intended to be limiting) one or more of a short numerical code such as a PIN, an alphanumeric code such as a password, a token code, a time-based code such as that provided by a RSA SECURID security token manufactured by RSA Security Inc. of Bedford, Mass., biometric information, and data derived from one or more of these.
  • the client derives client information 38 from the first secret 35 that is used to harden (i.e., strengthen) the first secret 35 .
  • the derivation might be that the client 15 uses the first secret 35 directly as the client information 38 .
  • the derivation might be that the client uses the first secret 35 as part of a blind function evaluation protocol to generate the client information 38 .
  • the derivation can include use of one or more of a key derivation function, mask generation function, or another cryptographic function to derive the client information 38 from the first secret 35 .
  • the derivation may be for using the first secret 35 as part of a blind function evaluation protocol.
  • the first server 30 receives the client information 38 from the client.
  • the client information 38 is such that the first server 30 can not feasibly determine the first secret from the client information 38 , with feasibly being used here to mean not without an extraordinary amount of time and/or computational effort.
  • the first server 30 provides the client 15 with intermediate data 22 , which is used by the client 15 (directly or indirectly) to decrypt the encrypted secrets 5 .
  • the first server 30 may derive the intermediate data 22 from a combination of information 38 that the client 15 provides to the first server 30 and a server secret, that is stored on or available to the first server 30 .
  • the intermediate data 22 is preferably derived such that the client can not feasibly determine the server secret, meaning that an attacker posing as the client 15 , or observing the client's interactions with the first server 30 can not determine the server secret without an extraordinary amount of time and/or computational effort.
  • the first server 30 preferably is a server-class computer that is in communication with a network 20 , and that is capable of responding to many requests from clients 15 throughout the network 20 .
  • the first server 30 may be any type of computer or device.
  • the first server may be, as examples not intended to be limiting, a personal computer, a mobile telephone, a personal digital assistant (PDA), a network appliance, a smart card, a network terminal, or a workstation.
  • the client 15 and the first server 30 interact such that the client 15 is provided with intermediate data 22 that the client 15 can use as part of the process to decrypt the encrypted secrets 5 .
  • the client 15 may use the intermediate data 22 directly as a decryption key, for example, if the decryption key is communicated over a secure channel.
  • the client 15 may derive (possibly in combination with other information) from the intermediate data 22 some portion or all of one or more decryption keys that are used to decrypt the encrypted secrets 5 .
  • the client 15 and the first server 30 may participate in a blind function evaluation protocol, in which the client 15 has some secret information and the first server 30 has some secret information, and together the client 15 and the first server 30 provide their respective secrets as an input to a jointly calculated function, without either the client 15 or the first server 30 revealing their secrets to the other and with only the client 15 obtaining the output of the jointly calculated function.
  • a blind function evaluation protocol in which the client 15 has some secret information and the first server 30 has some secret information, and together the client 15 and the first server 30 provide their respective secrets as an input to a jointly calculated function, without either the client 15 or the first server 30 revealing their secrets to the other and with only the client 15 obtaining the output of the jointly calculated function.
  • the specifics of the particular blind function evaluation protocol, what the first server 30 does with the client information 38 , and what the client 15 does with the intermediate data 22 will vary depending upon the evaluated function and the blinded protocol selected.
  • the interaction between the client 15 and the first server 30 might include only a single data exchange or they might participate in more complicated protocols in which multiple data exchanges take place.
  • a simple blind function evaluation protocol there might be a single communication of client information 38 to the first server 30 , and a single response of the first server 30 back to the client 15 in which the intermediate data 22 is communicated.
  • portions of client information 38 are sent at different times to the first server 30 , and portions of intermediate data 22 are communicated to the client 15 at different times.
  • the use of a blind function evaluation protocol provides additional security benefits resulting from the fact that the first server 30 does not have the decryption key in an unblinded form. Even if the first server 30 is compromised, and a server secret obtained, it will still be necessary for an attacker to do more work to transform the server secret into the decryption key.
  • the first server 30 and client 15 engage in a blind function evaluation protocol that results in the first server 30 providing to the client 15 a blinded key as the intermediate data 22 .
  • the client 15 has information used to unblind the decryption key 24 , which is then used to decrypt the encrypted secrets 5 . Compromise of the first server 30 would still not directly reveal the decryption key 25 to an attacker.
  • a verification is used to prevent attempts to gain access to the intermediate data 22 by repeated guessing of the first secret 35 or client information 38 . Without such a verification, an attacker that compromises the second device 10 ′ and has access to the encrypted secrets 5 could determine the corresponding intermediate data 22 by sending the various possible values of the client information 38 to the first server 30 . By limiting the number of unsuccessful attempts allowed, the first server 30 prevents such an attack. For example, the verification can be made by demonstrating successful decryption of the encrypted secrets 5 . If the encrypted secrets 5 include an encryption key, the encryption key can be used to encrypt a challenge value provided by the first server 30 . If the encrypted secrets 5 include personal information of the user, such information can be provided to the first server 30 .
  • biometric information is used for the first secret 35 , through the use of “fuzzy commitment” techniques such as those described in PCT Patent Application Serial No. PCT/US00/03522 entitled “A Fuzzy Commitment Scheme.”
  • the transformation from initial biometric information to first secret 35 is accomplished with the use of codes that are akin to error correcting codes.
  • the resulting first secret 35 has at least PIN-level security due to the limited amount of uncertainty available in typical biometrics and the accommodation for measurement errors.
  • code information used to correct differences in biometric information is stored on a code server (not shown) connected to the network 20 .
  • the client 15 combines the code information with biometric data to generate the first secret 35 .
  • the code information is stored on the client 15 , the first server 30 , the second device 10 ′, or some combination.
  • the second device 10 ′ stores encrypted secrets 5 for the user 3 .
  • the second device 10 ′ can be implemented as any sort of device or machine capable of storing encrypted secrets and communicating the secrets upon authentication.
  • the second device 10 ′ can be one or more of a file server, a directory server, a key server, a personal computer, a mobile telephone, a personal digital assistant (PDA), a network appliance, a smart card, a network terminal, and a workstation.
  • the second device 10 ′ is implemented in the client 15 in a cryptographically secure section of memory or on a dedicated cryptographically secure chip.
  • the encrypted secrets 5 are stored in the second device 10 ′ such that a client 15 authenticates to the second device 10 ′ prior to the second device 10 ′ providing the encrypted secrets 5 to the client 15 .
  • the second device 10 ′ may be an already-existing file server or other authenticated data store.
  • the system and method of the invention can be used to provide additional security to secrets stored on such a data store.
  • the second device 10 ′ does not provide encrypted secrets 5 to the client 15 until the client 15 has authenticated to the second device 10 ′.
  • the authentication step can be based on information derived from the intermediate data 22 or the authentication can be based on independent authentication information, such as a PIN, a password, a token code, a time-based code, biometric information, or some combination.
  • the second device 10 ′ can be an already-existing, or standard, authenticating data store, for example, a directory server such as a file server accessed by MICROSOFT WINDOWS NT available from Microsoft Corporation of Redmond, Wash., clients, or a file system accessed by NIS clients, such as those available from Sun Microsystems of Mountain View, Calif.
  • the second device 10 ′ can also be a local device (implemented in hardware or software) on the user's 3 personal computer, or a portable memory device in communication with the client 15 by PCMCIA or serial connection. Because the encrypted secrets 5 can be stored in a conventional manner, the system of the current invention can be integrated with existing systems that provide authenticated access to encrypted secrets 5 to increase the security of the encryption.
  • a user has one mechanism for authenticating to a computer, and another for signing a document.
  • a computer stores an encrypted signature key and the user authenticates to that computer to obtain the encrypted signature key.
  • the user wishes to use the encrypted signature key to sign a document, the user provides a client (which may be the computer) with a password.
  • the client engages in a blind function evaluation protocol with a first server.
  • the result of the blind function evaluation protocol (or a key derived from the result) is used to decrypt the signature key, and the signature key is then used to digitally sign a document.
  • a second mechanism involving an independent server, is used to enable the digital signature of a document. Compromise of the computer does not enable an attacker to make use of the signature key.
  • a client 15 communicates with a first server 30 and a second device 10 ′′ as in FIG. 2 .
  • the second device 10 ′′ is a second server that is accessed over a communications network such as the Internet.
  • the communication between the client 15 and the first server 30 takes place over a computer network 20 such as the Internet
  • the communication between the client 15 and the second server 10 ′′ takes place over a computer network such as the Internet.
  • the system 300 is initialized 33 for use by the user 3 . This initialization may include operations performed on both the client 15 and first server 30 and some initial exchange of data.
  • the user 3 first uses the client 15 and the first server 30 to convert a first secret 35 into a decryption key 25 , which preferably is a stronger key than the first secret 35 .
  • the first secret 35 is a password, that is a sequence of symbols that can be conveniently remembered by the user 3 .
  • the first secret 35 might also be something else, or a combination of a password and something else.
  • the client 15 participates in a blind function evaluation protocol 40 with the first server 30 .
  • the blind function evaluation protocol 40 takes as input client information in the form of the client's secret input 45 , which may be the first secret 35 or information derived by the client 15 from the first secret 35 , and a server secret 50 to produce a hardened (i.e. stronger) secret 25 than the first secret 35 .
  • the hardened secret is stronger at least partially because it is chosen from a much larger key space and so it is more difficult to guess.
  • the blind function evaluation protocol is designed in such a way that the first secret 35 and the hardened secret 25 result are known to the client 15 but not the first server, and the first server secret 50 is known only to the first server 30 , yet both the client 15 and the server 30 participate in the protocol.
  • the function g is constructed such that the client 15 cannot determine the first server's secret 50 given the result 25 , yet the same inputs 45 , 50 consistently produce the same output 25 R.
  • the protocol is also designed such that a third party does not learn any of the three values b, w, and R.
  • blind function evaluation protocols have been developed that are based on different functions. These include, as examples not intended to be limiting, implementations based on discrete-logarithm cryptography and the RSA algorithm which is based on the problem of extracting roots modulo a composite.
  • Blind function evaluation is an instance of multi-party secure computation, introduced by A. Yao in “Protocols for Secure Computations,” IEEE FOCS (1982), pp. 160-164.
  • a function is computed in which the inputs are provided by two or more parties, and the output may be kept private from some parties as well. It has been shown that any polynomial-time-computable function g can be computed securely in polynomial time by representing the function as a logic circuit and evaluating it with what amounts to a gate-by-gate protocol (which tends to be complex).
  • the function g has a special form and the protocol is more efficient, but it is also possible to use another one-way function, for example a hash function, or an encryption function, and apply the general methods.
  • the function g(w, b) should be one-way with respect to b such that it is difficult to determine b, given a set of g(w, b) values for some inputs w. Otherwise, an attacker could participate in the protocol some number of times, each time providing different values of w, and then solve for b.
  • Yao's construction enables two parties, such as the server and the client in this implementation, to compute the output y of any polynomial-computable function g on any pair of secret inputs b and w in the domain of g in such a way that the evaluator learns y, and neither party learns any additional information.
  • parties such as the server and the client in this implementation, to compute the output y of any polynomial-computable function g on any pair of secret inputs b and w in the domain of g in such a way that the evaluator learns y, and neither party learns any additional information.
  • Other variants are also possible.
  • the Yao construction involves two phases.
  • the server decides on a polynomial-sized boolean circuit C.
  • Input to this circuit is a secret v, while the output is g(v, b).
  • the input b is built into the circuit.
  • Let v 1 , v 2 , . . . , v n represent the individual bits of v.
  • the circuit C is constructed in such a way that each bit v i is expressed as one of two random “tags”, y i 0 and y i 1 , the first assigning a ‘0’ bit to v i and the second assigning a ‘1’ bit to v i .
  • the server sends C (in an appropriate representation) to the user. Further details are available in the Yao paper.
  • 1-2 OT is a cryptographic primitive involving two players, a sender and a receiver.
  • the sender sends two values x 0 and x 1 to the receiver.
  • the receiver selects a bit c and receives x c .
  • the sender learns no information about c, while the receiver learns no information about x 1-c .
  • Yao proposed an RSA cryptosystem based 1-2 OT protocol in the paper referenced above, while Goldreich, Micali, and Wigderson extended the protocol to make use of any one-way permutation.
  • the client 15 uses the result 25 R of the blind function evaluation protocol as a decryption key 25 to decrypt the encrypted secrets 5 .
  • the client 15 derives from the result R 25 intermediary strong secrets 60 that can include the decryption key (and possibly other data).
  • the client 15 also authenticates 65 to a second server 10 ′′.
  • Typical authentication measures can include using something the user 3 knows, something the user 3 has, some measured characteristic of the user 3 , or some combination.
  • the authentication 65 thus can take place in various ways, including without limitation by transmission of a PIN, a password, a biometric measurement, a token code, a time-based code (such as, from a SECURID token manufactured by RSA Security Inc.), use of an encryption key, use of a hash-chain approach, such as S/KEY, or some combination. If the authentication to the second device 10 ′′ is successful, then the second device 10 ′′ provides the client 15 access to, or a copy of, the encrypted secrets 5 .
  • the client 15 verifies 55 the successful recovery of the encrypted secrets 5 to the first server 30 .
  • the verification step 55 could be implemented in various ways including using asymmetric cryptography, symmetric cryptography, or a proof of knowledge protocol.
  • An advantage of using asymmetric cryptography is that the initialization step 33 is more straight-forward.
  • Successful decryption of the encrypted secrets 5 implies that the user 3 provided the client 15 with the correct first secret 35 .
  • the first server 30 only allows a client 15 to engage in the blind function evaluation protocol 40 a limited number of times without demonstrating a successful verification 55 that the encrypted secrets 5 were successfully decrypted.
  • the purpose of the verification 55 is to ensure that an attacker could not determine the correct hardened secret 25 through exhaustive searching of the possible client 15 first secret values 35 .
  • the verification 55 can be implemented in various ways.
  • the encrypted secrets 5 include a private key 8 , which the client 15 uses to sign an identifier 70 .
  • the identifier 70 can be a nonce or other data selected by the first server 30 as representing to the first server 30 the particular instantiation of the recovery process.
  • the identifier 70 can thus serve as a challenge, to which the client 15 responds by showing knowledge of the private key 8 .
  • One benefit of the invention is that an attacker has to compromise both the first server 30 and the second device 10 ′′ to obtain a decrypted form of the encrypted secrets 5 .
  • an attacker's best attack on the secrets is on-line guessing of the user's password and other authentication factors, if any.
  • On-line guessing in this context means the attacker attempts to guess by participating in the protocol and providing guessed values to either the first server 30 or the second device 10 ′′.
  • on-line guessing can be severely limited by preventing the attacker from making more than a certain number of guesses, either by halting acceptance of guesses after more than a certain number have been made, or by increasing the delay time before the system responds to an on-line guess after a certain number have been made. In general, if such guess-prevention mechanisms are in place, limiting an attacker to on-line guessing is a sufficient level of security.
  • the user has a first PIN or password and the user has a token, such as a two-factor authentication token that produces a time-based token code in response to the current time, a token code, and a second PIN.
  • the first server 30 merely stores the intermediate data 22 , and transmits it to the client upon receipt of the first PIN or password.
  • the communication takes place over an encrypted communications channel to ensure the security of the first PIN or password and the intermediate data 22 .
  • the client uses the token code to authenticate to the device 10 ′ and accesses the encrypted secrets 5 .
  • the intermediate data 22 is used to decrypt the encrypted secrets 5 .
  • an attacker that has not compromised either the first server 30 or the device 10 ′ needs to perform both on-line password guessing and on-line token-code guessing. If the device 10 ′ is compromised (but not the first server 30 ), the attacker can either try off-line guessing of the decryption key of the encrypted secrets 5 (the success of which is highly improbable) or the attacker still needs to undertake on-line guessing of the first PIN or password. If the first server 30 is compromised (but not the device 10 ′), the attacker still has to undertake on-line token-code guessing. If both the first server 30 and the second device 10 ′′ are compromised, then the attacker has direct access to the encrypted secrets and to the intermediate data 22 and thus can immediately decrypt the encrypted secrets 35 .
  • another embodiment makes use of the blind function evaluation protocol and a two-factor token code.
  • the user has a first PIN or password (the first secret 35 ), and the user has a two-factor authentication token as in the previous example.
  • the client participates in the blind function evaluation protocol (also referred to as a password hardening protocol) with the first server.
  • the client provides the first secret 35 as input to the blind function evaluation protocol and obtains the strong secret R 25 .
  • the client then derives one intermediary strong secret value from the strong secret R.
  • the client uses the token to authenticate to the second device 10 ′′ to access the encrypted secrets 5 .
  • the intermediary strong secret T 2 is used to decrypt the encrypted secrets 5 .
  • an attacker that has not compromised either the first server 30 or the second device 10 ′′ needs to perform both on-line password guessing and on-line token-code guessing. If the second device 10 ′′ is compromised (but not the first server 30 ), the attacker can either try off-line guessing of the decryption key of the encrypted secrets 5 (the success of which is highly improbable) or the attacker still needs to undertake on-line guessing of the password. If the first server 30 is compromised (but not the second device 10 ′′), the attacker has to undertake on-line token-code guessing and on-line first secret 35 guessing, because the blinding prevents the attacker from knowing the strong secret R 25 . It is only if the both the first server 30 and the second device 10 ′′ are compromised that the attacker can undertake off-line password guessing (but cannot immediately decrypt the encrypted secrets 5 ).
  • the use of the blind function evaluation protocol provides benefits even to a system that uses a two-factor authentication token, because information is hidden from the first server 30 , which information the first server 30 cannot reveal even if the first server 30 is compromised.
  • the user's password still provides a degree of protection. This degree of protection can be increased by increasing the amount of time that an attacker (as well as the actual user) needs to spend to derive the intermediary strong secret value T 2 from the first secret 35 .
  • Increasing the amount of time can be accomplished by increasing the complexity of the derivation of the strong secret R (which in the embodiments described herein is already relatively complex) and by increasing the complexity of the derivation of the intermediary strong secret value T 2 from the strong secret R. If each derivation of T 2 from a guess of the first secret 35 is sufficiently time consuming, even off-line guessing can be made unlikely to succeed.
  • the user has only a single PIN or password.
  • the client participates in the blind function evaluation protocol with the first server and obtains the strong secret R 25 .
  • the client then derives two intermediary strong secret values T 1 and T 2 from the strong secret R.
  • One intermediary strong secret T 1 is used to authenticate with the second device 10 ′′ and the other intermediary strong secret T 2 is used to decrypt the encrypted secrets 5 .
  • an attacker that has not compromised either the first server 30 or the second device 10 ′′ can only perform on-line password guessing. If the second device 10 ′′ is compromised (but not the first server 30 ), the attacker can either try off-line guessing of the decryption key of the encrypted secrets 5 (the success of which is highly improbable) or the attacker still needs to undertake on-line guessing of the password. If the first server 30 is compromised (but not the second device 10 ′′), the attacker is still limited to on-line password guessing, because the blinding prevents the attacker from knowing the strong secret R 25 . It is only if the both the first server 30 and the second device 10 ′′ are compromised that the attacker can undertake off-line password guessing. Thus, this embodiment provides security against the compromise of a single server, using only a single (possibly weak) PIN or password.
  • an embodiment of the invention uses discrete logarithm cryptography in the blind function evaluation protocol 40 ′.
  • initialization is performed as in the initialization 33 of FIG. 3 .
  • the value of p is selected in this manner because it is useful to ensure that there is a large sub-group within the multiplicative group Z p * (where Z p * is the group of integers from 1 to (p ⁇ 1) under the operation of multiplication modulo p) for straight forward cryptographic computation with minimal leakage of secret information in protocols, however other arrangements are possible.
  • the first server 30 communicates 80 p to the client 15 .
  • the first server 30 also selects 85 a secret exponent b between 1 and q ⁇ 1 for each user 3 i that can store encrypted secrets 5 E T2 (K 1 , . . . , K n ) on the second device 10 ′.
  • the first server 30 also publishes a function ⁇ that maps weaker secrets 35 , such as passwords, to elements of the multiplicative group Z P *.
  • ⁇ (FS) might be defined as MGF(FS) mod (p) or MGF 2 (FS) mod (p) where MGF is a mask-generation function.
  • MGF is a mask-generation function.
  • MGF is a mask-generation function.
  • MGF is MGF 1 , described in PKCS #1: RSA Cryptography Specifications, Version 2.0 B.
  • mapping should be independent of other cryptographic operations performed and should map to sufficiently randomly distributed values mod p.
  • the function ⁇ might be different for different users or groups of users, so long as it is possible for the client to determine the appropriate function to use.
  • a final step in the initialization is that the first server 30 stores 90 a verification value v U .
  • the verification value v U is the user's 3 public key.
  • the verification value v U is one of the encrypted secret 5 K i known only to the user 3 and the first server 30 , or something derived from the encrypted secret 5 K i .
  • the user 3 can then use the first server 30 to access his or her encrypted secrets 5 .
  • the user 3 provides 95 his or her first secret 35 to the client 15 .
  • the client 15 then generates 100 a random exponent k that satisfies 1 ⁇ k ⁇ q ⁇ 1.
  • the exponentiation 105 by k serves to hide the value of ⁇ (FS) from the first server 30 and from parties observing communications between the client 15 and the first server 30 . In this way, even a party that compromises the first server 30 will not be able to determine the user's 3 underlying first secret 35 .
  • ⁇ (FS) it may not ensure that all values of r are equally likely.
  • ⁇ (FS) is an element in the multiplicative subgroup of Z p * of order q, and all values of r are equally likely.
  • ⁇ (FS) is an element in the multiplicative group Z p *, but not necessarily in the subgroup of order q.
  • the value ⁇ (FS) may either have order q or order 2q.
  • one bit of b may be leaked (specifically, whether it is even or odd) by an attacker who sends values not in the multiplicative group of order q, to determine whether they are mapped into the group or not when raised to the b power.
  • This attack can be overcome by raising to the 2b power, or choosing an even value of b.
  • the first server 30 initializes 120 the access attempt variable n U . If this is not the user's 3 first attempt, then the first server 30 increments 120 the access attempt variable n U .
  • the access attempt variable n U is used by the first server 30 as a mechanism to lock-out or throttle an attacker who is attempting to determine the hardened secret 25 by guessing the first secret 35 . In one embodiment, if the access attempt variable n U exceeds a predetermined number, then further attempts to harden the particular user's 3 first secret 35 are prohibited until either the first secret 35 is changed or a system administrator determines that the failed attempts do not represent a security threat.
  • the first server 30 increasingly delays its communication 125 of s and N (discussed below) as the access attempt variable n U increments. This throttling mechanism makes it impractical for an attacker to determine the hardened secret 25 by searching all possible values of the first secret 35 .
  • the first server 30 returns 125 s and a unique index, or nonce N, for this instantiation of the attempted recovery process.
  • the nonce N is derived from the access attempt variable n U such that the derived value is unique for each instantiation. In another embodiment, the nonce N is chosen at random.
  • KDF is a key derivation function.
  • the key derivation function allows the system 300 to produce multiple intermediary strong secrets 60 from the hardened secret 25 R.
  • the nature of the KDF is that knowledge of T 1 does not make it substantially easier to determine T 2 .
  • PBKDF 1 and PBKDF 2 Two example key derivation functions are PBKDF 1 and PBKDF 2 , described in PKCS #5 by RSA Laboratories, a part of RSA Security Inc., available at http://www.rsalabs.com/pkcs/pkcs-5/index.html.
  • the client 15 then authenticates 65 ′ the user 3 to a second device 10 ′ by transmitting 141 T 1 and downloads 142 the encrypted secrets 5 T 2 (K 1 , . . . , K n ) that have been encrypted with T 2 .
  • the client 15 recovers 145 the secrets K 1 , . . . , K n using T 2 .
  • the client 3 then uses K 1 to produce 150 verification data to verify 55 to the first server 30 that the current secret decryption attempt was successful.
  • K 1 is the user's 3 private key 8 and the client 15 uses this value to sign 150 the nonce N.
  • the first server 30 verifies the signature on the value N by applying 155 the user's 3 stored public key v U .
  • the first server 30 is assured that the client 15 successfully decrypted the secret value K 1 .
  • the access attempt is considered successful and the value of the access attempt variable n U is reset 160 . If the decryption was unsuccessful, the value of n U would remain unchanged to be incremented 120 by any subsequent attempts so that, as mentioned above, if an excessive number of unsuccessful attempts were made, hardening of the particular user's 3 first secret 35 would be prohibited or throttled.
  • the client 15 can be configured to store the encrypted secrets 5 only in active memory so that they will be lost whenever the client 15 is shut down.
  • the client 15 can be configured to purge the encrypted secrets 5 whenever a particular user 3 signs off the client 15 or after a fixed period of time.
  • the authentication protocol between the client 15 and the second device 10 ′ should not provide enough information for an eavesdropper to verify a guess of T 1 and T 2 by examining messages exchanged between the client 15 and the second device 10 ′. Otherwise, an attacker that compromises the first server 30 can verify guesses of the password by deriving R and T 1 and checking whether T 1 is correct. If the second device 10 ′ is physically local to or integrated with the client 15 , this protection may be inherent in the architecture. If the client 15 and the second device 10 ′ are separated by a computer network, however, one way to achieve this is to use a secure communication protocol, such as SSL, which encrypts and integrity-protects the data.
  • SSL secure communication protocol
  • the hardened secret 25 R should be obtained from the password in a manner such that the client can be assured that R has been computed by the first server 30 (and not an attacker) before the client 15 uses a key derived from R to authenticate to the device. Otherwise, an attacker that compromises the device may be able to manipulate the protocol to cause the client 15 to use a different key in a way that leaks information about the user's password. For instance, by manipulating the protocol so that the intermediate value s returned is the same as the value r provided by the client, the attacker can cause the hardened secret R to equal the value ⁇ (FS).
  • the keys T 1 and T 2 would then directly depend on the password.
  • T 1 is used to authenticate to the device in a typical challenge-response protocol, the attacker will be able to verify whether guesses of the password are correct. There is a similar attack if the encrypted secrets 5 are transmitted in the clear. Again, the use of a secure communication channel, such as SSL will provide the necessary security.
  • a “proof of correctness” can be used to so the client can determine whether the correct value of b has been applied.
  • a proof of correctness is stronger than an SSL session as it does not require the client to trust the server to perform the computation correctly, and so provides more than is necessary to meet the protocol's design goal, which is for the client to know that the server was involved.
  • An illustrative example of the embodiment shown in FIG. 4 is given by a cellular telephone that contains a dedicated cryptographic chip containing encrypted secrets 5 .
  • the cellular telephone is the client 15 and the cryptographic chip is the second device 10 ′.
  • the encrypted secrets 5 such as a private key 8 used for digital signatures
  • the decryption key 25 necessary to decrypt strongly encrypted secrets 5 can be difficult for users 3 to remember.
  • the cellular telephone can be configured to employ the embodiment shown in FIG. 4 in which a first secret 35 , such as a PIN, can be used to access strongly encrypted secrets 35 .
  • a user 3 would first enter 95 a numeric PIN as a first secret 35 into the cellular telephone key pad when he or she wanted to, for example, execute a digital signature.
  • the cellular telephone would then modify and blind 105 the PIN and transmit 110 it to a first server 35 .
  • the first server 35 would then apply 115 its secret b and transmit 125 the resulting value, as intermediate data 22 , back to the cellular telephone.
  • the cellular telephone would then unblind the intermediate data thereby generating 135 the hardened secret 25 R.
  • the cellular telephone Using the hardened secret 25 R, the cellular telephone would generate 140 two intermediary strong secrets T 1 and T 2 . Next, the cellular telephone would transmit 141 T 1 to the cryptographic chip for authentication 65 ′. Assuming that the authentication 65 ′ was successful, the cryptographic chip would then download 142 into the cellular telephone's active memory the encrypted secrets 5 . The cellular telephone would then use T 2 to decrypt 145 the encrypted secrets 5 . Using the private key 8 , or employing one of the alternative methods discussed above, the cellular telephone would then verify 55 to the first server 30 that it had successfully accessed the encrypted secrets 5 . With access to the private key 8 , the cellular telephone could then use the private key 8 to form a digital signature to, for example, execute a digital transaction.
  • the blind function evaluation protocol 40 ′′ is based on the RSA cryptosystem, which is based on the problem of extracting roots modulo a composite, and which is described in R. Rivest, A. Shamir, and L. Adleman, “A Method for Obtaining Digital Signatures and Public-key Cryptosystems,” Communications of the ACM, 21(2) pp. 120-126, February 1978 and “PKCS #1: RSA Cryptography Specifications,” Version 2.0, by B. Kaliski and J. Staddon, available at http://www.rsalabs.com/pkcs/pkcs-1/index.html.
  • the use of the RSA cryptosystem to perform blind signatures in the context of anonymous digital cash is described in D. Chaum, “Security Without Identification: Transaction Systems to Make Big Brother Obsolete,” Communications of the ACM, 28 (1985), 1030-1044.
  • the authentication 65 ′′ operation employs a time-based token code.
  • the system includes a client 15 that receives a first secret 35 from a user 3 , a first server 30 , and a second device 10 ′.
  • the first server 30 As part of initialization , the first server 30 generates 170 a product n that is the product of two primes, p i and q i for each user 3 i.
  • the values p i and q i are large prime numbers, for example numbers larger than 512 bits in length, and n is the RSA modulus.
  • the first server 30 also selects 175 a value e i that is a small integer that is relatively prime to LCM(p i ⁇ 1, q i ⁇ 1), where LCM stands for Least Common Multiple.
  • the value of e i is the public exponent in the RSA cryptosystem.
  • the public exponent e i is chosen to be relatively prime to LCM(p i ⁇ 1, q i ⁇ 1) so that it is assured that a multiplicative inverse b exists.
  • the value b is the server secret input, which is either computed 180 by the first server or, in an alternative embodiment, stored on the first server 30 after being generated elsewhere, during initialization 33 ( FIG. 3 ).
  • An additional step in the initialization of the client 15 and the first server 30 is that both store 185 , 185 ′ a secret seed SS that is used as part of the authentication 65 ′′ process.
  • a further initialization step is that the first server 30 stores 188 a copy of the public exponent e i and the modulus n i or publishes them so that they can be provided to the client, and initializes 189 the access attempt variable n U .
  • a i is relatively prime to n so that an inverse of a i ei is guaranteed to exist.
  • a i e i is a random element of Z n *, regardless of f(w).
  • ⁇ (w) is in Z n *, so that it does not contain a factor in common with n, the M i will be a random element of Z n *, so all values of M i are equally likely.
  • a i As all values of a i are equally likely, multiplication by the value a i serves to blind the value of w mod n with respect to the first server 30 and with respect to someone observing communications between the client 15 and the first server 30 .
  • the value M i is transmitted 205 to the first server 30 by the client 15 .
  • this operation reverses the exponentiation by e i because e i and b are the multiplicative inverses of each other.
  • the value of w b mod n is blinded from observers (including the first server 30 ) by the multiplication by the random value of a i .
  • the nonce N is returned is returned by the first server 30 to the client 15 to identify this instantiation of the encrypted secrets 5 recovery attempt for verification purposes.
  • the final stage in the blind function evaluation protocol 40 ′′ first involves the client 15 removing the blinding associated with the random value a i .
  • the client 15 achieves this by multiplying 220 c mod n by a i ⁇ 1 mod n.
  • An advantage of the RSA cryptosystem-based blind function evaluation protocol 40 ′′ is that it only involves one short exponentiation, one multiplication, and one modular inversion per user 3 .
  • the modulus may be the same for each user 3 i provided that the exponents e i are different, so that protocol runs are associated with a particular user 3 i and throttling of other account-specific countermeasures can be enabled. If the exponent e i varies for each user 3 i, the set of possible exponents should be pairwise relatively prime to LCM(p ⁇ 1, q ⁇ 1).
  • the security of the RSA cryptosystem-based blind function evaluation protocol 40 ′′ depends on the modulus n and the exponent e forming a valid RSA public exponent such that n is a product of two large primes, and e is relatively prime to ⁇ (n). If n is not a product of two large primes, it may be possible for an attacker to determine the value R from ⁇ (w), and if e is not relatively prime to ⁇ (n), then information about ⁇ (w) may be leaked from the client information a e ⁇ (w).
  • the server provides the n and e values to the client in a certificate, where the certificate associates the n and e values with the particular user.
  • the certificate authority can assure that the n and e values are valid before issuing the certificate. To do this the certificate authority may, for example, use the methods and apparatus described in co-pending U.S. Ser. No. 09/188,963, entitled “Methods and Apparatus for Verifying the Cryptographic Security of a Selected Private and Public Key Pair Without Knowing the Private Key,” by Liskov et al., incorporated herein by reference.
  • proper selection of e may be more critical than selection of n. If a compromised first server selects n such that it does not have prime factors, that will help an attacker who compromises the device. But a improper selection of e will make it possible for someone else (who has not compromised the device 10 ′), to attack the system.
  • the authentication step 65 can be implemented in various ways.
  • the authentication 65 ′′ shows the details of using a time-based token code.
  • the client 15 generates 230 a dynamic password L as a function of a secret seed SS and the current time CT (and optionally a user PIN PP) and sends 235 the dynamic password L to the second device 10 ′.
  • the second device 10 ′ regenerates 240 a version L′ of the dynamic password L from its copy of the secret seed SS, the current time CT (and the user PIN PP, if appropriate).
  • the second device 10 ′ compares 245 the dynamic password L it received from the client to the one L′ that it generated.
  • the second device 10 ′ can be configured to recalculate the regenerated dynamic password L′ utilizing times nearby to its current time CT to synchronize its clock with the client's 15 clock.
  • the second device 10 ′ does not directly verify the dynamic password L but instead employs a third server to generate and verify the client's 15 dynamic password L.
  • the generation of the dynamic password L by the user is implemented as a physical token, such as a RSA SECURID token.
  • the physical token is combined with a PIN to provide additional security through a two-factor authentication process. The use of the token is just one way that authentication could be implemented.
  • biometric information is used for the authentication step 65 ′′.
  • the use of biometric derived information for authentication 65 ′′ could be similar to the use of biometric derived information for the first secret 35 .
  • the initial biometric information such as a fingerprint or iris scan, is here converted into-authentication data.
  • the error correction codes are stored on error correction servers connected to the network 20 and can be signed by an independent server to ensure integrity.
  • the client 15 obtains the error correcting information and verifies its integrity.
  • the client 15 then combines the information with the initial biometric information to generate the authentication data that is used to authenticate 65 ′′ to the second device 10 ′.
  • the error correction codes are stored in other locations including on the client 15 , on the first server 30 , or the second device 10 ′.
  • biometric-derived information for authentication 65 ′′ no error correction codes are utilized.
  • the authentication 65 ′′ process tolerates a range of biometric values.
  • the client 15 transmits the biometric derived information to the second device 10 ′, and if this information falls within the range that the second device 10 ′ is configured to accept, then the second device 10 ′ will consider that the client 15 has successfully been authenticated 65 ′′.
  • the second device 10 ′ provides 250 to the client 15 the encrypted secrets 5 .
  • the client 15 uses the intermediary strong secret T 3 .
  • the client 15 verifies 55 this to the first server 30 as before. That is, the client 15 signs 260 the nonce N with the user's 3 private key 8 and transmits 265 this valve to the first server 30 .
  • the client 15 has access to the user's private key 8 because, as before, the user's private key 8 was one of the encrypted secrets 5 .
  • the first server 30 checks 270 the signature using the user's 3 public key Pub u and verifies 275 that the nonce N representing this instantiation of the access attempt is correct. Assuming the nonce N is verified, the value of the access attempt variable n u is reset 280 for further access attempts.
  • a user 603 uses commercially available web browser software running on a personal computer 615 (the client in this embodiment), to access a web server 610 over a computer network such as the Internet.
  • a web server 610 provides certain personal information, such as the user's name and address, and possibly other information, such as personal preferences, demographic information, financial information (credit card or bank account numbers), and so on, to the web server 610 .
  • This personal information is useful for the interaction of the user 603 with the web server 610 using the client 615 , and the user 603 would typically prefer not to provide the same information to the web server 610 each time the user interacts with the web server 610 .
  • the personal information could be stored on the client 615 , but this may not be practical, for example because the user would like to access the web server 610 from more than one location, or for example because the client 615 is not used by the user 603 exclusively.
  • the user's personal information can be stored as encrypted secrets 605 .
  • a user-provided password or other weak secret
  • the password is likely to be a weak key, and so it will likely afford less than optimal protection to the encrypted secrets.
  • the encrypted secrets are stored such that they can be decrypted with a hardened password.
  • a user's password is used as the input to a blind function evaluation protocol in which either the client or the web server participates with a hardening server 630 .
  • the result of the blind function evaluation protocol is used as or to derive a decryption key for the encrypted secrets.
  • the user communicates 651 with the web server 610 , and the web server 610 directs the browser to communicate 652 with the hardening server 630 .
  • the web browser does not have the appropriate code to engage in the blind function evaluation protocol, either the web server 610 or the hardening server 630 can provide the browser with the necessary code, for example in the form of a Java applet, or in the form of a browser plug-in, or in the form of executable code for the computer.
  • the client 615 and the hardening server 630 engage in a blind function evaluation protocol, with the result that the client derives a hardened password.
  • the hardened password is communicated to the web server, which then decrypts the user's personal information, and so can make the personal information available to the user as part of the user's interaction with the web server 610 .
  • the web server deletes the unencrypted secrets, keeping only the encrypted secrets in its data store. If the data store of the web server 610 is compromised, the attacker has access only to the encrypted secrets, and cannot directly access to the user's personal information.
  • the blind function evaluation protocol takes as input a web server 610 identifier, in addition to the client information and the first server secret.
  • the web server identifier might be, for example, some portion of the URL or network address of the web server, or the web server identifier could be another identifier assigned to one or more web servers.
  • the web server 610 identifier is used in the blind function evaluation protocol, for example as an input to the blind function, and/or as an input to the key derivation function that derives the decryption key from the result of the blind function.
  • the web server 610 communicates the verification information to the hardening server 630 .
  • the web server 610 decrypts the encrypted secrets, it uses some information in the encrypted secrets to prove to the hardening server that successful decryption has occurred.
  • the client communicates to the web server 610 , along with the decryption key, the nonce or other verification information provided by the hardening server.
  • the client 615 provides the client information (derived from the user's password and/or other secret data) directly to the web server 610 , and the web server 610 engages 652 in the blind function evaluation protocol with the hardening server. The web server 610 then derives the decryption key from the hardened password (which may be the hardened password) to decrypt the encrypted secrets. In this way, the client 615 has to do less work, but the web server is able to store data that is only vulnerable to compromise when the user is communicating with the web server 610 .
  • the client 715 uses the password hardening server 730 to generate a hardened password that is used to authenticate the client 715 to the web server 710 .
  • the client 715 receives a web server identifier WSID 771 .
  • the web server identifier might be, for example, some portion of the URL or network address of the web server, or the web server identifier could be another identifier assigned to one or more web servers.
  • the client could derive the WSID from such other information, store a list of WSID's locally, or request the WSID from a server on the network (such as the authentication server 730 ).
  • the client provides 772 the client information (which is derived from the user's secret) to the authentication server 730 as part of the client's participation in a blind function evaluation protocol.
  • the client may also provide the web server identifier WSID, and the client may also provide a user identifier to the authentication server 730 as part of the blind function evaluation protocol.
  • the WSID can be used in the blind function evaluation protocol, for example as an additional input to the blind function, to select a server secret to use in the blind function evaluation protocol. This may be in addition to or instead of the use of the WSID as an input to the key derivation function that derives the decryption key from the result R of the blind function.
  • the user identifier may be used to selected the appropriate server secret, or for other purposes.
  • the authentication server 730 returns the blinded result R to the client 715 , along with a nonce or other session identifier 772 .
  • the client generates a hardened password for use in authenticating to the web site based on the result R of the blind function evaluation protocol and possibly the other information (i.e. user identifier, web site identifier).
  • the web server identifier WSID as an input to the key derivation function (and/or as an input to the blind function evaluation protocol), the user need only have one password, yet the client can generate different passwords for authentication to different web servers.
  • the client communicates 774 the hardened password and the nonce to the web server 710 .
  • the web server 710 sends 775 a message to the authentication server 730 , indicating whether or not the authentication attempt associated with the nonce was successful. If the authentication was successful, the hardening server resets the attempt counter, if it was not successful, the account variable is increased.
  • the message is communicated such that the web server 710 cannot be impersonated.
  • the communication can include the digital signature of the web server on the nonce.

Abstract

In general, in one aspect, the invention relates to a method for accessing encrypted data by a client. The method includes receiving from the client by a server client information derived from a first secret wherein the client information is derived such that the server can not feasibly determine the first secret The method also includes providing to the client by the server intermediate data, which is derived responsive to the received client information, a server secret, and possibly other information. The intermediate data is derived such that the client cannot feasibly determine the server secret. The method also includes authenticating the client by a device that stores encrypted secrets and is configured not to provide the encrypted secrets without authentication. After the authenticating step, the method also includes providing the encrypted secrets to the client. The encrypted secrets 5 are capable of being decrypted using a third secret that is derived from the intermediate data.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • This application claims the benefit of U.S. Provisional Patent Application Ser. No. 60/188,834, “Server-Assisted Regeneration of a Strong Secret from a Weak Secret,” by Warwick Ford and Burt Kaliski, filed Mar. 10, 2000; which is incorporated herein by reference.
    • TECHNICAL FIELD
  • This invention relates generally to the field of cryptographic protocols and, more particularly, to a system and method for increasing the security of secrets used to decrypt encrypted secrets and secrets used to authenticate users to a server.
    • BACKGROUND
  • FIG. 1 shows a prior art system 100 in which a user 3 stores secrets 5 on a remote server computer 10, where the term secrets is used broadly to mean any data or information that the owner wishes to keep private. The user 3 accesses the secrets 5 using a client computer 15 that is connected to the server computer 10 via a data or telecommunications network 20, such as the Internet. Storage of the secrets 5 on the server 10 allows the user 3 to access the secrets 5 from any client computer connected to the network 20.
  • To help prevent the secrets 5 from being obtained by others, the secrets 5 are typically encrypted. Encrypting the secrets 5, for example, by use of a key 24, prevents someone who has access to the secrets 5 from learning the secrets 5, for example, by compromise of the server or by observing the user's communications with the server 10 over the network 20. The encryption of the secrets 5 can be performed according to various known techniques including symmetric encryption in which the same decryption key 24 is used for both encryption and decryption, and/or asymmetric encryption, in which different keys are used for encryption and decryption respectively.
  • As the number of possible values from which a key 24 might be chosen (the “key space”) is increased by changing the encryption implementation, it becomes increasingly more difficult for an attacker to try every possible decryption key 24. At some point, the number of possible of keys is so great that an encrypted secret 5 cannot feasibly be decrypted by trying each possible key 24. This is referred to as a strong encryption, because the large key space makes the encryption stronger. For example, a key that is chosen from the set of all known English words is much weaker than a key that is chosen from the set of all 1024-bit numbers. An encryption and/or decryption key 24 that is selected from a large key space is typically cumbersome for a user 3 to employ, however, because long sequences of characters are difficult for humans to remember. Users 3 may be inclined to write down such sequences, thereby making the key available to an attacker. To ease the memory burden on users 3, shorter decryption keys 24 are frequently used, with the disadvantage that it may be feasible for a party that has access to the encrypted secrets 5 to decrypt the encrypted secrets 5 by trying every possible key.
    • SUMMARY
  • There exists a need, therefore, for a convenient and secure means for a user to access data that has been encrypted using strong secrets, and also to authenticate to servers using strong secrets.
  • In general, in one aspect, the invention relates to a method for accessing encrypted data by a client. The method includes receiving from the client by a server client information derived from a first secret wherein the client information is derived such that the server can not feasibly determine the first secret. The method also includes providing to the client by the server intermediate data that is derived responsive to the received client information, a server secret, and possibly other information. The intermediate data is derived such that the client cannot feasibly determine the server secret. The method also includes authenticating the client by a device that stores encrypted secrets and is configured not to provide the encrypted secrets without authentication. The method also includes, after the authenticating step, the step of providing the encrypted secrets to the client. The encrypted secrets are capable of being decrypted using a third secret that is derived from the intermediate data.
  • In one embodiment, the third secret is derived from the intermediate data by use of a key derivation function. In one embodiment, the third secret is the intermediate data. In one embodiment, the first secret includes one or more of a PIN, a password, and biometric information.
  • In another embodiment, the intermediate data is derived from at least the first secret and the server secret by the use of a blind function evaluation protocol. In one variation of this embodiment, the blind function evaluation protocol involves the use of the RSA cryptosystem. In another variation of this embodiment, the security of the blind function evaluation protocol is based on the principles of discrete logarithms. In another embodiment, the blind function evaluation protocol involves the use of a one-way function that is calculated using a multiparty secure computation technique.
  • In various embodiments, the authenticating step can include authenticating the client based on one or more of a PIN, a password, a token code, a time-dependent code, and biometric information, alone or in combination. In one embodiment, the authenticating step includes authenticating the client based on a secret other than the first secret. In another embodiment, the authenticating step includes using a secret derived from the intermediate data.
  • In another embodiment, the device includes at least one of a file server, a directory server, a key server, a PDA, a mobile telephone, a smart card, and a desktop computer. In one such embodiment, the device includes at least one secure data store, which requires authentication before allowing the client access to the data store.
  • In another embodiment, the encrypted secrets include a private key of a public/private key pair used for asymmetric cryptography. In one such embodiment, the private key is a signature key used-for creating a digital signature. In one such embodiment, the authenticating step involves authenticating the client based on a secret other than the first secret, so that the user provides different information to access the device and to access the signature key. In such an embodiment, the user authenticates to a computer using one authentication mechanism, and uses a password different than the authentication mechanism to digitally sign a document. The password is used in a blind function evaluation protocol, the result of which is used to decrypt the signature key. This procedure can be used to satisfy digital signature requirements that a different password be used to digitally sign a document.
  • In still another embodiment, the encrypted secrets include a secret key used for symmetric cryptography. In another additional embodiment, the encrypted secrets include at least one unit of digital currency. In one such embodiment, the encrypted secrets function as an electronic wallet, containing digital currency and/or other information, such as keys and identification numbers. In still another embodiment, the encrypted secrets include one or more usernames and passwords that can be used to authenticate to one or more other servers. In this way the user can remotely access the collection of access codes, and use them to access other servers.
  • In another embodiment, the method also includes the step of verifying that the client has not exceeded a predetermined number of unsuccessful attempts to obtain the intermediate data. In one variation of this embodiment, the verifying step also includes the steps of transmitting a challenge code to the client and receiving the result of a cryptographic operation using the challenge code as an input and using a cryptographic key derived from at least one of the encrypted secrets. In another embodiment, the verification comprises showing knowledge of some item of information contained in the encrypted secrets.
  • In general, in another aspect, the invention relates to a system for accessing encrypted data by a client. The system includes a first server. The first server includes a first server receiver for receiving from a client client information derived from a first secret. The client information is derived such that the first server can not feasibly determine the first secret. The system includes a server secret. The system includes a first server output for providing to the client by the server intermediate data. The intermediate data is derived from at least the received client information and a server secret. The intermediate data is derived such that the client can not feasibly determine the server secret. The system also includes a second device. The second device includes a data store storing an encrypted secret. The encrypted secret is capable of being decrypted using a third secret that is derived from the intermediate data. The device includes an authentication subsystem for authenticating the client by the device. The device includes a device output for providing to the client by the device the encrypted secrets upon authentication.
  • In one embodiment, the third secret is derived from the intermediate data by use of a key derivation function. In another embodiment, the intermediate data is derived from at least the first secret and the server secret by use of a blind function evaluation protocol. In another embodiment, the intermediate data is derived from at least the first secret and the server secret and the security of the blind function evaluation protocol is based on the principles of the RSA cryptosystem, the problem of extracting roots modulo a composite. In another embodiment, the intermediate data is derived from at least the first secret and the server secret and the security of the blind function evaluation protocol is based on the principles of discrete logarithms.
  • In one embodiment, the authentication subsystem authenticates the client based on a secret other than the first secret. In one embodiment, the authentication subsystem authenticates the client using a secret derived from the intermediate data. In one embodiment, the second device comprises at least one of a file server, a directory server, a key server, a PDA, a mobile telephone, a smart card, and a desktop computer. In one embodiment, the encrypted secret is one of a private key of a public/private key pair used for asymmetric cryptography, a signature key used for creating a digital signature, a secret key used for symmetric cryptography, and at least one unit of digital currency. In one embodiment, the first server also includes a verifier for verifying that the client has not exceeded a predetermined number of unsuccessful attempts to obtain the intermediate data.
  • In general, in another aspect, the invention relates to a method for generating a password for a user to use for authenticating to a server. The method includes specifying a server secret, and receiving from a client a server identifier and client information derived from a first secret wherein the client information is derived such that the first server can not feasibly determine the first secret. The method includes generating a password derived from at least the server identifier, the client information, and the server secret wherein the password is derived such that the client can not feasibly determine the server secret from knowledge of the first secret, the web server identifier, and the generated password.
  • In one embodiment, the method also includes transmitting the generated password to the client. In another embodiment, the method also includes transmitting an attempt identifier to the client with the generated password. In another embodiment, the method also includes receiving from the server verification that the user has authenticated successfully to the server.
  • In general, in another aspect, the invention relates to a password for a user to use for accessing a web server. The system includes a server secret and a receiver for receiving from a client a web server identifier and client information derived from a first secret wherein the client information is derived such that the first server can not feasibly determine the first secret. The system also includes a password generator for generating a password derived from at least the web server identifier, the client information, and the server secret wherein the password is derived such that the client can not feasibly determine the server secret from knowledge of the first secret, the web server identifier, and the generated password.
  • The foregoing and other objects, aspects, features, and advantages of the invention will become more apparent from the following description and from the claims.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • In the drawings, like reference characters generally refer to the same parts throughout the different views. Also, the drawings are not necessarily to scale, emphasis instead generally being placed upon illustrating the principles of the invention.
  • FIG. 1 is block diagram of a prior art system 100 for accessing encrypted secrets;
  • FIG. 2 is block diagram of a system 200 according to an embodiment of the invention for accessing encrypted secrets;
  • FIG. 3 is block diagram of an embodiment of the system 200 that makes use of a blind function evaluation protocol;
  • FIG. 4 is an event trace of an embodiment of a method that employs discrete logarithms in the blind function evaluation protocol;
  • FIG. 5 is an event trace of an embodiment of a method that employs the RSA cryptosystem in the blind function evaluation protocol;
  • FIG. 6 is a block diagram of an embodiment used to authenticate a user; and
  • FIG. 7 is a block diagram showing the data flow in one embodiment of a system used to authenticate a user.
    •  DETAILED DESCRIPTION
  • Referring to FIG. 2, an embodiment of a system 200 according to the invention allows a user 3 to conveniently and securely gain access to encrypted secrets 5, where the term secrets is used broadly to mean any data or information that the owner wishes to keep private. Here, for convenience, the encrypted secrets 5 are referred to in the plural, although there may be one or more secrets. The one or more secrets may include any data or information, as examples without limitation, such secrets as a private key 8 of a public/private key pair as used in asymmetric cryptography and/or for providing a digital signature, a secret key used for symmetric cryptography, one or more units of digital currency, or some combination. In this embodiment of the invention, the security of the encrypted secrets 5 is increased by storing the encrypted secrets 5 in one device that requires authentication for access to the secrets (the second device 10′) and storing information used in the decryption process in another device (the first server 30).
  • The system 200 includes a client 15 that may interact with a user 3. The client can be implemented as any sort of device or machine capable of communicating with the second device 10′ and the first server 30. As examples of implementations of clients 15 not intended to be limiting, the client 15 may be one or more of a personal computer, a mobile telephone, a personal digital assistant (PDA), a network appliance, a smart card, a network terminal, and a workstation.
  • The client 15 is in communication with a first server 30 and a second device 10′ over communications links, which may be the same, or different communications links for each of the first server 30 and the second device 10′. For example, the client 15 may be a PDA that communicates via a wireless and wired internet protocol network with the first server 30, and via a direct serial connection to the second device 10′. As another example, the client 15 may be a personal computer in an airport that communicates with both the first server 30 and the second device 10′ over a wired internet protocol network such as the Internet. Again, these examples of types of communications links are not intended to be limiting, and the invention may be used with any suitable wireless or wired communication links.
  • In an embodiment of the invention, a user 3 provides a first secret 35 to the client 15. The first secret 35 can be something that is measured or something that the user enters, for example through a user interface 17. Typically, the first secret 35 might be (as examples not intended to be limiting) one or more of a short numerical code such as a PIN, an alphanumeric code such as a password, a token code, a time-based code such as that provided by a RSA SECURID security token manufactured by RSA Security Inc. of Bedford, Mass., biometric information, and data derived from one or more of these.
  • The client derives client information 38 from the first secret 35 that is used to harden (i.e., strengthen) the first secret 35. The derivation might be that the client 15 uses the first secret 35 directly as the client information 38. The derivation might be that the client uses the first secret 35 as part of a blind function evaluation protocol to generate the client information 38. The derivation can include use of one or more of a key derivation function, mask generation function, or another cryptographic function to derive the client information 38 from the first secret 35. As described further below, the derivation may be for using the first secret 35 as part of a blind function evaluation protocol.
  • The first server 30 receives the client information 38 from the client. Preferably, the client information 38 is such that the first server 30 can not feasibly determine the first secret from the client information 38, with feasibly being used here to mean not without an extraordinary amount of time and/or computational effort. In response to the client information 38, the first server 30 provides the client 15 with intermediate data 22, which is used by the client 15 (directly or indirectly) to decrypt the encrypted secrets 5.
  • The first server 30 may derive the intermediate data 22 from a combination of information 38 that the client 15 provides to the first server 30 and a server secret, that is stored on or available to the first server 30. The intermediate data 22 is preferably derived such that the client can not feasibly determine the server secret, meaning that an attacker posing as the client 15, or observing the client's interactions with the first server 30 can not determine the server secret without an extraordinary amount of time and/or computational effort.
  • The first server 30 preferably is a server-class computer that is in communication with a network 20, and that is capable of responding to many requests from clients 15 throughout the network 20. In other embodiments, the first server 30 may be any type of computer or device. The first server may be, as examples not intended to be limiting, a personal computer, a mobile telephone, a personal digital assistant (PDA), a network appliance, a smart card, a network terminal, or a workstation.
  • The client 15 and the first server 30 interact such that the client 15 is provided with intermediate data 22 that the client 15 can use as part of the process to decrypt the encrypted secrets 5. The client 15 may use the intermediate data 22 directly as a decryption key, for example, if the decryption key is communicated over a secure channel. Alternatively, the client 15 may derive (possibly in combination with other information) from the intermediate data 22 some portion or all of one or more decryption keys that are used to decrypt the encrypted secrets 5. The client 15 and the first server 30 may participate in a blind function evaluation protocol, in which the client 15 has some secret information and the first server 30 has some secret information, and together the client 15 and the first server 30 provide their respective secrets as an input to a jointly calculated function, without either the client 15 or the first server 30 revealing their secrets to the other and with only the client 15 obtaining the output of the jointly calculated function. The specifics of the particular blind function evaluation protocol, what the first server 30 does with the client information 38, and what the client 15 does with the intermediate data 22, will vary depending upon the evaluated function and the blinded protocol selected.
  • The interaction between the client 15 and the first server 30 might include only a single data exchange or they might participate in more complicated protocols in which multiple data exchanges take place. For example, in a simple blind function evaluation protocol, there might be a single communication of client information 38 to the first server 30, and a single response of the first server 30 back to the client 15 in which the intermediate data 22 is communicated. In more complex blind function evaluation protocols, portions of client information 38 are sent at different times to the first server 30, and portions of intermediate data 22 are communicated to the client 15 at different times.
  • The use of a blind function evaluation protocol, or other embodiments in which the decryption key is derived from the client information, provides additional security benefits resulting from the fact that the first server 30 does not have the decryption key in an unblinded form. Even if the first server 30 is compromised, and a server secret obtained, it will still be necessary for an attacker to do more work to transform the server secret into the decryption key. Just as one example, in one such embodiment, the first server 30 and client 15 engage in a blind function evaluation protocol that results in the first server 30 providing to the client 15 a blinded key as the intermediate data 22. The client 15 has information used to unblind the decryption key 24, which is then used to decrypt the encrypted secrets 5. Compromise of the first server 30 would still not directly reveal the decryption key 25 to an attacker.
  • In one embodiment, a verification is used to prevent attempts to gain access to the intermediate data 22 by repeated guessing of the first secret 35 or client information 38. Without such a verification, an attacker that compromises the second device 10′ and has access to the encrypted secrets 5 could determine the corresponding intermediate data 22 by sending the various possible values of the client information 38 to the first server 30. By limiting the number of unsuccessful attempts allowed, the first server 30 prevents such an attack. For example, the verification can be made by demonstrating successful decryption of the encrypted secrets 5. If the encrypted secrets 5 include an encryption key, the encryption key can be used to encrypt a challenge value provided by the first server 30. If the encrypted secrets 5 include personal information of the user, such information can be provided to the first server 30.
  • In one embodiment, biometric information is used for the first secret 35, through the use of “fuzzy commitment” techniques such as those described in PCT Patent Application Serial No. PCT/US00/03522 entitled “A Fuzzy Commitment Scheme.” The transformation from initial biometric information to first secret 35 is accomplished with the use of codes that are akin to error correcting codes. Generally, the resulting first secret 35 has at least PIN-level security due to the limited amount of uncertainty available in typical biometrics and the accommodation for measurement errors. In one embodiment, code information used to correct differences in biometric information is stored on a code server (not shown) connected to the network 20. The client 15 combines the code information with biometric data to generate the first secret 35. In other embodiments, the code information is stored on the client 15, the first server 30, the second device 10′, or some combination.
  • The second device 10′ stores encrypted secrets 5 for the user 3. The second device 10′ can be implemented as any sort of device or machine capable of storing encrypted secrets and communicating the secrets upon authentication. As examples of implementations of devices 10′ not intended to be limiting, the second device 10′ can be one or more of a file server, a directory server, a key server, a personal computer, a mobile telephone, a personal digital assistant (PDA), a network appliance, a smart card, a network terminal, and a workstation. In one embodiment, the second device 10′ is implemented in the client 15 in a cryptographically secure section of memory or on a dedicated cryptographically secure chip. The encrypted secrets 5 are stored in the second device 10′ such that a client 15 authenticates to the second device 10′ prior to the second device 10′ providing the encrypted secrets 5 to the client 15. The second device 10′ may be an already-existing file server or other authenticated data store. The system and method of the invention can be used to provide additional security to secrets stored on such a data store.
  • In one embodiment, the second device 10′ does not provide encrypted secrets 5 to the client 15 until the client 15 has authenticated to the second device 10′. The authentication step can be based on information derived from the intermediate data 22 or the authentication can be based on independent authentication information, such as a PIN, a password, a token code, a time-based code, biometric information, or some combination. The second device 10′ can be an already-existing, or standard, authenticating data store, for example, a directory server such as a file server accessed by MICROSOFT WINDOWS NT available from Microsoft Corporation of Redmond, Wash., clients, or a file system accessed by NIS clients, such as those available from Sun Microsystems of Mountain View, Calif. The second device 10′ can also be a local device (implemented in hardware or software) on the user's 3 personal computer, or a portable memory device in communication with the client 15 by PCMCIA or serial connection. Because the encrypted secrets 5 can be stored in a conventional manner, the system of the current invention can be integrated with existing systems that provide authenticated access to encrypted secrets 5 to increase the security of the encryption.
  • In one example embodiment that enables digital signing of documents, a user has one mechanism for authenticating to a computer, and another for signing a document. In this embodiment, a computer stores an encrypted signature key and the user authenticates to that computer to obtain the encrypted signature key. When the user wishes to use the encrypted signature key to sign a document, the user provides a client (which may be the computer) with a password. The client engages in a blind function evaluation protocol with a first server. The result of the blind function evaluation protocol (or a key derived from the result) is used to decrypt the signature key, and the signature key is then used to digitally sign a document. In this way, a second mechanism, involving an independent server, is used to enable the digital signature of a document. Compromise of the computer does not enable an attacker to make use of the signature key.
  • Referring to FIG. 3, in one embodiment, a client 15 communicates with a first server 30 and a second device 10″ as in FIG. 2. In this illustrative embodiment, the second device 10″ is a second server that is accessed over a communications network such as the Internet. In this illustrative embodiment, the communication between the client 15 and the first server 30 takes place over a computer network 20 such as the Internet, and the communication between the client 15 and the second server 10″ takes place over a computer network such as the Internet. Prior to the user 3 attempting to access the encrypted secrets 5, the system 300 is initialized 33 for use by the user 3. This initialization may include operations performed on both the client 15 and first server 30 and some initial exchange of data.
  • To access the encrypted secrets 5, the user 3 first uses the client 15 and the first server 30 to convert a first secret 35 into a decryption key 25, which preferably is a stronger key than the first secret 35. In this example, the first secret 35 is a password, that is a sequence of symbols that can be conveniently remembered by the user 3. As described above, in other embodiments, the first secret 35 might also be something else, or a combination of a password and something else.
  • In this embodiment, the client 15 participates in a blind function evaluation protocol 40 with the first server 30. The blind function evaluation protocol 40 takes as input client information in the form of the client's secret input 45, which may be the first secret 35 or information derived by the client 15 from the first secret 35, and a server secret 50 to produce a hardened (i.e. stronger) secret 25 than the first secret 35. The hardened secret is stronger at least partially because it is chosen from a much larger key space and so it is more difficult to guess. The blind function evaluation protocol is designed in such a way that the first secret 35 and the hardened secret 25 result are known to the client 15 but not the first server, and the first server secret 50 is known only to the first server 30, yet both the client 15 and the server 30 participate in the protocol.
  • A blind function evaluation protocol 40 can be represented mathematically by the expression R=g(w, b) where, R is the result 25 of the blind function evaluation protocol, b is the first server's secret 50, and w is the client's 15 secret input 45. The function g is constructed such that the client 15 cannot determine the first server's secret 50 given the result 25, yet the same inputs 45, 50 consistently produce the same output 25 R. Preferably, the protocol is also designed such that a third party does not learn any of the three values b, w, and R.
  • Various blind function evaluation protocols have been developed that are based on different functions. These include, as examples not intended to be limiting, implementations based on discrete-logarithm cryptography and the RSA algorithm which is based on the problem of extracting roots modulo a composite. Blind function evaluation is an instance of multi-party secure computation, introduced by A. Yao in “Protocols for Secure Computations,” IEEE FOCS (1982), pp. 160-164. In multi-party secure computation, a function is computed in which the inputs are provided by two or more parties, and the output may be kept private from some parties as well. It has been shown that any polynomial-time-computable function g can be computed securely in polynomial time by representing the function as a logic circuit and evaluating it with what amounts to a gate-by-gate protocol (which tends to be complex).
  • In the embodiments described below, using discrete logarithm cryptography and the RSA cryptosystem, the function g has a special form and the protocol is more efficient, but it is also possible to use another one-way function, for example a hash function, or an encryption function, and apply the general methods. Generally, the function g(w, b) should be one-way with respect to b such that it is difficult to determine b, given a set of g(w, b) values for some inputs w. Otherwise, an attacker could participate in the protocol some number of times, each time providing different values of w, and then solve for b. Also, it should be difficult, given a set of g(w, b) values for some inputs w, to determine g(w, b) for other values of w. Otherwise, an attacker could use the results of some password guesses to get other password guesses. The second property implies the first.
  • Yao's construction enables two parties, such as the server and the client in this implementation, to compute the output y of any polynomial-computable function g on any pair of secret inputs b and w in the domain of g in such a way that the evaluator learns y, and neither party learns any additional information. Other variants are also possible.
  • We assume that the server behaves correctly, i.e., adheres to the protocol, but may try to learn additional information. In this case, the Yao construction involves two phases. In the first phase, the server decides on a polynomial-sized boolean circuit C. Input to this circuit is a secret v, while the output is g(v, b). (The input b is built into the circuit.) Let v1, v2, . . . , vn represent the individual bits of v. The circuit C is constructed in such a way that each bit vi is expressed as one of two random “tags”, yi 0 and yi 1, the first assigning a ‘0’ bit to vi and the second assigning a ‘1’ bit to vi. The server sends C (in an appropriate representation) to the user. Further details are available in the Yao paper.
  • In order to evaluate C on the desired secret value w=w1, w2 . . . wn, the user must obtain the correct set of tags {ywi}. On the other hand, to ensure in general that the user learns no information other than y, it is critical that the user learn only these tags, and furthermore that the server not learn which tags the user has obtained. This is accomplished by means of a protocol known as one-out-of-two oblivious transfer, abbreviated 1-2 OT. 1-2 OT is a cryptographic primitive involving two players, a sender and a receiver. The sender sends two values x0 and x1 to the receiver. The receiver selects a bit c and receives xc. The sender learns no information about c, while the receiver learns no information about x1-c. Yao proposed an RSA cryptosystem based 1-2 OT protocol in the paper referenced above, while Goldreich, Micali, and Wigderson extended the protocol to make use of any one-way permutation.
  • In the second phase, the server sends the set of tags yi w i to the user using a 1-2 OT protocol as follows. For each value i, the server sets x0=yi 0 and x1=yi 1, and the user selects z=wi. Once the second phase is complete, the user has all of the necessary tags to compute g(w, b).
  • In one embodiment, the client 15 uses the result 25 R of the blind function evaluation protocol as a decryption key 25 to decrypt the encrypted secrets 5. In another embodiment, the client 15 derives from the result R 25 intermediary strong secrets 60 that can include the decryption key (and possibly other data).
  • The client 15 also authenticates 65 to a second server 10″. Typical authentication measures can include using something the user 3 knows, something the user 3 has, some measured characteristic of the user 3, or some combination. The authentication 65 thus can take place in various ways, including without limitation by transmission of a PIN, a password, a biometric measurement, a token code, a time-based code (such as, from a SECURID token manufactured by RSA Security Inc.), use of an encryption key, use of a hash-chain approach, such as S/KEY, or some combination. If the authentication to the second device 10″ is successful, then the second device 10″ provides the client 15 access to, or a copy of, the encrypted secrets 5.
  • In one embodiment, after successfully authenticating to the second device 10″ and decrypting the encrypted secrets 5, the client 15 verifies 55 the successful recovery of the encrypted secrets 5 to the first server 30. The verification step 55 could be implemented in various ways including using asymmetric cryptography, symmetric cryptography, or a proof of knowledge protocol. An advantage of using asymmetric cryptography is that the initialization step 33 is more straight-forward.
  • Successful decryption of the encrypted secrets 5 implies that the user 3 provided the client 15 with the correct first secret 35. In one embodiment, the first server 30 only allows a client 15 to engage in the blind function evaluation protocol 40 a limited number of times without demonstrating a successful verification 55 that the encrypted secrets 5 were successfully decrypted. The purpose of the verification 55 is to ensure that an attacker could not determine the correct hardened secret 25 through exhaustive searching of the possible client 15 first secret values 35. The verification 55 can be implemented in various ways.
  • In one embodiment, the encrypted secrets 5 include a private key 8, which the client 15 uses to sign an identifier 70. The identifier 70 can be a nonce or other data selected by the first server 30 as representing to the first server 30 the particular instantiation of the recovery process. The identifier 70 can thus serve as a challenge, to which the client 15 responds by showing knowledge of the private key 8.
  • One benefit of the invention is that an attacker has to compromise both the first server 30 and the second device 10″ to obtain a decrypted form of the encrypted secrets 5. Without compromise of both servers, an attacker's best attack on the secrets is on-line guessing of the user's password and other authentication factors, if any. On-line guessing in this context means the attacker attempts to guess by participating in the protocol and providing guessed values to either the first server 30 or the second device 10″. In general, the success of on-line guessing can be severely limited by preventing the attacker from making more than a certain number of guesses, either by halting acceptance of guesses after more than a certain number have been made, or by increasing the delay time before the system responds to an on-line guess after a certain number have been made. In general, if such guess-prevention mechanisms are in place, limiting an attacker to on-line guessing is a sufficient level of security.
  • For example, in a simple implementation involving a first server 30 and a device 10′ (as in FIG. 2), the user has a first PIN or password and the user has a token, such as a two-factor authentication token that produces a time-based token code in response to the current time, a token code, and a second PIN. In this implementation, the first server 30 merely stores the intermediate data 22, and transmits it to the client upon receipt of the first PIN or password. Preferably, the communication takes place over an encrypted communications channel to ensure the security of the first PIN or password and the intermediate data 22. The client uses the token code to authenticate to the device 10′ and accesses the encrypted secrets 5. The intermediate data 22 is used to decrypt the encrypted secrets 5.
  • In this simple implementation, an attacker that has not compromised either the first server 30 or the device 10′ needs to perform both on-line password guessing and on-line token-code guessing. If the device 10′ is compromised (but not the first server 30), the attacker can either try off-line guessing of the decryption key of the encrypted secrets 5 (the success of which is highly improbable) or the attacker still needs to undertake on-line guessing of the first PIN or password. If the first server 30 is compromised (but not the device 10′), the attacker still has to undertake on-line token-code guessing. If both the first server 30 and the second device 10″ are compromised, then the attacker has direct access to the encrypted secrets and to the intermediate data 22 and thus can immediately decrypt the encrypted secrets 35.
  • As another example, another embodiment makes use of the blind function evaluation protocol and a two-factor token code. An example of such an embodiment is described in more detail with reference to FIG. 5 below. In this embodiment, the user has a first PIN or password (the first secret 35), and the user has a two-factor authentication token as in the previous example. The client participates in the blind function evaluation protocol (also referred to as a password hardening protocol) with the first server. The client provides the first secret 35 as input to the blind function evaluation protocol and obtains the strong secret R 25. The client then derives one intermediary strong secret value from the strong secret R. The client uses the token to authenticate to the second device 10″ to access the encrypted secrets 5. The intermediary strong secret T2 is used to decrypt the encrypted secrets 5.
  • In this embodiment, an attacker that has not compromised either the first server 30 or the second device 10″ needs to perform both on-line password guessing and on-line token-code guessing. If the second device 10″ is compromised (but not the first server 30), the attacker can either try off-line guessing of the decryption key of the encrypted secrets 5 (the success of which is highly improbable) or the attacker still needs to undertake on-line guessing of the password. If the first server 30 is compromised (but not the second device 10″), the attacker has to undertake on-line token-code guessing and on-line first secret 35 guessing, because the blinding prevents the attacker from knowing the strong secret R 25. It is only if the both the first server 30 and the second device 10″ are compromised that the attacker can undertake off-line password guessing (but cannot immediately decrypt the encrypted secrets 5).
  • Thus, the use of the blind function evaluation protocol provides benefits even to a system that uses a two-factor authentication token, because information is hidden from the first server 30, which information the first server 30 cannot reveal even if the first server 30 is compromised. In the event that both the first server 30 and the second device 10′ are compromised, the user's password still provides a degree of protection. This degree of protection can be increased by increasing the amount of time that an attacker (as well as the actual user) needs to spend to derive the intermediary strong secret value T2 from the first secret 35. Increasing the amount of time can be accomplished by increasing the complexity of the derivation of the strong secret R (which in the embodiments described herein is already relatively complex) and by increasing the complexity of the derivation of the intermediary strong secret value T2 from the strong secret R. If each derivation of T2 from a guess of the first secret 35 is sufficiently time consuming, even off-line guessing can be made unlikely to succeed.
  • In still another embodiment, described in more detail below with reference to FIG. 4, the user has only a single PIN or password. The client participates in the blind function evaluation protocol with the first server and obtains the strong secret R 25. The client then derives two intermediary strong secret values T1 and T2 from the strong secret R. One intermediary strong secret T1 is used to authenticate with the second device 10″ and the other intermediary strong secret T2 is used to decrypt the encrypted secrets 5.
  • In this embodiment, an attacker that has not compromised either the first server 30 or the second device 10″ can only perform on-line password guessing. If the second device 10″ is compromised (but not the first server 30), the attacker can either try off-line guessing of the decryption key of the encrypted secrets 5 (the success of which is highly improbable) or the attacker still needs to undertake on-line guessing of the password. If the first server 30 is compromised (but not the second device 10″), the attacker is still limited to on-line password guessing, because the blinding prevents the attacker from knowing the strong secret R 25. It is only if the both the first server 30 and the second device 10″ are compromised that the attacker can undertake off-line password guessing. Thus, this embodiment provides security against the compromise of a single server, using only a single (possibly weak) PIN or password.
  • Referring to FIG. 4, an embodiment of the invention uses discrete logarithm cryptography in the blind function evaluation protocol 40′. Prior to a user 3 attempting to access the encrypted secrets 5, initialization is performed as in the initialization 33 of FIG. 3. One step in this initialization process is that the first server 30 selects 75 a prime p such that p=2q+1 where q is a prime. The value of p is selected in this manner because it is useful to ensure that there is a large sub-group within the multiplicative group Zp* (where Zp* is the group of integers from 1 to (p−1) under the operation of multiplication modulo p) for straight forward cryptographic computation with minimal leakage of secret information in protocols, however other arrangements are possible. The first server 30 communicates 80 p to the client 15.
  • The security of this discrete logarithm embodiment depends upon the parameters p and q being generated appropriately, which may be, as in the embodiment described here, that p and q are prime, and p=2q+1. In other embodiments, there may be more or less requirements on p and q, with the resulting tradeoffs in security benefits. In one embodiment, both p and q are published, or otherwise made available to the client. The client can then directly verify the properties of p and q.
  • The first server 30 also selects 85 a secret exponent b between 1 and q−1 for each user 3 i that can store encrypted secrets 5 ET2(K1, . . . , Kn) on the second device 10′. The first server 30 also publishes a function ƒ that maps weaker secrets 35, such as passwords, to elements of the multiplicative group ZP*. For instance, given the first secret 35 FS, ƒ(FS) might be defined as MGF(FS) mod (p) or MGF2(FS) mod (p) where MGF is a mask-generation function. Various mask generation functions can be used. One suitable MGF is MGF1, described in PKCS #1: RSA Cryptography Specifications, Version 2.0 B. Kaliski and J. Staddon, available at http:/www.rsalabs.com/pkcs/pkcs-1/index.html. For security purposes, the mapping should be independent of other cryptographic operations performed and should map to sufficiently randomly distributed values mod p. The function ƒ might be different for different users or groups of users, so long as it is possible for the client to determine the appropriate function to use.
  • A final step in the initialization is that the first server 30 stores 90 a verification value vU. In the current embodiment, the verification value vU is the user's 3 public key. In an alternative embodiment, the verification value vU is one of the encrypted secret 5 Ki known only to the user 3 and the first server 30, or something derived from the encrypted secret 5 Ki.
  • Having initialized to the first server 30, the user 3 can then use the first server 30 to access his or her encrypted secrets 5. To initiate access to the encrypted secrets 5, the user 3 provides 95 his or her first secret 35 to the client 15. The client 15 then generates 100 a random exponent k that satisfies 1≦k≦q−1. The client 15 next computes 105 r=ƒ(FS)k=wk mod p and transmits 110 this value along to the first server 30. The exponentiation 105 by k serves to hide the value of ƒ(FS) from the first server 30 and from parties observing communications between the client 15 and the first server 30. In this way, even a party that compromises the first server 30 will not be able to determine the user's 3 underlying first secret 35. Depending on the form of ƒ(FS), it may not ensure that all values of r are equally likely.
  • For example, if p=2q+1 and ƒ(FS)=MGF(FS)2 mod p, where MGF(FS) is defined to map to a subset of the integers between 2 and p−2, then ƒ(FS) is an element in the multiplicative subgroup of Zp* of order q, and all values of r are equally likely. As another example, if p=2q+1 and ƒ(FS)=MGF(FS), with the same definition of MGF, then ƒ(FS) is an element in the multiplicative group Zp*, but not necessarily in the subgroup of order q. The value ƒ(FS) may either have order q or order 2q. If it has order q, then all values of r are equally likely, but if it has order 2q, only about half the elements of Zp* are possible, and information about ƒ(FS) is leaked, although it is not clear how to exploit this information. As a result, if ƒ(FS) is defined without squaring, k should range from 1 to 2q−1. A small amount of information may still be leaked (in particular, whether ƒ(FS) is in the subgroup of order q or not), but this is not significant.
  • In any implementation where p=2q+1, one bit of b may be leaked (specifically, whether it is even or odd) by an attacker who sends values not in the multiplicative group of order q, to determine whether they are mapped into the group or not when raised to the b power. This attack can be overcome by raising to the 2b power, or choosing an even value of b. In the more general situation, ƒ(FS)=MGF(FS)a mod p, where p=aq+1, and a>2, and the greatest common divisor of a and q is 1. More bits of b may be leaked in this situation, specifically, the value b mod a. This can be overcome by raising to the a·times b power, or choosing a value of b that is divisible by a. This is described further in U.S. Pat. No. 5,933,502 to Vanstone et al. The general hardening function g(w, b) in the discrete logarithm embodiment is given by g(w, b,)=wb mod p. Upon receiving r, the first server computes 115 s=rb mod p. The term b is the first server's 30 secret input. Exponentiation by this factor transforms the first secret 35 into a recoverable hardened secret. Undoing the exponentiation is not mathematically feasible for sufficiently large valves of b due to the discrete logarithm problem. For the same reason, the term b remains unknown to the client 15. That is, even with knowledge of r and s the client 15 can not feasibly determine b.
  • In addition, if this is the user's 3 first attempt to access the encrypted secrets 5 or first attempt since successfully accessing the encrypted secrets 5, the first server 30 initializes 120 the access attempt variable nU. If this is not the user's 3 first attempt, then the first server 30 increments 120 the access attempt variable nU. The access attempt variable nU is used by the first server 30 as a mechanism to lock-out or throttle an attacker who is attempting to determine the hardened secret 25 by guessing the first secret 35. In one embodiment, if the access attempt variable nU exceeds a predetermined number, then further attempts to harden the particular user's 3 first secret 35 are prohibited until either the first secret 35 is changed or a system administrator determines that the failed attempts do not represent a security threat. In another embodiment, the first server 30 increasingly delays its communication 125 of s and N (discussed below) as the access attempt variable nU increments. This throttling mechanism makes it impractical for an attacker to determine the hardened secret 25 by searching all possible values of the first secret 35.
  • If the allowed number of attempts has not been exceeded, the first server 30 returns 125 s and a unique index, or nonce N, for this instantiation of the attempted recovery process. In one embodiment, the nonce N is derived from the access attempt variable nU such that the derived value is unique for each instantiation. In another embodiment, the nonce N is chosen at random.
  • Upon receiving s and N, the client 15 computes 130 1/k, the multiplicative inverse of k mod q. The client 15 uses this value to generate 135 the hardened secret 25 R according to R=s1/k mod p. This step 135 reverses the blinding factor k that was used to hide communications between the client 15 and the first server 30. In this embodiment, the client 15 uses R to compute 140 the intermediary strong secret values T1 and T2 according to the relationship T1=KDF(R, i) where KDF is a key derivation function. The key derivation function allows the system 300 to produce multiple intermediary strong secrets 60 from the hardened secret 25 R. The nature of the KDF is that knowledge of T1 does not make it substantially easier to determine T2. Two example key derivation functions are PBKDF1 and PBKDF2, described in PKCS #5 by RSA Laboratories, a part of RSA Security Inc., available at http://www.rsalabs.com/pkcs/pkcs-5/index.html.
  • The client 15 then authenticates 65′ the user 3 to a second device 10′ by transmitting 141 T1 and downloads 142 the encrypted secrets 5 T2(K1, . . . , Kn) that have been encrypted with T2. Next, the client 15 recovers 145 the secrets K1, . . . , Kn using T2. The client 3 then uses K1 to produce 150 verification data to verify 55 to the first server 30 that the current secret decryption attempt was successful. In the current embodiment, K1 is the user's 3 private key 8 and the client 15 uses this value to sign 150 the nonce N. The first server 30 verifies the signature on the value N by applying 155 the user's 3 stored public key vU. If the signature verifies, then the first server 30 is assured that the client 15 successfully decrypted the secret value K1. In this case, the access attempt is considered successful and the value of the access attempt variable nU is reset 160. If the decryption was unsuccessful, the value of nU would remain unchanged to be incremented 120 by any subsequent attempts so that, as mentioned above, if an excessive number of unsuccessful attempts were made, hardening of the particular user's 3 first secret 35 would be prohibited or throttled.
  • To help ensure the security of the encrypted secrets 5, the client 15 can be configured to store the encrypted secrets 5 only in active memory so that they will be lost whenever the client 15 is shut down. In addition, the client 15 can be configured to purge the encrypted secrets 5 whenever a particular user 3 signs off the client 15 or after a fixed period of time.
  • If the user's only secret is a PIN or password, as it is in this embodiment, the authentication protocol between the client 15 and the second device 10′ should not provide enough information for an eavesdropper to verify a guess of T1 and T2 by examining messages exchanged between the client 15 and the second device 10′. Otherwise, an attacker that compromises the first server 30 can verify guesses of the password by deriving R and T1 and checking whether T1 is correct. If the second device 10′ is physically local to or integrated with the client 15, this protection may be inherent in the architecture. If the client 15 and the second device 10′ are separated by a computer network, however, one way to achieve this is to use a secure communication protocol, such as SSL, which encrypts and integrity-protects the data.
  • Likewise, the hardened secret 25 R should be obtained from the password in a manner such that the client can be assured that R has been computed by the first server 30 (and not an attacker) before the client 15 uses a key derived from R to authenticate to the device. Otherwise, an attacker that compromises the device may be able to manipulate the protocol to cause the client 15 to use a different key in a way that leaks information about the user's password. For instance, by manipulating the protocol so that the intermediate value s returned is the same as the value r provided by the client, the attacker can cause the hardened secret R to equal the value ƒ(FS). The keys T1 and T2 would then directly depend on the password. If T1 is used to authenticate to the device in a typical challenge-response protocol, the attacker will be able to verify whether guesses of the password are correct. There is a similar attack if the encrypted secrets 5 are transmitted in the clear. Again, the use of a secure communication channel, such as SSL will provide the necessary security.
  • Alternatively, a “proof of correctness” can be used to so the client can determine whether the correct value of b has been applied. A proof of correctness is stronger than an SSL session as it does not require the client to trust the server to perform the computation correctly, and so provides more than is necessary to meet the protocol's design goal, which is for the client to know that the server was involved. In embodiments using the RSA cryptosystem (described further with regard to FIG. 5), the “proof” is built in. The client simply checks that R=ƒ(FS)e (mod n). A proof involves additional computations for the discrete logarithm approach described above. An illustrative example of the embodiment shown in FIG. 4 is given by a cellular telephone that contains a dedicated cryptographic chip containing encrypted secrets 5. In this example the cellular telephone is the client 15 and the cryptographic chip is the second device 10′. As cellular telephones can be lost, it is advantageous to strongly encrypt the encrypted secrets 5, such as a private key 8 used for digital signatures, on the cryptographic chip. As mentioned above, the decryption key 25 necessary to decrypt strongly encrypted secrets 5 can be difficult for users 3 to remember.
  • Given this, the cellular telephone can be configured to employ the embodiment shown in FIG. 4 in which a first secret 35, such as a PIN, can be used to access strongly encrypted secrets 35. According to this embodiment, a user 3 would first enter 95 a numeric PIN as a first secret 35 into the cellular telephone key pad when he or she wanted to, for example, execute a digital signature. The cellular telephone would then modify and blind 105 the PIN and transmit 110 it to a first server 35. The first server 35 would then apply 115 its secret b and transmit 125 the resulting value, as intermediate data 22, back to the cellular telephone. The cellular telephone would then unblind the intermediate data thereby generating 135 the hardened secret 25 R. Using the hardened secret 25 R, the cellular telephone would generate 140 two intermediary strong secrets T1 and T2. Next, the cellular telephone would transmit 141 T1 to the cryptographic chip for authentication 65′. Assuming that the authentication 65′ was successful, the cryptographic chip would then download 142 into the cellular telephone's active memory the encrypted secrets 5. The cellular telephone would then use T2 to decrypt 145 the encrypted secrets 5. Using the private key 8, or employing one of the alternative methods discussed above, the cellular telephone would then verify 55 to the first server 30 that it had successfully accessed the encrypted secrets 5. With access to the private key 8, the cellular telephone could then use the private key 8 to form a digital signature to, for example, execute a digital transaction.
  • Referring to FIG. 5, in another embodiment, the blind function evaluation protocol 40″ is based on the RSA cryptosystem, which is based on the problem of extracting roots modulo a composite, and which is described in R. Rivest, A. Shamir, and L. Adleman, “A Method for Obtaining Digital Signatures and Public-key Cryptosystems,” Communications of the ACM, 21(2) pp. 120-126, February 1978 and “PKCS #1: RSA Cryptography Specifications,” Version 2.0, by B. Kaliski and J. Staddon, available at http://www.rsalabs.com/pkcs/pkcs-1/index.html. The use of the RSA cryptosystem to perform blind signatures in the context of anonymous digital cash is described in D. Chaum, “Security Without Identification: Transaction Systems to Make Big Brother Obsolete,” Communications of the ACM, 28 (1985), 1030-1044.
  • Also, in this embodiment, to show an example of this type of authentication, the authentication 65″ operation employs a time-based token code. As before, the system includes a client 15 that receives a first secret 35 from a user 3, a first server 30, and a second device 10′.
  • As part of initialization , the first server 30 generates 170 a product n that is the product of two primes, pi and qi for each user 3 i. The values pi and qi are large prime numbers, for example numbers larger than 512 bits in length, and n is the RSA modulus. The first server 30 also selects 175 a value ei that is a small integer that is relatively prime to LCM(pi−1, qi−1), where LCM stands for Least Common Multiple. The value of ei is the public exponent in the RSA cryptosystem. The public exponent ei is chosen to be relatively prime to LCM(pi−1, qi−1) so that it is assured that a multiplicative inverse b exists. The value of b is defined by b=ei −1 mod LCM(pi−1, qi−1). The RSA cryptosystem makes use of the fact that Mbe mod(n)=Meb mod(n)=M1 mod n, where M is a message to be encrypted. That is, the exponentiation of M to ei and then to b or the exponentiation of M to b and then ei returns M to its original value mod(n).
  • The value b is the server secret input, which is either computed 180 by the first server or, in an alternative embodiment, stored on the first server 30 after being generated elsewhere, during initialization 33 (FIG. 3). An additional step in the initialization of the client 15 and the first server 30 is that both store 185, 185′ a secret seed SS that is used as part of the authentication 65″ process. A further initialization step is that the first server 30 stores 188 a copy of the public exponent ei and the modulus ni or publishes them so that they can be provided to the client, and initializes 189 the access attempt variable nU.
  • The hardening function R=g(w, b) in the RSA cryptosystem-based embodiment is defined by g(w, b)=wb mod n. The value w is generated 190 as above via a function ƒ applied to a user 3 supplied first secret 35, such as a password P. That is, w=ƒ(FS) where the function ƒ may be based on a mask generation function and FS is the first secret 35 as previously. To blind the initial communication from the client 15 to the first server 30, the client 15 generates 195 a random value ai such that (1<ai<n−1) and gcd(ai, n)=1. The value ai is relatively prime to n so that an inverse of ai ei is guaranteed to exist. The client 15 then 200 computes Mi=ai e i w mod n. Here, ai e i is a random element of Zn*, regardless of f(w). Provided that ƒ(w) is in Zn*, so that it does not contain a factor in common with n, the Mi will be a random element of Zn*, so all values of Mi are equally likely. As all values of ai are equally likely, multiplication by the value ai serves to blind the value of w mod n with respect to the first server 30 and with respect to someone observing communications between the client 15 and the first server 30. The value Mi is transmitted 205 to the first server 30 by the client 15.
  • The next step in the blind function evaluation protocol 40″ is that the first server 30 computes 210 the value c=Mi b mod n and returns 215 this value to the client 15 along with the nonce N. As described above, this operation reverses the exponentiation by ei because ei and b are the multiplicative inverses of each other. Mathematically the value of c is given by h=Mi b mod n=aiwb mod n. If the space for b is sufficiently large, the exponentiation of Mi by b serves to harden the user's 3 first secret 35 P. As mentioned above, the value of wb mod n is blinded from observers (including the first server 30) by the multiplication by the random value of ai. In order to limit unauthorized attempts to harden a first secret 35, the nonce N is returned is returned by the first server 30 to the client 15 to identify this instantiation of the encrypted secrets 5 recovery attempt for verification purposes.
  • The final stage in the blind function evaluation protocol 40″ first involves the client 15 removing the blinding associated with the random value ai. The client 15 achieves this by multiplying 220 c mod n by ai −1 mod n. The unblinding is represented mathematically by ai −1 c=wb mod n. To provide additional security to the hardened secret R=wb mod n 25″, the unblinded value is next entered 225 as the input to a hash function h so that the intermediary strong secret T 3 65″ is given by T3=h(ai −1 c mod n).
  • An advantage of the RSA cryptosystem-based blind function evaluation protocol 40″ is that it only involves one short exponentiation, one multiplication, and one modular inversion per user 3. The modulus may be the same for each user 3 i provided that the exponents ei are different, so that protocol runs are associated with a particular user 3 i and throttling of other account-specific countermeasures can be enabled. If the exponent ei varies for each user 3 i, the set of possible exponents should be pairwise relatively prime to LCM(p−1, q−1).
  • The security of the RSA cryptosystem-based blind function evaluation protocol 40″ depends on the modulus n and the exponent e forming a valid RSA public exponent such that n is a product of two large primes, and e is relatively prime to Φ(n). If n is not a product of two large primes, it may be possible for an attacker to determine the value R from ƒ(w), and if e is not relatively prime to Φ(n), then information about ƒ(w) may be leaked from the client information ae ƒ(w).
  • In one embodiment, the server provides the n and e values to the client in a certificate, where the certificate associates the n and e values with the particular user. The certificate authority can assure that the n and e values are valid before issuing the certificate. To do this the certificate authority may, for example, use the methods and apparatus described in co-pending U.S. Ser. No. 09/188,963, entitled “Methods and Apparatus for Verifying the Cryptographic Security of a Selected Private and Public Key Pair Without Knowing the Private Key,” by Liskov et al., incorporated herein by reference.
  • It should be noted that in the embodiment of FIG. 5, proper selection of e may be more critical than selection of n. If a compromised first server selects n such that it does not have prime factors, that will help an attacker who compromises the device. But a improper selection of e will make it possible for someone else (who has not compromised the device 10′), to attack the system.
  • As mentioned above, the authentication step 65 can be implemented in various ways. In the embodiment shown in FIG. 5, the authentication 65″ shows the details of using a time-based token code. Under this method, the client 15 generates 230 a dynamic password L as a function of a secret seed SS and the current time CT (and optionally a user PIN PP) and sends 235 the dynamic password L to the second device 10′. To authenticate 65″ the client 15, the second device 10′ regenerates 240 a version L′ of the dynamic password L from its copy of the secret seed SS, the current time CT (and the user PIN PP, if appropriate). The second device 10′ then compares 245 the dynamic password L it received from the client to the one L′ that it generated. If there is not an exact match, the second device 10′ can be configured to recalculate the regenerated dynamic password L′ utilizing times nearby to its current time CT to synchronize its clock with the client's 15 clock. In an alternative embodiment, the second device 10′ does not directly verify the dynamic password L but instead employs a third server to generate and verify the client's 15 dynamic password L.
  • In the current embodiment, the generation of the dynamic password L by the user is implemented as a physical token, such as a RSA SECURID token. In an additional alternative embodiment, the physical token is combined with a PIN to provide additional security through a two-factor authentication process. The use of the token is just one way that authentication could be implemented.
  • In another embodiment, biometric information is used for the authentication step 65″. The use of biometric derived information for authentication 65″ could be similar to the use of biometric derived information for the first secret 35. The initial biometric information, such as a fingerprint or iris scan, is here converted into-authentication data. In one embodiment as in the first secret 35 case, the error correction codes are stored on error correction servers connected to the network 20 and can be signed by an independent server to ensure integrity. Before providing the authentication data, the client 15 obtains the error correcting information and verifies its integrity. The client 15 then combines the information with the initial biometric information to generate the authentication data that is used to authenticate 65″ to the second device 10′. In other embodiments, the error correction codes are stored in other locations including on the client 15, on the first server 30, or the second device 10′.
  • In an additional embodiment also employing biometric-derived information for authentication 65″ no error correction codes are utilized. In this embodiment, the authentication 65″ process tolerates a range of biometric values. According to this embodiment, the client 15 transmits the biometric derived information to the second device 10′, and if this information falls within the range that the second device 10′ is configured to accept, then the second device 10′ will consider that the client 15 has successfully been authenticated 65″.
  • Once the client 15 has been authenticated 65″ by the second device 10′, the second device 10′ provides 250 to the client 15 the encrypted secrets 5. To decrypt the encrypted secrets 5 the client 15 uses the intermediary strong secret T3. Once the encrypted secrets 5 are decrypted 255, the client 15 verifies 55 this to the first server 30 as before. That is, the client 15 signs 260 the nonce N with the user's 3 private key 8 and transmits 265 this valve to the first server 30. The client 15 has access to the user's private key 8 because, as before, the user's private key 8 was one of the encrypted secrets 5. The first server 30 then checks 270 the signature using the user's 3 public key Pubu and verifies 275 that the nonce N representing this instantiation of the access attempt is correct. Assuming the nonce N is verified, the value of the access attempt variable nu is reset 280 for further access attempts.
  • Referring to FIG. 6, in another embodiment, a user 603 uses commercially available web browser software running on a personal computer 615 (the client in this embodiment), to access a web server 610 over a computer network such as the Internet. In this interaction with the web server 610, the user 603 provides certain personal information, such as the user's name and address, and possibly other information, such as personal preferences, demographic information, financial information (credit card or bank account numbers), and so on, to the web server 610.
  • This personal information is useful for the interaction of the user 603 with the web server 610 using the client 615, and the user 603 would typically prefer not to provide the same information to the web server 610 each time the user interacts with the web server 610. The personal information could be stored on the client 615, but this may not be practical, for example because the user would like to access the web server 610 from more than one location, or for example because the client 615 is not used by the user 603 exclusively.
  • It therefore is useful to store the personal information on the web server 610, but in a manner that makes it difficult for an attacker to access the personal information. For performance reasons, web servers are frequently placed on an open network outside of firewalls and other security measures, and so they are vulnerable to attack. The user's personal information can be stored as encrypted secrets 605. As described above, if a user-provided password (or other weak secret) is used as a key to encrypt the personal information, the password is likely to be a weak key, and so it will likely afford less than optimal protection to the encrypted secrets. In one embodiment, the encrypted secrets are stored such that they can be decrypted with a hardened password. In various embodiments, a user's password is used as the input to a blind function evaluation protocol in which either the client or the web server participates with a hardening server 630. The result of the blind function evaluation protocol is used as or to derive a decryption key for the encrypted secrets.
  • In one embodiment, the user communicates 651 with the web server 610, and the web server 610 directs the browser to communicate 652 with the hardening server 630. If the web browser does not have the appropriate code to engage in the blind function evaluation protocol, either the web server 610 or the hardening server 630 can provide the browser with the necessary code, for example in the form of a Java applet, or in the form of a browser plug-in, or in the form of executable code for the computer.
  • The client 615 and the hardening server 630 engage in a blind function evaluation protocol, with the result that the client derives a hardened password. The hardened password is communicated to the web server, which then decrypts the user's personal information, and so can make the personal information available to the user as part of the user's interaction with the web server 610. When the user has completed his interaction with the web server 610 (e.g. logs off), the web server deletes the unencrypted secrets, keeping only the encrypted secrets in its data store. If the data store of the web server 610 is compromised, the attacker has access only to the encrypted secrets, and cannot directly access to the user's personal information.
  • In one embodiment, the blind function evaluation protocol takes as input a web server 610 identifier, in addition to the client information and the first server secret. The web server identifier might be, for example, some portion of the URL or network address of the web server, or the web server identifier could be another identifier assigned to one or more web servers. The web server 610 identifier is used in the blind function evaluation protocol, for example as an input to the blind function, and/or as an input to the key derivation function that derives the decryption key from the result of the blind function. By including the web server identifier 610 as an input to the blind function evaluation protocol, the user need only have one password, yet the client would generate different decryption keys for different web servers.
  • In one such embodiment, the web server 610 communicates the verification information to the hardening server 630. When the web server 610 decrypts the encrypted secrets, it uses some information in the encrypted secrets to prove to the hardening server that successful decryption has occurred. In this embodiment, the client communicates to the web server 610, along with the decryption key, the nonce or other verification information provided by the hardening server.
  • In another embodiment, the client 615 provides the client information (derived from the user's password and/or other secret data) directly to the web server 610, and the web server 610 engages 652 in the blind function evaluation protocol with the hardening server. The web server 610 then derives the decryption key from the hardened password (which may be the hardened password) to decrypt the encrypted secrets. In this way, the client 615 has to do less work, but the web server is able to store data that is only vulnerable to compromise when the user is communicating with the web server 610.
  • Referring to FIG. 7, in a variation of the embodiment of FIG. 6, the client 715 uses the password hardening server 730 to generate a hardened password that is used to authenticate the client 715 to the web server 710. The client 715 receives a web server identifier WSID 771. The web server identifier might be, for example, some portion of the URL or network address of the web server, or the web server identifier could be another identifier assigned to one or more web servers. Instead of receiving the WSID from the web server, the client could derive the WSID from such other information, store a list of WSID's locally, or request the WSID from a server on the network (such as the authentication server 730).
  • The client provides 772 the client information (which is derived from the user's secret) to the authentication server 730 as part of the client's participation in a blind function evaluation protocol. The client may also provide the web server identifier WSID, and the client may also provide a user identifier to the authentication server 730 as part of the blind function evaluation protocol. The WSID can be used in the blind function evaluation protocol, for example as an additional input to the blind function, to select a server secret to use in the blind function evaluation protocol. This may be in addition to or instead of the use of the WSID as an input to the key derivation function that derives the decryption key from the result R of the blind function. The user identifier may be used to selected the appropriate server secret, or for other purposes.
  • The authentication server 730 returns the blinded result R to the client 715, along with a nonce or other session identifier 772. The client generates a hardened password for use in authenticating to the web site based on the result R of the blind function evaluation protocol and possibly the other information (i.e. user identifier, web site identifier). By including the web server identifier WSID as an input to the key derivation function (and/or as an input to the blind function evaluation protocol), the user need only have one password, yet the client can generate different passwords for authentication to different web servers.
  • The client communicates 774 the hardened password and the nonce to the web server 710. For the verification, the web server 710 sends 775 a message to the authentication server 730, indicating whether or not the authentication attempt associated with the nonce was successful. If the authentication was successful, the hardening server resets the attempt counter, if it was not successful, the account variable is increased. Preferably, the message is communicated such that the web server 710 cannot be impersonated. For example, the communication can include the digital signature of the web server on the nonce.
  • Variations, modifications, and other implementations of what is described herein will occur to those of ordinary skill in the art without departing from the spirit and the scope of the invention as claimed. Accordingly, the invention is to be defined not by the preceding illustrative description but instead by the spirit and scope of the following claims.

Claims (39)

1. A method comprising:
implementing a multi-party secure computation protocol between a client which has a client secret and a server which has a server secret to compute a third secret from the client secret and the server secret, wherein the protocol is implemented so that the client obtains the third secret and cannot feasibly determine the server secret, and the server cannot feasibly determine the client secret and cannot feasibly determine the third secret;
authenticating the client by a device, the device storing an encrypted secret and configured not to provide the encrypted secret without authentication and the device being distinct from the server; and
after authenticating, providing to the client by the device the encrypted secret, wherein the encrypted secret is capable of being decrypted using a decryption key derived from the third secret and wherein the multi-party secure computation protocol implemented between the client and the server is the only multi-party computation protocol that is implemented in generating the third secret and the decryption key derived from the third secret;
wherein implementing the multi-party secure computation protocol involves:
at the client, using the client secret to compute client information to harden the client secret and then sending the client information to the server;
at the server, using the client information and the server secret to compute intermediate data and sending the intermediate data to the client; and
at the client, deriving the third secret from the intermediate data.
2. The method of claim 1 wherein the third secret is derived from the intermediate data by use of one of a key derivation function and a hash function.
3. (canceled)
4. The method of claim 1 wherein the client secret comprises at least one of a PIN, a password, and biometric information.
5. The method of claim 4 wherein the intermediate data is derived from at least the client secret and the server secret by use of a blind function evaluation protocol.
6. The method of claim 5 wherein the security of the blind function evaluation protocol is based on the problem of extracting roots modulo a composite.
7. The method of claim 5 wherein the security of the blind function evaluation protocol uses discrete logarithms.
8. The method of claim 1 wherein authenticating comprises authenticating the client based on a time-dependent code.
9. The method of claim 1 wherein authenticating comprises authenticating the client based on at least one of a PIN, a password, and biometric information.
10. The method of claim 1 wherein authenticating comprises authenticating the client based on a secret other than the client secret.
11. The method of claim 1 wherein authenticating comprises using an authentication secret derived from the third secret.
12. The method of claim 1 wherein the device comprises at least one of a file server, a directory server, a key server, a PDA, a mobile telephone, a smart card, and a desktop computer.
13. The method of claim 12 wherein the device comprises at least one secure data store, the device requiring authentication before allowing the client access to the data store.
14. The method of claim 1 wherein the encrypted secret comprises an encrypted private key of a public/private key pair used for asymmetric cryptography.
15. The method of claim 14 wherein the encrypted secret comprises an encrypted signature key used for creating a digital signature.
16. The method of claim 15 wherein authenticating comprises authenticating the client based on a secret other than the client secret, so that the user provides different information to access the device and access the signature key.
17. The method of claim 1 wherein the encrypted secret comprises an encrypted secret key used for symmetric cryptography.
18. The method of claim 1 wherein the encrypted secret comprises at least one unit of encrypted digital currency.
19. The method of claim 1 further comprising verifying that the client has not exceeded a predetermined number of unsuccessful attempts to obtain the intermediate data.
20. The method of claim 19 wherein verifying further comprises:
transmitting a challenge code to the client; and
receiving the result of a cryptographic operation using the challenge code as an input and using a cryptographic key derived from the encrypted secret.
21-30. (canceled)
31. The method of claim 1, further comprising
deriving the decryption key from the third secret; and
decrypting the encrypted secret using the decryption key.
32-37. (canceled)
38. A method for authenticating to a network server, the method comprising:
implementing a multi-party secure computation protocol between a client which has a client secret and a server which has a server secret to compute a third secret from the client secret and the server secret, wherein the protocol is implemented so that the client cannot feasibly determine the server secret and the server cannot feasibly determine the client secret and cannot feasibly determine the third secret;
at the client deriving a password from the third secret;
authenticating to the network server using the derived password, wherein the multi-party secure computation protocol implemented between the client and the server is the only multi-party computation protocol that is implemented in generating the third secret and the password derived from the third secret;
wherein implementing the multi-party secure computation protocol involves:
at the client, using the client secret to compute client information to harden the client secret and then sending the client information to the server;
at the server, using the client information and the server secret to compute intermediate data and sending the intermediate data to the client; and
at the client, deriving the third secret from the intermediate data.
39. The method of claim 38 further comprising transmitting to the first server by the network server verification that the user has authenticated successfully.
40. The method of claim 38 wherein the network server is a web server.
41. The method of claim 38 wherein deriving comprises deriving a server password using a key derivation function.
42-43. (canceled)
44. The method of claim 1, wherein the multi-party secure computation protocol is a blind function evaluation protocol.
45. The method of claim 44, wherein the blind function evaluation protocol is based on discrete-logarithm cryptography.
46. The method of claim 45, wherein the blind function evaluation protocol is based on an RSA algorithm.
47. A method comprising:
implementing a multi-party secure computation protocol between a client which has a client secret and a server which has a server secret to compute a third secret from the client secret and the server secret, wherein the protocol is implemented so that the client cannot feasibly determine the server secret and the server cannot feasibly determine the client secret and cannot feasibly determine the third secret;
authenticating the client by a device, the device storing an encrypted secret and configured not to provide the encrypted secret without authentication; and
after authenticating, providing to the client by the device the encrypted secret, wherein the encrypted secret is capable of being decrypted using a decryption key derived from the third secret and wherein no additional multi-party secure computation protocol involving any entity other than the server is required to enable the client to generate the third secret and the key derived from the third secret;
wherein implementing the multi-party secure computation protocol involves:
at the client, using the client secret to compute client information to harden the client secret and then sending the client information to the server;
at the server, using the client information and the server secret to compute intermediate data and sending the intermediate data to the client; and
at the client, deriving the third secret from the intermediate data.
48. The method of claim 38, wherein the password is derived from the third secret and a server identifier.
49. The method of claim 1, wherein the multi-party secure computation protocol comprises the client and the server providing their respective secrets as input to respective protocol operations that jointly calculate the third secret as a function of the client and server secrets.
50. The method of claim 38, wherein the multi-party secure computation protocol comprises the client and the server providing their respective secrets as input to respective protocol operations that jointly calculate the third secret as a function of the client and server secrets.
51. The method of claim 47, wherein the multi-party secure computation protocol comprises the client and the server providing their respective secrets as input to respective protocol operations that jointly calculate the third secret as a function of the client and server secrets.
52. The method of claim 1, wherein implementing the multi-party secure computation protocol between the client which has the client secret and the server which has the server secret to compute the third secret from the client secret and the server secret comprises implementing the multi-party secure computation protocol between the client which has the client secret and a single server which has the server secret to compute the third secret from the client secret and the server secret.
53. The method of claim 38, wherein implementing the multi-party secure computation protocol between the client which has the client secret and the server which has the server secret to compute the third secret from the client secret and the server secret comprises implementing the multi-party secure computation protocol between the client which has the client secret and a single server which has the server secret to compute the third secret from the client secret and the server secret.
54. The method of claim 47, wherein implementing the multi-party secure computation protocol between the client which has the client secret and the server which has the server secret to compute the third secret from the client secret and the server secret comprises implementing the multi-party secure computation protocol between the client which has the client secret and a single server which has the server secret to compute a third secret from the client secret and the server secret.
US09/802,485 2000-03-10 2001-03-09 System and method for increasing the security of encrypted secrets and authentication Expired - Lifetime US7716484B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US09/802,485 US7716484B1 (en) 2000-03-10 2001-03-09 System and method for increasing the security of encrypted secrets and authentication

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US18845800P 2000-03-10 2000-03-10
US09/802,485 US7716484B1 (en) 2000-03-10 2001-03-09 System and method for increasing the security of encrypted secrets and authentication

Publications (2)

Publication Number Publication Date
US20100100724A1 true US20100100724A1 (en) 2010-04-22
US7716484B1 US7716484B1 (en) 2010-05-11

Family

ID=42109556

Family Applications (1)

Application Number Title Priority Date Filing Date
US09/802,485 Expired - Lifetime US7716484B1 (en) 2000-03-10 2001-03-09 System and method for increasing the security of encrypted secrets and authentication

Country Status (1)

Country Link
US (1) US7716484B1 (en)

Cited By (52)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070283011A1 (en) * 2006-06-02 2007-12-06 Google Inc. Synchronizing Configuration Information Among Multiple Clients
US20080152129A1 (en) * 2006-12-25 2008-06-26 Via Technologies, Inc. Data-securing method of program tool
US20080162934A1 (en) * 2006-09-20 2008-07-03 Katsuyoshi Okawa Secure transmission system
US20080201398A1 (en) * 2005-05-25 2008-08-21 Bernd Meyer Determination of a Modular Inverse
US20080235518A1 (en) * 2007-03-23 2008-09-25 Via Technologies, Inc. Application protection systems and methods
US20080298590A1 (en) * 2007-06-04 2008-12-04 Intellon Corporation Network encryption key rotation
US20090013180A1 (en) * 2005-08-12 2009-01-08 Dongsheng Li Method and Apparatus for Ensuring the Security of an Electronic Certificate Tool
US20090013182A1 (en) * 2001-08-29 2009-01-08 Nader Asghari-Kamrani Centralized Identification and Authentication System and Method
US20090313478A1 (en) * 2008-06-17 2009-12-17 Lenovo (Singapore) Pte. Ltd Arrangments for interfacing with a user access manager
US20100115230A1 (en) * 2008-10-31 2010-05-06 Apple Inc. Hash functions using recurrency and arithmetic
US20100131755A1 (en) * 2008-11-24 2010-05-27 Microsoft Corporation Distributed single sign on technologies including privacy protection and proactive updating
US20110113092A1 (en) * 2006-06-02 2011-05-12 Rakowski Brian D Resolving Conflicts While Synchronizing Configuration Information Among Multiple Clients
US20110286594A1 (en) * 2010-05-19 2011-11-24 Cleversafe, Inc. Storage of sensitive data in a dispersed storage network
US20120039462A1 (en) * 2010-08-12 2012-02-16 Electronics And Telecommunications Research Institute Rsa signature method and apparatus
US8156228B1 (en) * 2007-09-28 2012-04-10 Symantec Corporation Method and apparatus to enable confidential browser referrals
WO2012012415A3 (en) * 2010-07-23 2012-04-12 Silicon Image, Inc. Mechanism for internal processing of content through partial authentication on secondary channel
US20120136921A1 (en) * 2010-11-30 2012-05-31 Google Inc. Event management for hosted applications
US8281129B1 (en) * 2001-08-29 2012-10-02 Nader Asghari-Kamrani Direct authentication system and method via trusted authenticators
US8295490B1 (en) * 2011-12-13 2012-10-23 Google Inc. Method and system for storing and providing an encryption key for data storage
US20130046973A1 (en) * 2011-08-17 2013-02-21 Cleversafe, Inc. Facilitating access of a dispersed storage network
US20130117562A1 (en) * 2010-06-22 2013-05-09 Ercom Security method, associated chip card, module and terminal
FR2992124A1 (en) * 2012-06-18 2013-12-20 Morpho SECURE DATA PROCESSING METHOD
US20140189831A1 (en) * 2012-12-28 2014-07-03 SecureEnvoy Plc Time-based authentication
US20150052365A1 (en) * 2010-02-05 2015-02-19 Leidos, Inc. Network Managed Antivirus Appliance
WO2015088705A1 (en) * 2013-12-09 2015-06-18 Mohan Ram Balasubramaniam Authentication utilizing a dynamic passcode from a user-defined formula based on a changing parameter value
US20160300224A1 (en) * 2014-01-07 2016-10-13 Tencent Technology (Shenzhen) Company Limited Method, Server, And Storage Medium For Verifying Transactions Using A Smart Card
US20160379207A1 (en) * 2015-06-25 2016-12-29 Intel Corporation Secured credential aggregator
US9871663B2 (en) * 2015-03-25 2018-01-16 Intel Corporation Challenge response authentication for self encrypting drives
US10027485B1 (en) * 2012-01-10 2018-07-17 Jpmorgan Chase Bank, N.A. System and method for device registration and authentication
US10375066B2 (en) * 2016-07-13 2019-08-06 Idemia Identity & Security Authentication method and system by garbled circuit
US10389533B2 (en) 2014-08-29 2019-08-20 Visa International Service Association Methods for secure cryptogram generation
US10396984B2 (en) 2014-05-02 2019-08-27 Barclays Services Limited Apparatus and system having multi-party cryptographic authentication
US10461933B2 (en) 2015-01-27 2019-10-29 Visa International Service Association Methods for secure credential provisioning
CN111062029A (en) * 2019-12-17 2020-04-24 湖南安方信息技术有限公司 Multi-factor authentication protocol based on identification password
US10664612B2 (en) * 2018-10-09 2020-05-26 Unboun Tech Ltd. System and method for controlling operations performed on personal information
US10749689B1 (en) * 2017-06-29 2020-08-18 Salesforce.Com, Inc. Language-agnostic secure application development
US20200382305A1 (en) * 2015-12-30 2020-12-03 Jpmorgan Chase Bank, N.A. Systems and methods for enhanced mobile device authentication
US11134075B2 (en) 2016-03-04 2021-09-28 Ping Identity Corporation Method and system for authenticated login using static or dynamic codes
US11163910B2 (en) * 2017-06-29 2021-11-02 Salesforce.Com, Inc. Methods and systems for data migration
US11170130B1 (en) 2021-04-08 2021-11-09 Aster Key, LLC Apparatus, systems and methods for storing user profile data on a distributed database for anonymous verification
US11245536B2 (en) * 2019-04-16 2022-02-08 Meta Platforms, Inc. Secure multi-party computation attribution
US11263415B2 (en) 2016-03-07 2022-03-01 Ping Identity Corporation Transferring data files using a series of visual codes
US20220103381A1 (en) * 2018-04-17 2022-03-31 Digicert, Inc. Digital certificate validation using untrusted data
US11323272B2 (en) 2017-02-06 2022-05-03 Ping Identity Corporation Electronic identification verification methods and systems with storage of certification records to a side chain
US11431504B2 (en) * 2017-03-24 2022-08-30 Visa International Service Association Authentication system using secure multi-party computation
US20220376928A1 (en) * 2020-02-06 2022-11-24 Google Llc Preventing data manipulation using multiple aggregation servers
US11544367B2 (en) 2015-05-05 2023-01-03 Ping Identity Corporation Systems, apparatus and methods for secure electrical communication of biometric personal identification information to validate the identity of an individual
US11544487B2 (en) 2016-03-07 2023-01-03 Ping Identity Corporation Large data transfer using visual codes with feedback confirmation
US11722301B2 (en) 2018-10-17 2023-08-08 Ping Identity Corporation Blockchain ID connect
US11777726B2 (en) 2017-12-08 2023-10-03 Ping Identity Corporation Methods and systems for recovering data using dynamic passwords
US11818265B2 (en) 2018-10-17 2023-11-14 Ping Identity Corporation Methods and systems for creating and recovering accounts using dynamic passwords
US11870886B2 (en) * 2020-08-12 2024-01-09 Intuit Inc. System and method for multitenant key derivation

Families Citing this family (44)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3570178B1 (en) 2002-01-08 2020-05-27 Seven Networks, LLC Secure transport for mobile communication network
US7899753B1 (en) 2002-03-25 2011-03-01 Jpmorgan Chase Bank, N.A Systems and methods for time variable financial authentication
US9135612B1 (en) 2011-04-17 2015-09-15 Proctor Consulting, LLC Proximity detection, virtual detection, or location based triggering of the exchange of value and information
GB2442249B (en) * 2007-02-20 2008-09-10 Cryptomathic As Authentication device and method
US7958057B2 (en) * 2007-03-28 2011-06-07 King Fahd University Of Petroleum And Minerals Virtual account based new digital cash protocols with combined blind digital signature and pseudonym authentication
US8090359B2 (en) 2008-09-08 2012-01-03 Proctor Jr James Arthur Exchanging identifiers between wireless communication to determine further information to be exchanged or further services to be provided
US8555342B1 (en) 2009-12-23 2013-10-08 Emc Corporation Providing secure access to a set of credentials within a data security mechanism of a data storage system
US8539220B2 (en) 2010-02-26 2013-09-17 Microsoft Corporation Secure computation using a server module
US9077539B2 (en) * 2011-03-09 2015-07-07 Microsoft Technology Licensing, Llc Server-aided multi-party protocols
WO2012145762A2 (en) * 2011-04-21 2012-10-26 Vikram Jandhyala Systems and methods for protecting data for server-based computations
US8850208B1 (en) 2011-06-24 2014-09-30 Emc Corporation Certificate crosschecking by multiple certificate authorities
US10148438B2 (en) * 2012-04-03 2018-12-04 Rally Health, Inc. Methods and apparatus for protecting sensitive data in distributed applications
US8868919B2 (en) 2012-10-23 2014-10-21 Authernative, Inc. Authentication method of field contents based challenge and enumerated pattern of field positions based response in random partial digitized path recognition system
US9215072B1 (en) 2012-10-23 2015-12-15 Authernative, Inc. Back-end matching method supporting front-end knowledge-based probabilistic authentication systems for enhanced credential security
US8955074B2 (en) 2012-10-23 2015-02-10 Authernative, Inc. Authentication method of enumerated pattern of field positions based challenge and enumerated pattern of field positions based response through interaction between two credentials in random partial digitized path recognition system
US10354325B1 (en) 2013-06-28 2019-07-16 Winklevoss Ip, Llc Computer-generated graphical user interface
US10269009B1 (en) 2013-06-28 2019-04-23 Winklevoss Ip, Llc Systems, methods, and program products for a digital math-based asset exchange
US10068228B1 (en) 2013-06-28 2018-09-04 Winklevoss Ip, Llc Systems and methods for storing digital math-based assets using a secure portal
US9892460B1 (en) 2013-06-28 2018-02-13 Winklevoss Ip, Llc Systems, methods, and program products for operating exchange traded products holding digital math-based assets
US11282139B1 (en) 2013-06-28 2022-03-22 Gemini Ip, Llc Systems, methods, and program products for verifying digital assets held in a custodial digital asset wallet
US9853977B1 (en) 2015-01-26 2017-12-26 Winklevoss Ip, Llc System, method, and program product for processing secure transactions within a cloud computing system
US10915891B1 (en) 2015-03-16 2021-02-09 Winklevoss Ip, Llc Autonomous devices
US10158480B1 (en) 2015-03-16 2018-12-18 Winklevoss Ip, Llc Autonomous devices
US11200569B1 (en) 2018-02-12 2021-12-14 Winklevoss Ip, Llc System, method and program product for making payments using fiat-backed digital assets
US10929842B1 (en) 2018-03-05 2021-02-23 Winklevoss Ip, Llc System, method and program product for depositing and withdrawing stable value digital assets in exchange for fiat
US11522700B1 (en) 2018-02-12 2022-12-06 Gemini Ip, Llc Systems, methods, and program products for depositing, holding and/or distributing collateral as a token in the form of digital assets on an underlying blockchain
US11308487B1 (en) 2018-02-12 2022-04-19 Gemini Ip, Llc System, method and program product for obtaining digital assets
US10540654B1 (en) 2018-02-12 2020-01-21 Winklevoss Ip, Llc System, method and program product for generating and utilizing stable value digital assets
US11909860B1 (en) 2018-02-12 2024-02-20 Gemini Ip, Llc Systems, methods, and program products for loaning digital assets and for depositing, holding and/or distributing collateral as a token in the form of digital assets on an underlying blockchain
US10373129B1 (en) 2018-03-05 2019-08-06 Winklevoss Ip, Llc System, method and program product for generating and utilizing stable value digital assets
US10438290B1 (en) 2018-03-05 2019-10-08 Winklevoss Ip, Llc System, method and program product for generating and utilizing stable value digital assets
US11475442B1 (en) 2018-02-12 2022-10-18 Gemini Ip, Llc System, method and program product for modifying a supply of stable value digital asset tokens
US11139955B1 (en) 2018-02-12 2021-10-05 Winklevoss Ip, Llc Systems, methods, and program products for loaning digital assets and for depositing, holding and/or distributing collateral as a token in the form of digital assets on an underlying blockchain
US10373158B1 (en) 2018-02-12 2019-08-06 Winklevoss Ip, Llc System, method and program product for modifying a supply of stable value digital asset tokens
US11334883B1 (en) 2018-03-05 2022-05-17 Gemini Ip, Llc Systems, methods, and program products for modifying the supply, depositing, holding and/or distributing collateral as a stable value token in the form of digital assets
CN111768304A (en) 2018-08-06 2020-10-13 阿里巴巴集团控股有限公司 Block chain transaction method and device and electronic equipment
KR102150814B1 (en) 2018-11-27 2020-09-02 알리바바 그룹 홀딩 리미티드 Systems and methods for information protection
EP3549082B1 (en) 2018-11-27 2020-08-26 Alibaba Group Holding Limited System and method for information protection
US10700850B2 (en) 2018-11-27 2020-06-30 Alibaba Group Holding Limited System and method for information protection
CN110089069B (en) 2018-11-27 2022-02-22 创新先进技术有限公司 System and method for information protection
PL3549303T3 (en) * 2018-11-27 2021-11-22 Advanced New Technologies Co., Ltd. System and method for information protection
RU2719311C1 (en) 2018-11-27 2020-04-17 Алибаба Груп Холдинг Лимитед Information protection system and method
US11501370B1 (en) 2019-06-17 2022-11-15 Gemini Ip, Llc Systems, methods, and program products for non-custodial trading of digital assets on a digital asset exchange
US10817190B1 (en) 2019-07-15 2020-10-27 Amazon Technologies, Inc. System and method for managing memory compression security

Citations (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4424414A (en) * 1978-05-01 1984-01-03 Board Of Trustees Of The Leland Stanford Junior University Exponentiation cryptographic apparatus and method
US4567600A (en) * 1982-02-02 1986-01-28 Omnet Associates Method and apparatus for maintaining the privacy of digital messages conveyed by public transmission
US4720860A (en) * 1984-11-30 1988-01-19 Security Dynamics Technologies, Inc. Method and apparatus for positively identifying an individual
US4759063A (en) * 1983-08-22 1988-07-19 Chaum David L Blind signature systems
US4885778A (en) * 1984-11-30 1989-12-05 Weiss Kenneth P Method and apparatus for synchronizing generation of separate, free running, time dependent equipment
US4947430A (en) * 1987-11-23 1990-08-07 David Chaum Undeniable signature systems
US5023908A (en) * 1984-11-30 1991-06-11 Kenneth Weiss Method and apparatus for personal identification
US5168520A (en) * 1984-11-30 1992-12-01 Security Dynamics Technologies, Inc. Method and apparatus for personal identification
US5222140A (en) * 1991-11-08 1993-06-22 Bell Communications Research, Inc. Cryptographic method for key agreement and user authentication
US5241599A (en) * 1991-10-02 1993-08-31 At&T Bell Laboratories Cryptographic protocol for secure communications
US5367572A (en) * 1984-11-30 1994-11-22 Weiss Kenneth P Method and apparatus for personal identification
US5440635A (en) * 1993-08-23 1995-08-08 At&T Corp. Cryptographic protocol for remote authentication
US5485519A (en) * 1991-06-07 1996-01-16 Security Dynamics Technologies, Inc. Enhanced security for a secure token code
US5623637A (en) * 1993-12-06 1997-04-22 Telequip Corporation Encrypted data storage card including smartcard integrated circuit for storing an access password and encryption keys
US5638445A (en) * 1995-09-19 1997-06-10 Microsoft Corporation Blind encryption
US5922074A (en) * 1997-02-28 1999-07-13 Xcert Software, Inc. Method of and apparatus for providing secure distributed directory services and public key infrastructure
US6240184B1 (en) * 1997-09-05 2001-05-29 Rsa Security Inc. Password synchronization
US6505164B1 (en) * 1997-09-19 2003-01-07 Compaq Information Technologies Group, L.P. Method and apparatus for secure vendor access to accounts payable information over the internet
US6829356B1 (en) * 1999-06-29 2004-12-07 Verisign, Inc. Server-assisted regeneration of a strong secret from a weak secret

Patent Citations (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4424414A (en) * 1978-05-01 1984-01-03 Board Of Trustees Of The Leland Stanford Junior University Exponentiation cryptographic apparatus and method
US4567600A (en) * 1982-02-02 1986-01-28 Omnet Associates Method and apparatus for maintaining the privacy of digital messages conveyed by public transmission
US4759063A (en) * 1983-08-22 1988-07-19 Chaum David L Blind signature systems
US5367572A (en) * 1984-11-30 1994-11-22 Weiss Kenneth P Method and apparatus for personal identification
US4720860A (en) * 1984-11-30 1988-01-19 Security Dynamics Technologies, Inc. Method and apparatus for positively identifying an individual
US4885778A (en) * 1984-11-30 1989-12-05 Weiss Kenneth P Method and apparatus for synchronizing generation of separate, free running, time dependent equipment
US5023908A (en) * 1984-11-30 1991-06-11 Kenneth Weiss Method and apparatus for personal identification
US5168520A (en) * 1984-11-30 1992-12-01 Security Dynamics Technologies, Inc. Method and apparatus for personal identification
US4947430A (en) * 1987-11-23 1990-08-07 David Chaum Undeniable signature systems
US5485519A (en) * 1991-06-07 1996-01-16 Security Dynamics Technologies, Inc. Enhanced security for a secure token code
US5241599A (en) * 1991-10-02 1993-08-31 At&T Bell Laboratories Cryptographic protocol for secure communications
US5222140A (en) * 1991-11-08 1993-06-22 Bell Communications Research, Inc. Cryptographic method for key agreement and user authentication
US5440635A (en) * 1993-08-23 1995-08-08 At&T Corp. Cryptographic protocol for remote authentication
US5623637A (en) * 1993-12-06 1997-04-22 Telequip Corporation Encrypted data storage card including smartcard integrated circuit for storing an access password and encryption keys
US5638445A (en) * 1995-09-19 1997-06-10 Microsoft Corporation Blind encryption
US5922074A (en) * 1997-02-28 1999-07-13 Xcert Software, Inc. Method of and apparatus for providing secure distributed directory services and public key infrastructure
US6240184B1 (en) * 1997-09-05 2001-05-29 Rsa Security Inc. Password synchronization
US6505164B1 (en) * 1997-09-19 2003-01-07 Compaq Information Technologies Group, L.P. Method and apparatus for secure vendor access to accounts payable information over the internet
US6829356B1 (en) * 1999-06-29 2004-12-07 Verisign, Inc. Server-assisted regeneration of a strong secret from a weak secret

Cited By (121)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8281129B1 (en) * 2001-08-29 2012-10-02 Nader Asghari-Kamrani Direct authentication system and method via trusted authenticators
US9703938B2 (en) 2001-08-29 2017-07-11 Nader Asghari-Kamrani Direct authentication system and method via trusted authenticators
US10083285B2 (en) 2001-08-29 2018-09-25 Nader Asghari-Kamrani Direct authentication system and method via trusted authenticators
US10769297B2 (en) 2001-08-29 2020-09-08 Nader Asghari-Kamrani Centralized identification and authentication system and method
US9870453B2 (en) 2001-08-29 2018-01-16 Nader Asghari-Kamrani Direct authentication system and method via trusted authenticators
US9727864B2 (en) 2001-08-29 2017-08-08 Nader Asghari-Kamrani Centralized identification and authentication system and method
US20090013182A1 (en) * 2001-08-29 2009-01-08 Nader Asghari-Kamrani Centralized Identification and Authentication System and Method
US8266432B2 (en) * 2001-08-29 2012-09-11 Nader Asghari-Kamrani Centralized identification and authentication system and method
US20080201398A1 (en) * 2005-05-25 2008-08-21 Bernd Meyer Determination of a Modular Inverse
US20090013180A1 (en) * 2005-08-12 2009-01-08 Dongsheng Li Method and Apparatus for Ensuring the Security of an Electronic Certificate Tool
US8341249B2 (en) 2006-06-02 2012-12-25 Google Inc. Synchronizing configuration information among multiple clients
US20070283011A1 (en) * 2006-06-02 2007-12-06 Google Inc. Synchronizing Configuration Information Among Multiple Clients
US20110113092A1 (en) * 2006-06-02 2011-05-12 Rakowski Brian D Resolving Conflicts While Synchronizing Configuration Information Among Multiple Clients
US8082316B2 (en) 2006-06-02 2011-12-20 Google Inc. Resolving conflicts while synchronizing configuration information among multiple clients
US8086698B2 (en) * 2006-06-02 2011-12-27 Google Inc. Synchronizing configuration information among multiple clients
US20080162934A1 (en) * 2006-09-20 2008-07-03 Katsuyoshi Okawa Secure transmission system
US8209546B2 (en) * 2006-12-25 2012-06-26 Via Technologies, Inc. Data-securing method of program tool
US20080152129A1 (en) * 2006-12-25 2008-06-26 Via Technologies, Inc. Data-securing method of program tool
US8181037B2 (en) * 2007-03-23 2012-05-15 Via Technologies, Inc. Application protection systems and methods
US20080235518A1 (en) * 2007-03-23 2008-09-25 Via Technologies, Inc. Application protection systems and methods
US8989379B2 (en) 2007-06-04 2015-03-24 Qualcomm Incorporated Network encryption key rotation
US8930572B2 (en) 2007-06-04 2015-01-06 Qualcomm Incorporated Path selection for routing traffic in a network
US8700076B1 (en) 2007-06-04 2014-04-15 Qualcomm Atheros, Inc. Clock synchronization among network stations
US20080298590A1 (en) * 2007-06-04 2008-12-04 Intellon Corporation Network encryption key rotation
US9130888B2 (en) 2007-06-04 2015-09-08 Qualcomm Incorporated Authorizing equipment on a sub-network
US8510470B2 (en) 2007-06-04 2013-08-13 Qualcomm Atheros, Inc. Path selection for routing traffic in a network
US8170051B2 (en) 2007-06-04 2012-05-01 Qualcomm Atheros, Inc. In-home coexistence network
US20090116461A1 (en) * 2007-06-04 2009-05-07 Intellon Corporation Distributed Scheduling
US9521090B2 (en) 2007-06-04 2016-12-13 Qualcomm Incorporated Authorizing stations into a centrally managed network
US20080298589A1 (en) * 2007-06-04 2008-12-04 Intellon Corporation Establishing a unique end-to-end management key
US8503480B2 (en) 2007-06-04 2013-08-06 Qualcomm Atheros, Inc. Managing communications over a shared medium
US9413686B2 (en) * 2007-06-04 2016-08-09 Qualcomm Incorporated Establishing a unique end-to-end management key
US20080298252A1 (en) * 2007-06-04 2008-12-04 Intellon Corporation Method of routing traffic in a network
US8112358B2 (en) 2007-06-04 2012-02-07 Qualcomm Atheros, Inc. Authorizing customer premise equipment on a sub-network
US9385966B2 (en) 2007-06-04 2016-07-05 Qualcomm Incorporated Managing communications over a shared medium
US20080301052A1 (en) * 2007-06-04 2008-12-04 Intellon Corporation Authorizing customer premise equipment on a sub-network
US20080298594A1 (en) * 2007-06-04 2008-12-04 Intellon Corporation Authorizing stations into a centrally managed network
US8429406B2 (en) 2007-06-04 2013-04-23 Qualcomm Atheros, Inc. Authorizing customer premise equipment into a network
US9148385B2 (en) 2007-06-04 2015-09-29 Qualcomm Incorporated Contention groups for hidden nodes
US8467369B2 (en) 2007-06-04 2013-06-18 Qualcomm Atheros, Inc. Distributed scheduling
US8488615B2 (en) 2007-06-04 2013-07-16 Qualcomm Incorporated Contention groups for hidden nodes
US8156228B1 (en) * 2007-09-28 2012-04-10 Symantec Corporation Method and apparatus to enable confidential browser referrals
US20090313478A1 (en) * 2008-06-17 2009-12-17 Lenovo (Singapore) Pte. Ltd Arrangments for interfacing with a user access manager
US8132019B2 (en) * 2008-06-17 2012-03-06 Lenovo (Singapore) Pte. Ltd. Arrangements for interfacing with a user access manager
US8225100B2 (en) * 2008-10-31 2012-07-17 Apple Inc. Hash functions using recurrency and arithmetic
US20100115230A1 (en) * 2008-10-31 2010-05-06 Apple Inc. Hash functions using recurrency and arithmetic
US9160528B2 (en) 2008-11-24 2015-10-13 Microsoft Technology Licensing, Llc Distributed single sign on technologies including privacy protection and proactive updating
US9641514B2 (en) 2008-11-24 2017-05-02 Microsoft Technology Licensing, Llc Distributed single sign on technologies including privacy protection and proactive updating
US8151333B2 (en) * 2008-11-24 2012-04-03 Microsoft Corporation Distributed single sign on technologies including privacy protection and proactive updating
US9184910B2 (en) 2008-11-24 2015-11-10 Microsoft Technology Licensing, Llc Distributed single sign on technologies including privacy protection and proactive updating
US20100131755A1 (en) * 2008-11-24 2010-05-27 Microsoft Corporation Distributed single sign on technologies including privacy protection and proactive updating
US9083514B2 (en) 2008-11-24 2015-07-14 Microsoft Technology Licensing, Llc Distributed single sign on technologies including privacy protection and proactive updating
US10298562B2 (en) 2008-11-24 2019-05-21 Microsoft Technology Licensing, Llc Distributed single sign on technologies including privacy protection and proactive updating
US9118463B2 (en) 2008-11-24 2015-08-25 Microsoft Technology Licensing, Llc Distributed single sign on technologies including privacy protection and proactive updating
US20150052365A1 (en) * 2010-02-05 2015-02-19 Leidos, Inc. Network Managed Antivirus Appliance
US10318734B2 (en) * 2010-02-05 2019-06-11 Leidos, Inc. Network managed antivirus appliance
US20110286594A1 (en) * 2010-05-19 2011-11-24 Cleversafe, Inc. Storage of sensitive data in a dispersed storage network
US8861727B2 (en) * 2010-05-19 2014-10-14 Cleversafe, Inc. Storage of sensitive data in a dispersed storage network
US20130117562A1 (en) * 2010-06-22 2013-05-09 Ercom Security method, associated chip card, module and terminal
US8909923B2 (en) * 2010-06-22 2014-12-09 Ercom Security method, associated chip card, module and terminal
US8930692B2 (en) 2010-07-23 2015-01-06 Silicon Image, Inc. Mechanism for internal processing of content through partial authentication on secondary channel
WO2012012415A3 (en) * 2010-07-23 2012-04-12 Silicon Image, Inc. Mechanism for internal processing of content through partial authentication on secondary channel
US20120039462A1 (en) * 2010-08-12 2012-02-16 Electronics And Telecommunications Research Institute Rsa signature method and apparatus
US20120136921A1 (en) * 2010-11-30 2012-05-31 Google Inc. Event management for hosted applications
US8935392B2 (en) 2010-11-30 2015-01-13 Google Inc. Event management for hosted applications
US8239529B2 (en) * 2010-11-30 2012-08-07 Google Inc. Event management for hosted applications
US9092385B2 (en) * 2011-08-17 2015-07-28 Cleversafe, Inc. Facilitating access of a dispersed storage network
US20130046973A1 (en) * 2011-08-17 2013-02-21 Cleversafe, Inc. Facilitating access of a dispersed storage network
US8295490B1 (en) * 2011-12-13 2012-10-23 Google Inc. Method and system for storing and providing an encryption key for data storage
US10027485B1 (en) * 2012-01-10 2018-07-17 Jpmorgan Chase Bank, N.A. System and method for device registration and authentication
US10708059B2 (en) 2012-01-10 2020-07-07 Jpmorgan Chase Bank, N.A. System and method for device registration and authentication
US11489673B2 (en) 2012-01-10 2022-11-01 Jpmorgan Chase Bank, N.A. System and method for device registration and authentication
WO2013189881A1 (en) * 2012-06-18 2013-12-27 Morpho Secure method of processing data
FR2992124A1 (en) * 2012-06-18 2013-12-20 Morpho SECURE DATA PROCESSING METHOD
US9350731B2 (en) 2012-06-18 2016-05-24 Morpho Secure method of processing data
US9363077B2 (en) * 2012-12-28 2016-06-07 Securenvoy Plc Time-based authentication
US20140189831A1 (en) * 2012-12-28 2014-07-03 SecureEnvoy Plc Time-based authentication
WO2015088705A1 (en) * 2013-12-09 2015-06-18 Mohan Ram Balasubramaniam Authentication utilizing a dynamic passcode from a user-defined formula based on a changing parameter value
US9467443B2 (en) 2013-12-09 2016-10-11 Ram Balasubramaniam MOHAN Authentication utilizing a dynamic passcode from a user-defined formula based on a changing parameter value
US20160300224A1 (en) * 2014-01-07 2016-10-13 Tencent Technology (Shenzhen) Company Limited Method, Server, And Storage Medium For Verifying Transactions Using A Smart Card
US11640605B2 (en) * 2014-01-07 2023-05-02 Tencent Technology (Shenzhen) Company Limited Method, server, and storage medium for verifying transactions using a smart card
US20210073809A1 (en) * 2014-01-07 2021-03-11 Tencent Technology (Shenzhen) Company Limited Method, server, and storage medium for verifying transactions using a smart card
US10878413B2 (en) * 2014-01-07 2020-12-29 Tencent Technology (Shenzhen) Company Limited Method, server, and storage medium for verifying transactions using a smart card
US10396984B2 (en) 2014-05-02 2019-08-27 Barclays Services Limited Apparatus and system having multi-party cryptographic authentication
US10491384B2 (en) 2014-05-02 2019-11-26 Barclays Services Limited Device for secure multi-party cryptographic authorization
RU2710897C2 (en) * 2014-08-29 2020-01-14 Виза Интернэшнл Сервис Ассосиэйшн Methods for safe generation of cryptograms
US10389533B2 (en) 2014-08-29 2019-08-20 Visa International Service Association Methods for secure cryptogram generation
US11032075B2 (en) 2014-08-29 2021-06-08 Visa International Service Association Methods for secure cryptogram generation
US11588637B2 (en) 2014-08-29 2023-02-21 Visa International Service Association Methods for secure cryptogram generation
US11201743B2 (en) 2015-01-27 2021-12-14 Visa International Service Association Methods for secure credential provisioning
US11856104B2 (en) 2015-01-27 2023-12-26 Visa International Service Association Methods for secure credential provisioning
US10461933B2 (en) 2015-01-27 2019-10-29 Visa International Service Association Methods for secure credential provisioning
US9871663B2 (en) * 2015-03-25 2018-01-16 Intel Corporation Challenge response authentication for self encrypting drives
US11544367B2 (en) 2015-05-05 2023-01-03 Ping Identity Corporation Systems, apparatus and methods for secure electrical communication of biometric personal identification information to validate the identity of an individual
US20160379207A1 (en) * 2015-06-25 2016-12-29 Intel Corporation Secured credential aggregator
US11838421B2 (en) * 2015-12-30 2023-12-05 Jpmorgan Chase Bank, N.A. Systems and methods for enhanced mobile device authentication
US20200382305A1 (en) * 2015-12-30 2020-12-03 Jpmorgan Chase Bank, N.A. Systems and methods for enhanced mobile device authentication
US11134075B2 (en) 2016-03-04 2021-09-28 Ping Identity Corporation Method and system for authenticated login using static or dynamic codes
US11658961B2 (en) 2016-03-04 2023-05-23 Ping Identity Corporation Method and system for authenticated login using static or dynamic codes
US11544487B2 (en) 2016-03-07 2023-01-03 Ping Identity Corporation Large data transfer using visual codes with feedback confirmation
US11263415B2 (en) 2016-03-07 2022-03-01 Ping Identity Corporation Transferring data files using a series of visual codes
US10375066B2 (en) * 2016-07-13 2019-08-06 Idemia Identity & Security Authentication method and system by garbled circuit
US11799668B2 (en) 2017-02-06 2023-10-24 Ping Identity Corporation Electronic identification verification methods and systems with storage of certification records to a side chain
US11323272B2 (en) 2017-02-06 2022-05-03 Ping Identity Corporation Electronic identification verification methods and systems with storage of certification records to a side chain
US11431504B2 (en) * 2017-03-24 2022-08-30 Visa International Service Association Authentication system using secure multi-party computation
US20220360449A1 (en) * 2017-03-24 2022-11-10 Visa International Service Association Authentication system using secure multi-party computation
US10749689B1 (en) * 2017-06-29 2020-08-18 Salesforce.Com, Inc. Language-agnostic secure application development
US11163910B2 (en) * 2017-06-29 2021-11-02 Salesforce.Com, Inc. Methods and systems for data migration
US11777726B2 (en) 2017-12-08 2023-10-03 Ping Identity Corporation Methods and systems for recovering data using dynamic passwords
US11722320B2 (en) * 2018-04-17 2023-08-08 Digicert, Inc. Digital certificate validation using untrusted data
US20220103381A1 (en) * 2018-04-17 2022-03-31 Digicert, Inc. Digital certificate validation using untrusted data
US10664612B2 (en) * 2018-10-09 2020-05-26 Unboun Tech Ltd. System and method for controlling operations performed on personal information
US11722301B2 (en) 2018-10-17 2023-08-08 Ping Identity Corporation Blockchain ID connect
US11818265B2 (en) 2018-10-17 2023-11-14 Ping Identity Corporation Methods and systems for creating and recovering accounts using dynamic passwords
US20220141035A1 (en) * 2019-04-16 2022-05-05 Meta Platforms, Inc. Secure multi-party computation attribution
US11245536B2 (en) * 2019-04-16 2022-02-08 Meta Platforms, Inc. Secure multi-party computation attribution
CN111062029A (en) * 2019-12-17 2020-04-24 湖南安方信息技术有限公司 Multi-factor authentication protocol based on identification password
US20220376928A1 (en) * 2020-02-06 2022-11-24 Google Llc Preventing data manipulation using multiple aggregation servers
US11917078B2 (en) * 2020-02-06 2024-02-27 Google Llc Preventing data manipulation using multiple aggregation servers
US11870886B2 (en) * 2020-08-12 2024-01-09 Intuit Inc. System and method for multitenant key derivation
US11170130B1 (en) 2021-04-08 2021-11-09 Aster Key, LLC Apparatus, systems and methods for storing user profile data on a distributed database for anonymous verification

Also Published As

Publication number Publication date
US7716484B1 (en) 2010-05-11

Similar Documents

Publication Publication Date Title
US7716484B1 (en) System and method for increasing the security of encrypted secrets and authentication
US8799664B2 (en) Small public-key based digital signatures for authentication
EP0786178B1 (en) Secret-key certificates
US7359507B2 (en) Server-assisted regeneration of a strong secret from a weak secret
US5146500A (en) Public key cryptographic system using elliptic curves over rings
JP4639084B2 (en) Encryption method and encryption apparatus for secure authentication
US6792533B2 (en) Cryptographic methods for remote authentication
US7047408B1 (en) Secure mutual network authentication and key exchange protocol
Katz et al. Efficient and secure authenticated key exchange using weak passwords
EP1383265A1 (en) Method for generating proxy signatures
JP2003536320A (en) System, method and software for remote password authentication using multiple servers
JP2002335238A (en) Communication method
US20110219233A1 (en) Quadratic residue based password authenticated key exchange method and system
MacKenzie et al. Delegation of cryptographic servers for capture-resilient devices
JP4307589B2 (en) Authentication protocol
US7373499B2 (en) Methods and apparatus for delegation of cryptographic servers for capture-resilient devices
JP2003152716A (en) Qualification authentication method employing variable authentication information
Kwon Virtual software tokens-a practical way to secure PKI roaming
Kilciauskas et al. Authenticated key agreement protocol based on provable secure cryptographic functions
JP3746919B2 (en) Qualification authentication method using variable authentication information
JP5101535B2 (en) Authentication method, authentication system, program, and shared key generation method
Wulf et al. A technique for remote authentication
Kwon Robust Software Tokens-Yet Another Method for Securing User’s Digital Identity (Extended and Revised: Ver. 0.9)
Yoon et al. Robust User Password Change Scheme based on the Elliptic Curve Cryptosystem
Acan et al. Capture resilient elgamal signature protocols

Legal Events

Date Code Title Description
AS Assignment

Owner name: RSA SECURITY INC.,MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:KALISKI, BURTON S., JR.;REEL/FRAME:011906/0874

Effective date: 20010525

AS Assignment

Owner name: RSA SECURITY HOLDING, INC.,MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:RSA SECURITY LLC;REEL/FRAME:023824/0721

Effective date: 20091222

Owner name: EMC CORPORATION,MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:RSA SECURITY HOLDING, INC.;REEL/FRAME:023825/0011

Effective date: 20091231

Owner name: RSA SECURITY HOLDING, INC., MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:RSA SECURITY LLC;REEL/FRAME:023824/0721

Effective date: 20091222

Owner name: EMC CORPORATION, MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:RSA SECURITY HOLDING, INC.;REEL/FRAME:023825/0011

Effective date: 20091231

AS Assignment

Owner name: RSA SECURITY LLC,MASSACHUSETTS

Free format text: MERGER;ASSIGNOR:RSA SECURITY INC.;REEL/FRAME:023852/0500

Effective date: 20091221

Owner name: RSA SECURITY LLC, MASSACHUSETTS

Free format text: MERGER;ASSIGNOR:RSA SECURITY INC.;REEL/FRAME:023852/0500

Effective date: 20091221

AS Assignment

Owner name: EMC CORPORATION,MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:RSA SECURITY HOLDING, INC.;REEL/FRAME:023975/0151

Effective date: 20091231

Owner name: RSA SECURITY HOLDING, INC.,MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:RSA SECURITY LLC;REEL/FRAME:023975/0453

Effective date: 20091222

Owner name: EMC CORPORATION, MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:RSA SECURITY HOLDING, INC.;REEL/FRAME:023975/0151

Effective date: 20091231

Owner name: RSA SECURITY HOLDING, INC., MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:RSA SECURITY LLC;REEL/FRAME:023975/0453

Effective date: 20091222

STCF Information on status: patent grant

Free format text: PATENTED CASE

FEPP Fee payment procedure

Free format text: PAYER NUMBER DE-ASSIGNED (ORIGINAL EVENT CODE: RMPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

FPAY Fee payment

Year of fee payment: 4

AS Assignment

Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT, TEXAS

Free format text: SECURITY AGREEMENT;ASSIGNORS:ASAP SOFTWARE EXPRESS, INC.;AVENTAIL LLC;CREDANT TECHNOLOGIES, INC.;AND OTHERS;REEL/FRAME:040136/0001

Effective date: 20160907

Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT, NORTH CAROLINA

Free format text: SECURITY AGREEMENT;ASSIGNORS:ASAP SOFTWARE EXPRESS, INC.;AVENTAIL LLC;CREDANT TECHNOLOGIES, INC.;AND OTHERS;REEL/FRAME:040134/0001

Effective date: 20160907

Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLAT

Free format text: SECURITY AGREEMENT;ASSIGNORS:ASAP SOFTWARE EXPRESS, INC.;AVENTAIL LLC;CREDANT TECHNOLOGIES, INC.;AND OTHERS;REEL/FRAME:040134/0001

Effective date: 20160907

Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., A

Free format text: SECURITY AGREEMENT;ASSIGNORS:ASAP SOFTWARE EXPRESS, INC.;AVENTAIL LLC;CREDANT TECHNOLOGIES, INC.;AND OTHERS;REEL/FRAME:040136/0001

Effective date: 20160907

AS Assignment

Owner name: EMC IP HOLDING COMPANY LLC, MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:EMC CORPORATION;REEL/FRAME:040203/0001

Effective date: 20160906

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552)

Year of fee payment: 8

AS Assignment

Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., T

Free format text: SECURITY AGREEMENT;ASSIGNORS:CREDANT TECHNOLOGIES, INC.;DELL INTERNATIONAL L.L.C.;DELL MARKETING L.P.;AND OTHERS;REEL/FRAME:049452/0223

Effective date: 20190320

Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., TEXAS

Free format text: SECURITY AGREEMENT;ASSIGNORS:CREDANT TECHNOLOGIES, INC.;DELL INTERNATIONAL L.L.C.;DELL MARKETING L.P.;AND OTHERS;REEL/FRAME:049452/0223

Effective date: 20190320

AS Assignment

Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., TEXAS

Free format text: SECURITY AGREEMENT;ASSIGNORS:CREDANT TECHNOLOGIES INC.;DELL INTERNATIONAL L.L.C.;DELL MARKETING L.P.;AND OTHERS;REEL/FRAME:053546/0001

Effective date: 20200409

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 12

AS Assignment

Owner name: WYSE TECHNOLOGY L.L.C., CALIFORNIA

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: SCALEIO LLC, MASSACHUSETTS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: MOZY, INC., WASHINGTON

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: MAGINATICS LLC, CALIFORNIA

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: FORCE10 NETWORKS, INC., CALIFORNIA

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: EMC IP HOLDING COMPANY LLC, TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: EMC CORPORATION, MASSACHUSETTS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: DELL SYSTEMS CORPORATION, TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: DELL SOFTWARE INC., CALIFORNIA

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: DELL PRODUCTS L.P., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: DELL MARKETING L.P., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: DELL INTERNATIONAL, L.L.C., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: DELL USA L.P., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: CREDANT TECHNOLOGIES, INC., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: AVENTAIL LLC, CALIFORNIA

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

Owner name: ASAP SOFTWARE EXPRESS, INC., ILLINOIS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:058216/0001

Effective date: 20211101

AS Assignment

Owner name: DELL PRODUCTS L.P., TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: DELL INTERNATIONAL L.L.C., TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: DELL USA L.P., TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: DELL MARKETING L.P. (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO CREDANT TECHNOLOGIES, INC.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: DELL MARKETING CORPORATION (SUCCESSOR-IN-INTEREST TO ASAP SOFTWARE EXPRESS, INC.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: SCALEIO LLC, MASSACHUSETTS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: EMC IP HOLDING COMPANY LLC (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO MOZY, INC.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: EMC CORPORATION (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO MAGINATICS LLC), MASSACHUSETTS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

Owner name: DELL MARKETING CORPORATION (SUCCESSOR-IN-INTEREST TO FORCE10 NETWORKS, INC. AND WYSE TECHNOLOGY L.L.C.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040136/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061324/0001

Effective date: 20220329

AS Assignment

Owner name: SCALEIO LLC, MASSACHUSETTS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: EMC IP HOLDING COMPANY LLC (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO MOZY, INC.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: EMC CORPORATION (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO MAGINATICS LLC), MASSACHUSETTS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: DELL MARKETING CORPORATION (SUCCESSOR-IN-INTEREST TO FORCE10 NETWORKS, INC. AND WYSE TECHNOLOGY L.L.C.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: DELL PRODUCTS L.P., TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: DELL INTERNATIONAL L.L.C., TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: DELL USA L.P., TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: DELL MARKETING L.P. (ON BEHALF OF ITSELF AND AS SUCCESSOR-IN-INTEREST TO CREDANT TECHNOLOGIES, INC.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329

Owner name: DELL MARKETING CORPORATION (SUCCESSOR-IN-INTEREST TO ASAP SOFTWARE EXPRESS, INC.), TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (045455/0001);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT;REEL/FRAME:061753/0001

Effective date: 20220329