US20040177258A1 - Secure object for convenient identification - Google Patents
Secure object for convenient identification
- Publication number: US20040177258A1 (application US10/420,676)
- Authority: US (United States)
- Legal status: Abandoned (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY › H04—ELECTRIC COMMUNICATION TECHNIQUE › H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    - H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
  - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
    - H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
    - H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
    - H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
- G—PHYSICS › G06—COMPUTING; CALCULATING OR COUNTING › G06F—ELECTRIC DIGITAL DATA PROCESSING › G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals › G06F21/31—User authentication
  - G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
  - G06F21/41—User authentication where a single sign-on provides access to a plurality of computers
Definitions
- the present invention pertains to the field of secure networks and computing devices. More particularly, the present invention relates to a device for automatic user authentication.
- a method and apparatus for automatic user authentication are described.
- Information is received at a device, the device including a credential container, and stored at the credential container.
- Cryptographic calculations are performed on the received information and the encrypted information is provided upon request.
- FIG. 1 illustrates an exemplary system architecture according to one embodiment of the invention
- FIG. 2 illustrates components of a Secure Object for Convenient Identification according to one embodiment of the invention
- FIG. 3 is a flow chart of a startup procedure according to one embodiment of the invention.
- FIG. 4 is an exemplary architecture of a processing system according to one embodiment of the invention.
- references to “one embodiment” or “an embodiment” mean that the feature being referred to is included in at least one embodiment of the present invention. Further, separate references to “one embodiment” in this description do not necessarily refer to the same embodiment; however, neither are such embodiments mutually exclusive, unless so stated and except as will be readily apparent to those skilled in the art. Thus, the present invention can include any variety of combinations and/or integrations of the embodiments described herein.
- the present invention discloses a method and system for authenticating a user via physicalization of user credentials at a hardware device. Passwords and usernames of a user are stored in a hardware device and automatically provided to the corresponding applications that the user is attempting to access.
- playback means automatically inserting stored user authentication information into appropriate applications.
- client machine means a processing system hosting a Secure Object for Convenient Identification.
- SOAP Simple Object Access Protocol
- XML Extensible Markup Language
- SOAP employs XML syntax to send text commands using HTTP.
- HTTPS HyperText Transfer Protocol Secure
- URL Uniform Resource Locator
- the smart card is an intelligent token that provides computational capability and memory capability.
- the self-containment of the smart card makes it resistant to attack as it does not depend on potentially vulnerable external resources.
- the physical structure of a smart card is specified by the International Standards Organization (ISO) 7810, 7816/1 and 7816/2.
- ISO International Standards Organization
- the capability of a smart card is defined by its integrated circuit chip.
- the integrated circuit chip consists of a microprocessor, read only memory (ROM), nonstatic random access memory (RAM) and electrically erasable programmable read only memory (EEPROM), which will retain its state when the power is removed.
- Another embodiment of the invention utilizes public-key algorithms.
- Public-key algorithms use two different keys: a public key and a private key.
- the private key member of the pair must be kept private and secure.
- the public key can be distributed to anyone who requests it.
- the public key of a key pair is often distributed by means of a digital certificate.
- the digital certificate is a digitally signed statement that contains information about the entity and the entity's public key, thus binding these two pieces of information together.
- a certificate is issued by a trusted organization called a Certification Authority (CA) after verification of the entity's identity.
- CA Certification Authority
- if the user's public key is used to encrypt data, only a person who has the user's private key can decrypt the data. If the user's private key is used to encrypt data, then only the user's public key will decrypt the data. In addition, if the private key is used to sign a message, the public key from that pair must be used to validate the signature.
- FIG. 1 illustrates an exemplary architecture of the invention.
- An Access Agent 100 interfaces with Secure Object for Convenient Identification (SOCI) device 120 via SOCI Application Program Interface functions.
- SOCI Secure Object for Convenient Identification
- the Access Agent 100 communicates with Identity Management System (IMS) 110 via SOAP or HTTPS.
- IMS is located on a server machine and communicates with a client machine that hosts the SOCI.
- FIG. 2 illustrates an exemplary architecture of the SOCI according to an embodiment of the invention.
- the SOCI is a hardware token capable of being connected to the user's computer.
- the SOCI includes a CryptoVault chip 200, which may be a smart card chip.
- the chip 200 includes a crypto processor 210 that performs the cryptographic calculations described below. Cryptographic calculations include symmetric key, asymmetric key and hash algorithms such as RSA, DES, 3DES, SHA1 and MD5, all of which are well known in the art and do not require any further explanation.
- the chip 200 includes NVRAM to store sensitive private data, such as private keys.
- the SOCI also includes Flash RAM 215 to store software drivers and non-sensitive data such as user configuration data, digital certificates, etc.
- the Flash RAM 215, in addition to SOCI drivers, also contains software drivers to perform configuration operations such as installation of the Access Agent on the client's computer. Part of the Flash RAM 215 memory is partitioned for a Smart Card File System (SCFS) interface. The RAM 215 may also contain a plug-n-play storage drive that appears as a disk drive on operating system platforms supporting, for example, USB 1.1 mass-storage devices.
- a Communication controller 220 is another component of the SOCI.
- the Communication controller 220 may be a USB controller, a Bluetooth controller, an RFID controller, a PCMCIA controller, an 802.11b controller, or other controller known in the art.
- the Communication controller provides access from the client computer, i.e. SOCI host computer, to the Flash RAM storage 215 and the chip 200 .
- the SOCI includes Application Interface Functions via which the client computer communicates with the SOCI.
- the Application Interface Functions provide high-level abstraction for SOCI services, such as certificate management, data encryption/decryption, and digital signature generation.
- the functions exposed by the Application Programming Interface may be implemented by a SOCI Runtime Library (not shown).
- SOCI may be wirelessly connected to the client computer or may be connected via a serial bus.
- SOCI may communicate with servers via Local Area Networks (LANs).
- LANs Local Area Networks
- the SOCI stores its authentication information to be provided to the Access Agent in a certificate signed by a Certification Authority (CA) trusted by the Access Agent.
- the Certification Authority (CA) is an entity entrusted to issue certificates asserting that the recipient individual, machine or organization requesting the certificate fulfills the conditions of an established policy. Certificates together with private keys may be utilized in SOCI to authenticate the user.
- the SOCI comprises a tamper-evident casing to prevent physical access to SOCI components.
- the SOCI may comprise a display and a keyboard allowing the users to control SOCI directly without utilizing the computer.
- information about particular SOCI device is recorded in the NVRAM of the device.
- Information includes a serial number of the device, a color of the device, a physical form of the device, identification of the manufacturer and the date of manufacturing, etc. This information is stored as digitally signed attributes in a certificate signed by the CA trusted by the Access Agent.
- when the Access Agent registers the device with a server, verification of ownership of the certificate is performed by ensuring that the signature on the device certificate is digitally signed by the CA trusted to issue device certificates.
- the physical processing platforms that embody the Access Agent and IMS may include processing systems, such as conventional personal computers (PCs) and/or server-class computer systems according to various embodiments of the invention.
- FIG. 6 illustrates an example of such a processing system at a high level.
- the processing system of FIG. 4 includes one or more processors 400, read-only memory (ROM) 410, random access memory (RAM) 420, and a mass storage device 430 coupled to each other on a bus system 440.
- the bus system 440 includes one or more buses, which may be connected to each other through various bridges, controllers and/or adapters, which are well known in the art.
- the bus system 440 may include a ‘system bus’, which may be connected through an adapter to one or more expansion buses, such as a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus. Also coupled to the bus system 440 are the mass storage device 430, one or more input/output (I/O) devices 450 and one or more data communication devices 460 to communicate with remote processing systems via one or more communication links 465 and 470, respectively.
- the I/O devices 450 may include, for example, any one or more of a display device, a keyboard, a pointing device (e.g., mouse, touchpad, trackball), or an audio speaker.
- the processor(s) 400 may include one or more conventional general-purpose or special-purpose programmable microprocessors, digital signal processors (DSPs), application specific integrated circuits (ASICs), or programmable logic devices (PLD), or a combination of such devices.
- the mass storage device 430 may include any one or more devices suitable for storing large volumes of data in a non-volatile manner, such as magnetic disk or tape, magneto-optical storage device, or any of various types of Digital Video Disk (DVD) or Compact Disk (CD) based storage or a combination of such devices.
- the data communication device(s) 460 each may be any devices suitable for enabling the processing system to communicate data with a remote processing system over a data communication link, such as a wireless transceiver or a conventional telephone modem, a wireless modem, an Integrated Services Digital Network (ISDN) adapter, a Digital Subscriber Line (DSL) modem, a cable modem, a satellite transceiver, an Ethernet adapter, or the like.
- ISDN Integrated Services Digital Network
- DSL Digital Subscriber Line
- the Access Agent 100 can be executing on the user's machine, i.e. client machine.
- the startup procedure will be described with reference to FIG. 3.
- the Access Agent 100 is executed upon the boot up of the client machine.
- the Access Agent 100 interacts with a logon procedure of the operating system to handle initialization procedures.
- the Access Agent 100 at 320 starts a thread, which may poll ports, for example USB ports, of the client machine.
- the polling thread identifies whether SOCI is present in any of the ports.
- the Access Agent at 325 prompts the user to insert the SOCI and awaits the insertion of the SOCI by periodically polling the ports. If the polling thread identifies that a SOCI is already connected to a port or that a new SOCI has been inserted, the session management module 230 displays a dialogue box prompting the user for a personal identification number (PIN). Upon the user entering the PIN, the Access Agent at 335 verifies the entered PIN. If the PIN is successfully verified, the Access Agent 100 obtains the operating system login and password information of the user at 540. For example, if the client machine is running the Windows Operating System, the Access Agent 100 obtains the Windows Login ID and Windows Password.
- PIN personal identification number
- the operating system login identification and password data are encrypted and stored in the SOCI and retrieved by the Access Agent 100 via SOCI APIs.
- the user may have several operating system login identifications and passwords and in this case the user may be presented with a pull down menu to select the login ID and password for the current session.
- the Access Agent 100 inserts the ID and password into the operating system logon procedure.
- a setup program located in the flash memory of the SOCI is executed to determine whether the Access Agent 100 is installed on the client machine. If the Access Agent is not installed on the client machine, the setup program locates the download server to download the Access Agent installer module. The setup program may contain a default location of the installer module. If the setup program fails to locate the installer for download, the setup program prompts the user for the location of the installer or for the insertion of a diskette or CD-ROM including the installer module. Upon installation of the installer, the user is prompted to enter a SOCI personal identification number (PIN) and password. The PIN of the SOCI is distributed with the SOCI. The user can change the PIN after obtaining access to the SOCI upon entering the original PIN.
- upon the user entering the PIN and password, the installer transmits the PIN and password data to the IMS.
- data transmitted to the IMS includes SOCI identification number retrieved from the SOCI device, SOCI properties, SOCI public keys, encrypted Common Symmetric Key (CSK).
- upon receiving the data, the IMS creates a new user account and registers the SOCI with the account. The IMS generates a new certificate and transmits the certificate to the Access Agent, which stores the certificate in the SOCI.
- the IMS may also encrypt the CSK with a key derived from the SOCI password and further encrypt the CSK with the IMS's public key.
- the server's public key is stored on a separate secure server, or stored in a hardware key device.
- the Access Agent 100 executes in the background at the client machine and identifies user's login, logout, change of password activities and records the procedures in a form of an access script.
- the access scripts are encrypted and stored in the SOCI and the IMS server.
- the Access Agent 100 captures operating system messages for various applications and identifies whether any of the captured messages comprise user authentication data. If the Access Agent 100 identifies the user authentication application data for a particular application, the Access Agent 100 stores the information in the SOCI. Upon identifying the user authentication application, the Access Agent 100 generates access scripts to be played back when the user attempts to access an application requiring authentication information. When the user attempts to access the application, the Access Agent 100 determines whether an access script exists for the application.
- an access script is an XML-based script that contains information on how to playback authentication information, such as the location of the application in the computer, the name of the application, the buttons to click, etc.
- the access script contains information allowing the Access Agent 100 to recognize access points of an application, the class identification of the application, password policies associated with the application, etc.
- the Access Agent 100 upon identification of user's authentication data, converts the user's authentication data into a stronger form of authentication data to be then presented to the applications that user attempts to access.
- the conversion of the authentication data may be performed without the user being aware of the change.
- the Access Agent 100 can generate a longer password by adding alpha-numeric characters into the password, for example to the end of the user's password.
- the Access Agent 100 can also generate a random password to be utilized for user authentication purposes instead of the user's chosen password to ensure higher security levels.
- the new password is generated based on configurable criteria, such as the minimal length, or the inclusion of special characters.
- the stronger form of authentication data can be digital certificates, private keys, etc.
- the request for change of passwords to the application can be performed by either Access Agent or IMS. This is done by supplying both the old password and the new password to the application. Once the application accepts the change and is aware of the new password, Access Agent will store the new password in the form of configuration data encrypted by the CSK.
- the Access Agent 100 may also request a digital certificate from the IMS using a private key stored in the SOCI. This stronger form can be used for user authentication purposes instead of the user's password if the application is configured to use a public key authentication mechanism. Once again, the procedure of conversion of the user's password into a stronger form of authentication credentials may be performed without the knowledge of the user. By configuring the Access Agent to periodically and automatically perform the above procedures, user credentials will be more secured, hence they are fortified.
- the user authentication data and access scripts are stored in SOCI and on the IMS server for a backup.
- the data in the SOCI and IMS server is identical, unless during one of the update sessions by the Access Agent 100 the server was not accessible due, for example, to a lack of network connection between the client machine and the IMS server.
- the data on the server may be updated when the user utilizes a duplicate SOCI, causing the original SOCI not to have the latest copy of the user authentication data.
- all the records stored in the SOCI and IMS server are time stamped allowing the Access Agent 100 to determine whether SOCI or IMS server includes the latest data. Upon determining the location of the latest user authentication data, the Access Agent 100 directs SOCI or IMS to update the data to ensure identical copies of user authentication data on SOCI and IMS server.
- the user authentication data may be stored on the client machine as software. If a SOCI device is not available, the user may request the stored authentication data from the IMS server. Upon downloading the user authentication information to the client machine, the downloaded data may be used by the Access Agent in a manner described above.
- SOCI will authenticate itself only to servers included in the trusted host list stored in SOCI.
- the list is stored in SOCI rather than on the user's computer that is typically not secured.
- the trusted host list contains servers that the user is attempting to access using a public key algorithm authentication mechanism, such as the IMS server. Restricting the servers to which SOCI can authenticate may prevent a form of “man-in-the-middle” attack, which occurs when a client authenticates to a malicious server, allowing the malicious server to masquerade as the client to a legitimate server by forwarding the responses to any challenges given by the legitimate server.
- SOCI ensures that a server that is being accessed by the user is on the trusted host list.
- Each SOCI is assigned a personal identification number (PIN) at the time of manufacturing.
- the Access Agent 100 detects a change in SOCI PIN performed by the client.
- the Access Agent 100 encrypts the new PIN with the public keys of all SOCIs of the user and distributes the encrypted PIN to the SOCIs utilizing IMS server.
- SOCI devices decrypt the PIN with the private key and update their data to reflect the new PIN.
- SOCIs include public-private key pairs to be registered with a Certificate Authority of IMS.
- the issued certificate and key pair are stored in the SOCI.
- when the Access Agent detects an application that has been configured to employ public keys for user authentication, the Access Agent directs the SOCI to perform the crypto function to automatically cause the application to provide the user with access.
- the private key is stored in the SOCI and is not provided to any application or any user.
- the SOCI has physical tamper-proof features to ensure that private keys are not released. In one embodiment the private key may be burned into the chip of SOCIs during manufacturing.
- administrators of IMS may cause the authentication system to utilize private-public key method without the system users being aware of the change. Due to automatic user authentication, the users need not be aware of the authentication method employed as long as they are provided with the desired application access.
- a SOCI device can be “cloned”, such that the second SOCI can functionally authenticate to the same set of applications as the original SOCI.
- a SOCI includes a symmetric key, which is used to encrypt the contents of SOCI.
- the original SOCI encrypts its symmetric key using the public key of the second SOCI and transfers the encrypted symmetric key and the encrypted contents of the original SOCI to the second SOCI via a server, which may be the IMS server.
- the second SOCI downloads the encrypted CSK.
- the encrypted authentication data is downloaded from the server to the new SOCI and is decrypted utilizing the encryption key.
- the new SOCI is therefore able to access the same information as the original SOCI, and is said to host a cloned credential container.
- a SOCI device includes a physical feature such as a button that allows a user to manually input his/her authorization of SOCI performing digital signature operations.
- the SOCI device will only perform digital signature operations when the button is pressed, thus preventing generation of digital signature without knowledge of the user, for example by a malicious program located on the SOCI's host machine.
- the user can press the authorization button when he/she is trying to authenticate him/herself.
- SOCI has a display that displays the message to inform the user what information SOCI is about to digitally sign upon user pressing the authorization button. This allows the user to know what he/she is authorizing. For example, a bank transaction will display “Transferring $10 to account # 1234” on the SOCI display before the user can authorize the transaction by pressing the authorization button on the device.
- the user may utilize SOCI keyboard and display to digitally sign data without utilizing a computer.
- digitally sign data such as a text message
- a user inputs the message into SOCI utilizing the keys of the keyboard.
- the user verifies the accuracy of the entered message on the display and requests the digital signature of the entered message by pressing one of the keyboard buttons.
- the user may also utilize SOCI to obtain his/her authentication information to be provided to an application that the user attempts to access without connecting SOCI to the user's computer.
- upon receiving a prompt for authentication information, i.e. a challenge phrase, at the user's computer, the user enters the request for the prompted information into the SOCI using the SOCI keyboard.
- SOCI displays the data on its display, which the user may then manually enter at the user's computer.
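The Definitions entries on converting a user's password into a stronger one (generating a longer password by appending characters to the end of the user's own password, or generating a random password, driven by configurable criteria such as minimal length and inclusion of special characters) are illustrated by the following example. It is an added illustration, not code from the patent or from any SOCI product; the policy fields, the `max_length` cap and the character sets are assumptions made for the example.

```python
import secrets
import string
from dataclasses import dataclass

# Character classes used when extending or generating passwords (constructed for this example).
ALNUM = string.ascii_letters + string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?"


@dataclass(frozen=True)
class PasswordPolicy:
    """Configurable criteria as the text describes: minimal length and inclusion of special characters.

    max_length is an assumption added here: many applications reject very long passwords, and a
    strengthened password the application refuses would lock the user out of it.
    """
    min_length: int = 16
    require_digit: bool = True
    require_special: bool = True
    max_length: int = 64

    def __post_init__(self) -> None:
        if self.min_length > self.max_length:
            raise ValueError("min_length exceeds max_length")

    def satisfies(self, password: str) -> bool:
        if not self.min_length <= len(password) <= self.max_length:
            return False
        if self.require_digit and not any(c.isdigit() for c in password):
            return False
        if self.require_special and not any(c in SPECIAL for c in password):
            return False
        return True


def strengthen(user_password: str, policy: PasswordPolicy) -> str:
    """Lengthen the user's own password by appending characters to its end until it meets policy.

    The user's prefix is kept intact; only the appended suffix is random. Raises ValueError
    when no suffix can satisfy the policy within max_length.
    """
    suffix = []
    if policy.require_digit and not any(c.isdigit() for c in user_password):
        suffix.append(secrets.choice(string.digits))
    if policy.require_special and not any(c in SPECIAL for c in user_password):
        suffix.append(secrets.choice(SPECIAL))
    while len(user_password) + len(suffix) < policy.min_length:
        suffix.append(secrets.choice(ALNUM))
    candidate = user_password + "".join(suffix)
    if not policy.satisfies(candidate):
        raise ValueError("policy cannot be satisfied by extending this password")
    return candidate


def generate_random(policy: PasswordPolicy) -> str:
    """Replace the user's chosen password with a random one of exactly min_length characters."""
    alphabet = ALNUM + (SPECIAL if policy.require_special else "")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy.min_length))
        if policy.satisfies(candidate):
            return candidate


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=16)
    print(strengthen("hunter2", policy))
    print(generate_random(policy))
```

Both generators draw from `secrets` rather than `random`, since the new password replaces the user's secret and must not be predictable from the agent's state; the extended form still carries the user's weak prefix, which is why the text's second option, a fully random password, gives the higher security level.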
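The Definitions entries on keeping the SOCI and the IMS server in step (identical copies unless the server was unreachable during an update, or a duplicate SOCI updated the server; every record time stamped so the Access Agent can tell which side holds the latest data and direct the other side to update) describe a reconciliation step that the following added example carries out. This is illustration code, not the patent's or any product's; the `Record` shape, the per-key merge rule and the conflict handling are assumptions, and the sample stores are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Record:
    """One stored item (an encrypted credential or access script) as held on either side.

    payload is opaque ciphertext here; timestamp is the update time the Access Agent wrote,
    which the text says every record carries.
    """
    key: str
    payload: bytes
    timestamp: int


Store = Dict[str, Record]


class ReconcileConflict(ValueError):
    """Raised when both sides carry different payloads under the same timestamp."""

    def __init__(self, keys: List[str]):
        super().__init__(f"conflicting records: {keys}")
        self.keys = keys


def reconcile(soci: Store, ims: Store) -> Tuple[Store, Store, Store]:
    """Decide, per record, which side holds the latest data and what each side must receive.

    Returns (merged, push_to_soci, push_to_ims). The copy with the larger timestamp wins; a
    record present on one side only is copied to the other. That covers both divergence
    cases in the text: an update made while the IMS was unreachable (SOCI newer) and an
    update made through a duplicate SOCI (IMS newer). Equal timestamps with equal payloads
    need no transfer; equal timestamps with different payloads are reported, not overwritten.
    """
    merged: Store = {}
    push_to_soci: Store = {}
    push_to_ims: Store = {}
    conflicts: List[str] = []
    for key in sorted(soci.keys() | ims.keys()):
        a, b = soci.get(key), ims.get(key)
        if a is None:
            merged[key] = b
            push_to_soci[key] = b
        elif b is None:
            merged[key] = a
            push_to_ims[key] = a
        elif a.timestamp > b.timestamp:
            merged[key] = a
            push_to_ims[key] = a
        elif b.timestamp > a.timestamp:
            merged[key] = b
            push_to_soci[key] = b
        elif a.payload == b.payload:
            merged[key] = a
        else:
            conflicts.append(key)
    if conflicts:
        raise ReconcileConflict(conflicts)
    return merged, push_to_soci, push_to_ims


# Constructed sample state: "mail" was updated on the SOCI while the IMS was unreachable,
# "vpn" was updated through a duplicate SOCI (so the IMS copy is newer), "crm" was added
# only through the duplicate, and "wiki" is already identical on both sides.
SOCI_STORE: Store = {
    "mail": Record("mail", b"\x01mail-v2", 1_700_001_000),
    "vpn": Record("vpn", b"\x01vpn-v1", 1_700_000_500),
    "wiki": Record("wiki", b"\x01wiki-v1", 1_700_000_000),
}
IMS_STORE: Store = {
    "mail": Record("mail", b"\x01mail-v1", 1_700_000_900),
    "vpn": Record("vpn", b"\x01vpn-v2", 1_700_001_200),
    "crm": Record("crm", b"\x01crm-v1", 1_700_001_100),
    "wiki": Record("wiki", b"\x01wiki-v1", 1_700_000_000),
}


def sample_sync() -> Tuple[Store, Store, Store]:
    """Run reconciliation over the constructed sample state."""
    return reconcile(SOCI_STORE, IMS_STORE)


if __name__ == "__main__":
    merged, to_soci, to_ims = sample_sync()
    print("push to SOCI:", sorted(to_soci))
    print("push to IMS:", sorted(to_ims))
```

The timestamps in this scheme come from whichever client machine wrote the record, so clock skew between the original SOCI's host and the duplicate's host can pick the wrong winner; a per-record version counter, or the IMS's own receipt time, is the more robust tie-breaker, and the conflict path above is where a deployment would surface such cases to the user instead of guessing.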
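The trusted host list entries (SOCI authenticates only to servers on a list kept on the token rather than on the typically unsecured computer, to prevent the man-in-the-middle case where a client authenticates to a malicious server that relays the challenges) come down to one decision: is the server the user is about to authenticate to an exact entry in the list? The following added check is illustration code, not the patent's; requiring `https`, exact host matching, and the constructed host list are assumptions of the example.

```python
from typing import Iterable, Set, Tuple
from urllib.parse import urlsplit

HostPort = Tuple[str, int]


def normalize_host(host: str) -> str:
    """Canonical form for comparison: lower-case, no surrounding whitespace, no trailing dot."""
    return host.strip().lower().rstrip(".")


def build_trusted_set(entries: Iterable[HostPort]) -> Set[HostPort]:
    """Normalize the trusted host list once, at the time it is written into the SOCI."""
    return {(normalize_host(h), p) for h, p in entries}


def is_trusted_server(url: str, trusted: Set[HostPort]) -> bool:
    """True only if the server named by url is an exact entry in the trusted set.

    Exact matching (no wildcards, no suffix rules) is deliberate: the text restricts
    authentication to named servers, and suffix rules are what let a host such as
    "ims.example.com.attacker.example" slip through. Only https is accepted here
    (assumption) so that the token's challenge responses never travel in clear text.
    """
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:  # malformed URL or non-numeric port such as https://host:abc/
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # https://ims.example.com@attacker.example/ actually names attacker.example
    return (normalize_host(parts.hostname), port or 443) in trusted


# Constructed sample list as it might be stored on the token.
TRUSTED_HOSTS = build_trusted_set([("ims.example.com", 443), ("sso.example.com", 8443)])


if __name__ == "__main__":
    for candidate in ("https://ims.example.com/soap", "https://ims.example.com.attacker.example/"):
        print(candidate, "->", is_trusted_server(candidate, TRUSTED_HOSTS))
```

The port is part of the match because a second service on the same host is a different server from the token's point of view; the user-info check exists because browsers and parsers disagree about `user@host` forms, and the safest reading on a token is to refuse them outright.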
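Two of the Definitions entries describe the same pattern of moving a secret between tokens through the server without the server learning it: cloning a SOCI (the original encrypts its symmetric key, the CSK, under the second SOCI's public key and ships that plus its CSK-encrypted contents via the server; the second SOCI unwraps the CSK and decrypts) and PIN distribution (the Access Agent encrypts a new PIN under the public key of every SOCI the user owns and the IMS relays the ciphertexts). The following added example models both. It is not the patent's or any product's code: the RSA here is textbook RSA with no padding, written only to make the wrapping structure visible, and the content cipher is an HMAC-SHA256 counter-mode keystream standing in for the chip's symmetric algorithm; a real token would use its chip's padded RSA (or an ECC scheme) and an authenticated block cipher.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Textbook RSA, written here only to show the key-wrapping structure: no padding, so it must
# not be reused as-is. A real token would use its chip's RSA-OAEP (or an ECC equivalent).
def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):  # trial division first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):  # Miller-Rabin rounds
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if _is_probable_prime(candidate):
            return candidate

def rsa_keygen(bits: int = 1024, e: int = 65537) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)  # (public, private)

def rsa_wrap(pub: Tuple[int, int], secret: bytes) -> int:
    e, n = pub
    m = int.from_bytes(secret, "big")  # a CSK or a PIN, as one integer
    if m >= n:
        raise ValueError("secret too large for this key")
    return pow(m, e, n)

def rsa_unwrap(priv: Tuple[int, int], wrapped: int, length: int) -> bytes:
    d, n = priv
    return pow(wrapped, d, n).to_bytes(length, "big")

# Content encryption under the CSK. Stand-in for the chip's symmetric cipher: HMAC-SHA256
# in counter mode as the keystream, with a separate HMAC tag (encrypt-then-MAC).
def _subkey(csk: bytes, label: bytes) -> bytes:
    return hmac.new(csk, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt(csk: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(csk, b"enc"), nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(csk, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(csk: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(csk, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    stream = _keystream(_subkey(csk, b"enc"), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

class SOCI:
    # Minimal token model: key pair, CSK, contents encrypted under the CSK, and a PIN.
    def __init__(self) -> None:
        self.pub, self._priv = rsa_keygen()
        self.csk = secrets.token_bytes(32)
        self.contents: Dict[str, bytes] = {}
        self.pin = "0000"  # constructed factory PIN
    def store(self, name: str, data: bytes) -> None:
        self.contents[name] = encrypt(self.csk, data)
    def read(self, name: str) -> bytes:
        return decrypt(self.csk, self.contents[name])
    def export_clone(self, target_pub: Tuple[int, int]) -> dict:
        # What goes to the server: CSK wrapped to the target SOCI, contents still under the CSK.
        return {"wrapped_csk": rsa_wrap(target_pub, self.csk), "contents": dict(self.contents)}
    def import_clone(self, package: dict) -> None:
        self.csk = rsa_unwrap(self._priv, package["wrapped_csk"], 32)
        self.contents = dict(package["contents"])
    def apply_pin(self, wrapped_pin: int) -> None:
        self.pin = rsa_unwrap(self._priv, wrapped_pin, 32).lstrip(b"\x00").decode()

def distribute_pin(new_pin: str, soci_pubkeys: Dict[str, Tuple[int, int]]) -> Dict[str, int]:
    """Access Agent side: one ciphertext per SOCI, so the IMS only ever relays wrapped PINs."""
    return {name: rsa_wrap(pub, new_pin.encode()) for name, pub in soci_pubkeys.items()}
```

The point the structure makes is that the server holds only `wrapped_csk`, the CSK-encrypted records and the wrapped PINs, none of which it can open without a SOCI private key; the tag check in `decrypt` is what lets the receiving token notice if a relayed blob was altered in transit or on the server.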
Description
- This application hereby claims the foreign priority benefit under 35 U.S.C. 365(b) of corresponding Singapore Patent Application Serial No. 200301114-5, filed Mar. 3, 2003.
- The present invention pertains to the field of secure networks and computing devices. More particularly, the present invention relates to a device for automatic user authentication.
- With the rapid growth of the Internet and networks, the popularity of Internet technology rises among users of network services. In order to provide secure access to network services, user names and passwords are utilized to authenticate the user logging into a system providing particular network services. Users may access several applications, each with its own separate authentication mechanism, causing the user to remember multiple user names and passwords. Due to this inconvenience, users usually utilize the same user name and password for multiple applications that they access. In addition, users choose easy-to-remember passwords, which usually are easy for hackers to crack. Cracking one password for an account breaches other accounts with the same user name and password. Network setups such as wireless Local Area Networks, remote access features, and weak intrusion protection increase the vulnerability of passwords to technical attacks by hackers.
- Many hackers are able to trick users by posing as system administrators causing the users to voluntarily provide the hackers with their passwords and user names.
- Due to the multiple accounts and multiple passwords that users maintain, password management for system administrators becomes a tedious and sometimes burdensome task. Resetting forgotten and compromised passwords and disabling all accounts of a departing employee are examples of tasks that system administrators need to perform in order to manage passwords of existing accounts in the system. Inaccurate password management may lead to security breaches; for example, failing to delete the password of a fired employee may allow that employee to access network areas that the employee should no longer be accessing.
- Further, even if passwords are correctly managed, using passwords correctly for authenticating users is fundamentally vulnerable to various attacks from anywhere on the Internet. One of the best ways to lower the population of potential attackers is to use a certificate-based authentication mechanism with private keys stored on physical tokens. The process of transitioning from password-based authentication to token/certificate-based authentication is a complex process. However, it is a transition process that all enterprises serious about digital security need to undertake.
- What is needed, therefore, is a solution that overcomes these and other shortcomings of the prior art.
- A method and apparatus for automatic user authentication are described. Information is received at a device, the device including a credential container, and stored at the credential container. Cryptographic calculations are performed on the received information and the encrypted information is provided upon request.
- The present invention is illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like references indicate similar elements.
- FIG. 1 illustrates an exemplary system architecture according to one embodiment of the invention;
- FIG. 2 illustrates components of a Secure Object for Convenient Identification according to one embodiment of the invention;
- FIG. 3 is a flow chart of a startup procedure according to one embodiment of the invention; and
- FIG. 4 is an exemplary architecture of a processing system according to one embodiment of the invention.
- A method and apparatus for user authentication is described. Note that in this description, references to “one embodiment” or “an embodiment” mean that the feature being referred to is included in at least one embodiment of the present invention. Further, separate references to “one embodiment” in this description do not necessarily refer to the same embodiment; however, neither are such embodiments mutually exclusive, unless so stated and except as will be readily apparent to those skilled in the art. Thus, the present invention can include any variety of combinations and/or integrations of the embodiments described herein.
- The present invention discloses a method and system for authenticating a user via physicalization of user credentials at a hardware device. Passwords and usernames of a user are stored in a hardware device and automatically provided to the corresponding applications that the user is attempting to access.
- It will be appreciated that the term “playback”, as used herein, means automatically inserting stored user authentication information into appropriate applications. The term “client machine”, as used herein, means a processing system hosting a Secure Object for Convenient Identification.
- Related Technology
- An introduction to related technology may be helpful in understanding some embodiments of the invention.
- One embodiment of the invention utilizes Simple Object Access Protocol (SOAP). SOAP is a message-based protocol based on Extensible Markup Language (XML) for accessing services on the Web. SOAP employs XML syntax to send text commands using HTTP.
- One embodiment of the invention utilizes HyperText Transfer Protocol Secure (HTTPS). HTTPS is a protocol for accessing secure Web servers. Using HTTPS in a Uniform Resource Locator (URL) instead of HTTP directs the message to a secure port number rather than to a default port number.
- One embodiment of the invention utilizes Smart Card technology. The smart card is an intelligent token that provides computational capability and memory capability. The self-containment of the smart card makes it resistant to attack as it does not depend on potentially vulnerable external resources. The physical structure of a smart card is specified by the International Standards Organization (ISO) 7810, 7816/1 and 7816/2. The capability of a smart card is defined by its integrated circuit chip. Typically, the integrated circuit chip consists of a microprocessor, read only memory (ROM), nonstatic random access memory (RAM) and electrically erasable programmable read only memory (EEPROM), which will retain its state when the power is removed.
- Another embodiment of the invention utilizes public-key algorithms. Public-key algorithms use two different keys: a public key and a private key. The private key member of the pair must be kept private and secure. The public key, however, can be distributed to anyone who requests it. The public key of a key pair is often distributed by means of a digital certificate. The digital certificate is a digitally signed statement that contains information about the entity and the entity's public key, thus binding these two pieces of information together. A certificate is issued by a trusted organization called a Certification Authority (CA) after verification of the entity's identity. When one key of a key pair is used to encrypt a message, the other key from that pair is required to decrypt the message. Thus, if the user's public key is used to encrypt data, only a person who has the user's private key can decrypt the data. If the user's private key is used to encrypt data, then only the user's public key will decrypt the data. In addition, if the private key is used to sign a message, the public key from that pair must be used to validate the signature.
- Exemplary Architecture
- FIG. 1 illustrates an exemplary architecture of the invention. An Access Agent 100 interfaces with the Secure Object for Convenient Identification (SOCI) device 120 via SOCI Application Program Interface functions. In addition, the Access Agent 100 communicates with the Identity Management System (IMS) 110 via SOAP or HTTPS. The IMS is located on a server machine and communicates with a client machine that hosts the SOCI.
- FIG. 2 illustrates an exemplary architecture of the SOCI according to an embodiment of the invention. The SOCI is a hardware token capable of being connected to the user's computer. The SOCI includes a chip CryptoVault 200, which may be a smart card chip. The chip 200 includes a crypto processor 210 that performs the cryptographic calculations described below. Cryptographic calculations include symmetric key, asymmetric key and hash algorithms such as RSA, DES, 3DES, SHA1 and MD5, all of which are well known in the art and do not require any further explanation. In addition, the chip 200 includes NVRAM to store sensitive private data, such as private keys. The SOCI also includes Flash RAM 215 to store software drivers and non-sensitive data such as user configuration data, digital certificates, etc. The Flash RAM 215, in addition to SOCI drivers, also contains software drivers to perform configuration operations such as installation of the Access Agent on the client's computer. Part of the Flash RAM 215 memory is partitioned for a Smart Card File System (SCFS) interface. The RAM 215 may also contain a plug-n-play storage drive that appears as a disk drive on operating system platforms supporting, for example, USB 1.1 mass-storage devices. A Communication controller 220 is another component of the SOCI. The Communication controller 220 may be a USB controller, a Bluetooth controller, an RFID controller, a PCMCIA controller, an 802.11b controller, or another controller known in the art. The Communication controller provides access from the client computer, i.e. the SOCI host computer, to the Flash RAM storage 215 and the chip 200. The SOCI includes Application Interface Functions via which the client computer communicates with the SOCI. The Application Interface Functions provide a high-level abstraction for SOCI services, such as certificate management, data encryption/decryption, and digital signature generation. The functions exposed by the Application Programming Interface may be implemented by a SOCI Runtime Library (not shown). The SOCI may be wirelessly connected to the client computer or may be connected via a serial bus. In addition, the SOCI may communicate with servers via Local Area Networks (LANs).
- In one embodiment, the SOCI stores its authentication information, to be provided to the Access Agent, in a certificate signed by a Certificate Authority (CA) trusted by the Access Agent. The Certification Authority (CA) is an entity entrusted to issue certificates asserting that the recipient individual, machine or organization requesting the certificate fulfills the conditions of an established policy. Certificates together with private keys may be utilized in the SOCI to authenticate the user.
- The SOCI comprises a tamper-evident casing to prevent physical access to SOCI components. In addition, the SOCI may comprise a display and a keyboard allowing the users to control SOCI directly without utilizing the computer.
- During manufacturing, information about the particular SOCI device is recorded in the NVRAM of the device. The information includes a serial number of the device, the color of the device, the physical form of the device, an identification of the manufacturer, the date of manufacturing, etc. This information is stored as digitally signed attributes in a certificate signed by the CA trusted by the Access Agent. When the Access Agent registers the device with a server, ownership of the certificate is verified by ensuring that the device certificate is digitally signed by the CA trusted to issue device certificates.
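As an added example (not part of the patent), here is how the device-certificate step above can be realised with Go's standard library: a manufacturer CA issues a certificate whose subject and a custom extension carry the device attributes, and the registration server accepts those attributes only if the chain verifies against the CA it trusts for device certificates. The same block also illustrates the public-key and certificate background given under Related Technology. The CA name, the OID of the attribute extension and the attribute values are constructed placeholders; the example uses ECDSA P-256 with SHA-256 rather than the RSA/MD5/SHA1 set the page lists.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DeviceAttrs holds the manufacturing data the page says is written to the
// device. Field names are this example's own.
type DeviceAttrs struct {
	Serial       string
	Color        string
	Form         string
	Manufacturer string
	MadeOn       string
}

// oidDeviceAttrs is a constructed placeholder OID for the attribute extension;
// a real vendor would use an arc registered to it.
var oidDeviceAttrs = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// CA is a minimal issuing authority: a signing key and its self-signed certificate.
type CA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Key: key, Cert: cert}, err
}

// IssueDeviceCert binds the attributes to the device's public key under the
// CA's signature; altering any attribute afterwards breaks the signature.
func (ca *CA) IssueDeviceCert(attrs DeviceAttrs, devPub *ecdsa.PublicKey) (*x509.Certificate, error) {
	enc, err := asn1.Marshal(attrs)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(2),
		Subject:         pkix.Name{CommonName: "SOCI " + attrs.Serial, SerialNumber: attrs.Serial},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidDeviceAttrs, Value: enc}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, devPub, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyDeviceCert is the registration-time check: the attributes are
// believed only if the certificate chains to the CA trusted for device certs.
func VerifyDeviceCert(cert, trustedRoot *x509.Certificate) (*DeviceAttrs, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("device certificate rejected: %w", err)
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidDeviceAttrs) {
			var a DeviceAttrs
			_, err := asn1.Unmarshal(ext.Value, &a)
			return &a, err
		}
	}
	return nil, errors.New("device attribute extension missing")
}

func main() {
	trusted, _ := NewCA("Device CA (constructed)")
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attrs := DeviceAttrs{Serial: "SN-000123", Color: "blue", Form: "USB key", Manufacturer: "Example Mfg", MadeOn: "2003-04-21"}
	cert, _ := trusted.IssueDeviceCert(attrs, &devKey.PublicKey)
	fmt.Println(VerifyDeviceCert(cert, trusted.Cert))
}
```

A certificate carrying identical attributes but issued by a different CA is rejected, which is the point of the page's check: the attributes are trusted because of who signed them, not because they are present.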
- The physical processing platforms that embody the Access Agent and IMS may include processing systems, such as conventional personal computers (PCs) and/or server-class computer systems according to various embodiments of the invention. FIG. 6 illustrates an example of such a processing system at a high level. The processing system of FIG. 4 includes one or more processors 400, read-only memory (ROM) 410, random access memory (RAM) 420, and a mass storage device 430 coupled to each other on a bus system 440. The bus system 440 includes one or more buses, which may be connected to each other through various bridges, controllers and/or adapters, which are well known in the art. For example, the bus system 440 may include a ‘system bus’, which may be connected through an adapter to one or more expansion buses, such as a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus. Also coupled to the bus system 440 are the mass storage device 430, one or more input/output (I/O) devices 450 and one or more data communication devices 460 to communicate with remote processing systems via one or more communication links. The I/O devices 450 may include, for example, any one or more of a display device, a keyboard, a pointing device (e.g., mouse, touchpad, trackball), or an audio speaker.
- The processor(s) 400 may include one or more conventional general-purpose or special-purpose programmable microprocessors, digital signal processors (DSPs), application specific integrated circuits (ASICs), or programmable logic devices (PLDs), or a combination of such devices.
- The mass storage device 430 may include any one or more devices suitable for storing large volumes of data in a non-volatile manner, such as a magnetic disk or tape, a magneto-optical storage device, or any of various types of Digital Video Disk (DVD) or Compact Disk (CD) based storage, or a combination of such devices.
- The data communication device(s) 460 may each be any device suitable for enabling the processing system to communicate data with a remote processing system over a data communication link, such as a wireless transceiver or a conventional telephone modem, a wireless modem, an Integrated Services Digital Network (ISDN) adapter, a Digital Subscriber Line (DSL) modem, a cable modem, a satellite transceiver, an Ethernet adapter, or the like.
- Methodology
- With these concepts in mind, embodiments of the invention can be further explored.
- Startup Procedure
- In order for a user to be automatically authenticated for each application that the user attempts to access, the Access Agent 100 can be executing on the user's machine, i.e. the client machine. The startup procedure will be described with reference to FIG. 3. At 310 the Access Agent 100 is executed upon boot-up of the client machine. The Access Agent 100 interacts with the logon procedure of the operating system to handle initialization procedures. Upon initialization, the Access Agent 100 at 320 starts a thread, which may poll ports, for example USB ports, of the client machine. The polling thread identifies whether a SOCI is present in any of the ports. If the polling thread does not identify the SOCI, the Access Agent at 325 prompts the user to insert the SOCI and waits for its insertion by periodically polling the ports. If the polling thread identifies that a SOCI is already connected to a port or that a new SOCI has been inserted, the session management module 230 displays a dialogue box prompting the user for a personal identification number (PIN). Upon the user entering the PIN, the Access Agent at 335 verifies the entered PIN. If the PIN is successfully verified, the Access Agent 100 obtains the operating system login and password information of the user at 540. For example, if the client machine is running the Windows Operating System, the Access Agent 100 obtains the Windows Login ID and Windows Password. In one embodiment the operating system login identification and password data are encrypted and stored in the SOCI and retrieved by the Access Agent 100 via SOCI APIs. The user may have several operating system login identifications and passwords, and in this case the user may be presented with a pull-down menu to select the login ID and password for the current session. At 345, upon determining and decrypting the login ID and password, the Access Agent 100 inserts the ID and password into the operating system logon procedure.
- SOCI Initialization
- In one embodiment, upon insertion of the SOCI, a setup program located in the flash memory of the SOCI is executed to determine whether the Access Agent 100 is installed on the client machine. If the Access Agent is not installed on the client machine, the setup program locates the download server to download the Access Agent installer module. The setup program may contain a default location of the installer module. If the setup program fails to locate the installer for download, the setup program prompts the user for the location of the installer or for the insertion of a diskette or CD-ROM including the installer module. Once the Access Agent is installed, the user is prompted to enter a SOCI personal identification number (PIN) and password. The PIN of the SOCI is distributed with the SOCI. The user can change the PIN after obtaining access to the SOCI by entering the original PIN. Upon the user entering the PIN and password, the installer transmits the PIN and password data to the IMS. In one embodiment the data transmitted to the IMS includes the SOCI identification number retrieved from the SOCI device, SOCI properties, SOCI public keys and the encrypted Common Symmetric Key (CSK). Upon receiving the data, the IMS creates a new user account and registers the SOCI with the account. The IMS generates a new certificate and transmits the certificate to the Access Agent, which stores the certificate in the SOCI. The IMS may also encrypt the CSK with a key derived from the SOCI password and further encrypt the CSK with the IMS's public key. In one embodiment, the server's public key is stored on a separate secure server, or stored in a hardware key device.
- Automated Authentication
- In one embodiment the Access Agent 100 executes in the background at the client machine, identifies the user's login, logout and change-of-password activities, and records the procedures in the form of an access script. The access scripts are encrypted and stored in the SOCI and on the IMS server. The Access Agent 100 captures operating system messages for various applications and identifies whether any of the captured messages comprise user authentication data. If the Access Agent 100 identifies user authentication data for a particular application, the Access Agent 100 stores the information in the SOCI. Upon identifying the user authentication application, the Access Agent 100 generates access scripts to be played back when the user attempts to access an application requiring authentication information. When the user attempts to access the application, the Access Agent 100 determines whether an access script exists for the application. If the access script exists, the authentication information is injected into the login procedure of the application. If the access script does not exist, the Access Agent 100 captures the logon information entered by the user and stores the encrypted information in the SOCI and IMS. An access script is an XML-based script that contains information on how to play back authentication information, such as the location of the application on the computer, the name of the application, the buttons to click, etc.
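To make the script format concrete, here is an added example (not code from the patent or its Access Agent) that parses a script in this format with Go's encoding/xml and decides whether a captured window qualifies for playback. The embedded script is a copy of the page's own example, which follows below, with straight quotes; the Window type and the matching rules (process name, LeftStr/RightStr title anchors, label presence) are this example's own assumptions about how a WndSignature is applied.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Go types mirror the element names in the page's script; unmapped elements are ignored.
type AccessScript struct {
	XMLName xml.Name   `xml:"AccessScript"`
	ASPoint string     `xml:"ASPoint,attr"`
	Methods []ASMethod `xml:"ASMethod"`
}
type ASMethod struct {
	MethodType string   `xml:"MethodType,attr"`
	Steps      []ASStep `xml:"ASStep"`
}
type ASStep struct {
	ID  string       `xml:"ID,attr"`
	Wnd WndSignature `xml:"ASResult>WndSignature"`
}
type WndSignature struct {
	WndTitle      string `xml:"WndTitle"`
	UserNameLabel string `xml:"UserNameLabel"`
	PasswordLabel string `xml:"PasswordLabel"`
	LeftStr       string `xml:"LeftStr"`
	RightStr      string `xml:"RightStr"`
}

// Window is a constructed stand-in for what the agent observes on screen.
type Window struct {
	Process string
	Title   string
	Labels  []string
}

func Parse(src string) (*AccessScript, error) {
	var s AccessScript
	if err := xml.Unmarshal([]byte(src), &s); err != nil {
		return nil, err
	}
	return &s, nil
}

// Matches: the title must carry the LeftStr/RightStr anchors and every
// non-empty label must be present; empty signature fields are wildcards.
func (w WndSignature) Matches(win Window) bool {
	if !strings.HasPrefix(win.Title, w.LeftStr) || !strings.HasSuffix(win.Title, w.RightStr) {
		return false
	}
	return win.hasLabel(w.UserNameLabel) && win.hasLabel(w.PasswordLabel)
}

func (win Window) hasLabel(label string) bool {
	if label == "" {
		return true
	}
	for _, l := range win.Labels {
		if l == label {
			return true
		}
	}
	return false
}

// FindLoginStep returns the ID of the first "login" step whose signature
// matches, or "" when nothing should be played back. Checking the process
// name first keeps credentials out of look-alike windows from other programs.
func (s *AccessScript) FindLoginStep(win Window) string {
	if !strings.EqualFold(s.ASPoint, win.Process) {
		return ""
	}
	for _, m := range s.Methods {
		if m.MethodType != "login" {
			continue
		}
		for _, st := range m.Steps {
			if st.Wnd.Matches(win) {
				return st.ID
			}
		}
	}
	return ""
}

// sampleScript is the page's example script with straight quotes.
const sampleScript = `<AccessScript ASPoint="explorer.exe"><ASMethod MethodName="explorer.exe-1" MethodType="login">
<ASStep ID="1"><ASResult><WebSignature><PageURL></PageURL><UserFieldName></UserFieldName>
<PwdFieldName></PwdFieldName><ActionFieldName></ActionFieldName></WebSignature>
<WndSignature><WndID/><WndTitle>Connect to</WndTitle><ServerLabel></ServerLabel>
<UserNameLabel>User name:</UserNameLabel><PasswordLabel>Password:</PasswordLabel>
<NewPasswordLabel></NewPasswordLabel><VerifyPasswordLabel></VerifyPasswordLabel>
<LeftStr>Connect to</LeftStr><RightStr></RightStr><ServerDlgID/><UserNameDlgID/>
<NewPasswordDlgID/><OkButtonID/></WndSignature><ASEvent><Message></Message></ASEvent>
</ASResult></ASStep></ASMethod></AccessScript>`

func main() {
	s, _ := Parse(sampleScript)
	win := Window{Process: "explorer.exe", Title: "Connect to fileserver", Labels: []string{"User name:", "Password:"}}
	fmt.Println("login step:", s.FindLoginStep(win)) // "1"
}
```

The process-name check is the part worth keeping in any real agent: a playback engine that matches on window title and labels alone will type credentials into any window that imitates the dialog.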
- An example of an access script is provided below:

    <AccessScript ASPoint="explorer.exe">
      <ASMethod MethodName="explorer.exe-1" MethodType="login">
        <ASStep ID="1">
          <ASResult>
            <WebSignature>
              <PageURL></PageURL>
              <UserFieldName></UserFieldName>
              <PwdFieldName></PwdFieldName>
              <ActionFieldName></ActionFieldName>
            </WebSignature>
            <WndSignature>
              <WndID/>
              <WndTitle>Connect to</WndTitle>
              <ServerLabel></ServerLabel>
              <UserNameLabel>User name:</UserNameLabel>
              <PasswordLabel>Password:</PasswordLabel>
              <NewPasswordLabel></NewPasswordLabel>
              <VerifyPasswordLabel></VerifyPasswordLabel>
              <LeftStr>Connect to</LeftStr>
              <RightStr></RightStr>
              <ServerDlgID/>
              <UserNameDlgID/>
              <NewPasswordDlgID/>
              <OkButtonID/>
            </WndSignature>
            <ASEvent>
              <Message></Message>
            </ASEvent>
          </ASResult>
        </ASStep>
      </ASMethod>
    </AccessScript>

- In addition, the access script contains information allowing the Access Agent 100 to recognize access points of an application, the class identification of the application, password policies associated with the application, etc.
- In one embodiment, upon identification of the user's authentication data, the Access Agent 100 converts the user's authentication data into a stronger form of authentication data, which is then presented to the applications that the user attempts to access. The conversion of the authentication data may be performed without the user being aware of the change. The Access Agent 100 can generate a longer password by adding alphanumeric characters to the password, for example at the end of the user's password. The Access Agent 100 can also generate a random password to be utilized for user authentication instead of the user's chosen password, to ensure a higher security level. The new password is generated based on configurable criteria, such as a minimum length or the inclusion of special characters. In addition, the stronger form of authentication data can be digital certificates, private keys, etc. The request to the application to change the password can be performed by either the Access Agent or the IMS. This is done by supplying both the old password and the new password to the application. Once the application accepts the change and is aware of the new password, the Access Agent stores the new password in the form of configuration data encrypted by the CSK. The Access Agent 100 may also request a digital certificate from the IMS using a private key stored in the SOCI. This stronger form can be used for user authentication instead of the user's password if the application is configured to use a public key authentication mechanism. Once again, the conversion of the user's password into a stronger form of authentication credentials may be performed without the knowledge of the user. By configuring the Access Agent to perform the above procedures periodically and automatically, user credentials are made more secure; hence they are fortified.
- Data Synchronization
- In one embodiment the user authentication data and access scripts are stored in the SOCI and on the IMS server as a backup. The data in the SOCI and on the IMS server is identical, unless during one of the update sessions by the Access Agent 100 the server was not accessible, for example due to a lack of network connection between the client machine and the IMS server. Also, the data on the server may be updated when the user utilizes a duplicate SOCI, causing the original SOCI not to have the latest copy of the user authentication data. In one embodiment, all the records stored in the SOCI and on the IMS server are time-stamped, allowing the Access Agent 100 to determine whether the SOCI or the IMS server holds the latest data. Upon determining the location of the latest user authentication data, the Access Agent 100 directs the SOCI or IMS to update the data to ensure identical copies of the user authentication data on the SOCI and the IMS server.
- In one embodiment, the user authentication data may be stored on the client machine in software. If a SOCI device is not available, the user may request the stored authentication data from the IMS server. Upon downloading the user authentication information to the client machine, the downloaded data may be used by the Access Agent in the manner described above.
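One way to implement the timestamp-based reconciliation described above, as an added example (not the patent's or the IMS's code): per record key the later copy wins, a record present on one side only is copied to the other, and equal timestamps with differing payloads are flagged instead of being resolved silently. Record fields and the sample data are constructed; payloads are treated as already-encrypted opaque blobs.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Record is one stored credential entry. Payload is an opaque (already
// encrypted) blob; only the timestamp drives reconciliation.
type Record struct {
	Key       string
	Payload   string
	UpdatedAt time.Time
}

// Plan lists what each side must receive so both copies end up identical.
type Plan struct {
	ToSOCI []Record
	ToIMS  []Record
}

// Reconcile picks, per key, the copy with the later timestamp, which covers
// both cases the page describes: the IMS was unreachable during an update
// (SOCI is newer) and a duplicate SOCI updated the server (IMS is newer).
// Equal timestamps with different payloads cannot be ordered and are
// returned as conflicts for the user or administrator to settle.
func Reconcile(soci, ims []Record) (Plan, []string) {
	byKey := func(rs []Record) map[string]Record {
		m := make(map[string]Record, len(rs))
		for _, r := range rs {
			m[r.Key] = r
		}
		return m
	}
	s, i := byKey(soci), byKey(ims)
	var plan Plan
	var conflicts []string
	for key, sr := range s {
		ir, ok := i[key]
		switch {
		case !ok || sr.UpdatedAt.After(ir.UpdatedAt):
			plan.ToIMS = append(plan.ToIMS, sr)
		case ir.UpdatedAt.After(sr.UpdatedAt):
			plan.ToSOCI = append(plan.ToSOCI, ir)
		case sr.Payload != ir.Payload:
			conflicts = append(conflicts, key)
		}
	}
	for key, ir := range i {
		if _, ok := s[key]; !ok {
			plan.ToSOCI = append(plan.ToSOCI, ir)
		}
	}
	sort.Strings(conflicts)
	return plan, conflicts
}

// Keys lists record keys in sorted order (map iteration above is unordered).
func Keys(rs []Record) []string {
	ks := make([]string, 0, len(rs))
	for _, r := range rs {
		ks = append(ks, r.Key)
	}
	sort.Strings(ks)
	return ks
}

// SampleData is a constructed scenario: the original SOCI missed one IMS
// update (app-d), a duplicate SOCI changed app-a on the server, app-c was
// added only on the server, and app-e was edited on both sides at once.
func SampleData() (soci, ims []Record) {
	at := func(h int) time.Time { return time.Date(2003, 4, 21, h, 0, 0, 0, time.UTC) }
	soci = []Record{{"app-a", "enc-v1", at(10)}, {"app-b", "enc-v1", at(9)}, {"app-d", "enc-v1", at(11)}, {"app-e", "enc-x", at(12)}}
	ims = []Record{{"app-a", "enc-v2", at(13)}, {"app-b", "enc-v1", at(9)}, {"app-c", "enc-v1", at(8)}, {"app-e", "enc-y", at(12)}}
	return soci, ims
}

func main() {
	plan, conflicts := Reconcile(SampleData())
	fmt.Println("to SOCI:", Keys(plan.ToSOCI), "to IMS:", Keys(plan.ToIMS), "conflicts:", conflicts)
}
```

Last-writer-wins only works if both sides' clocks are trustworthy; a token without its own clock should take the timestamp from the IMS at update time rather than from the host PC.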
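The password strengthening described under Automated Authentication above, as an added example (not the patent's own code): a Policy type stands in for the page's configurable criteria, Generate produces a policy-compliant random password with crypto/rand, Lengthen appends random characters to the user's password as the page's other option, and Satisfies is the check run before either is offered to the application. Policy fields, character sets and the sample password are this example's assumptions.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Policy stands in for the page's "configurable criteria"; field names are this example's own.
type Policy struct {
	MinLength      int
	RequireDigit   bool
	RequireSpecial bool
}

const (
	letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digits  = "0123456789"
	special = "!#$%&*+-=?@^_"
)

// pick draws one byte of set uniformly. rand.Int rejection-samples, so the
// result is not biased the way "random byte mod len(set)" would be.
func pick(set string) (byte, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(int64(len(set))))
	if err != nil {
		return 0, err
	}
	return set[n.Int64()], nil
}

func randomString(set string, n int) (string, error) {
	buf := make([]byte, n)
	for i := range buf {
		c, err := pick(set)
		if err != nil {
			return "", err
		}
		buf[i] = c
	}
	return string(buf), nil
}

// Satisfies is the check the agent runs before offering a new password to
// the application (and before accepting a user-chosen one).
func (p Policy) Satisfies(pw string) bool {
	return len(pw) >= p.MinLength &&
		(!p.RequireDigit || strings.ContainsAny(pw, digits)) &&
		(!p.RequireSpecial || strings.ContainsAny(pw, special))
}

// Generate builds a fresh random password: one character from each required
// class is placed first, the rest is drawn from the full alphabet, and the
// result is shuffled so the required characters land at random positions.
func (p Policy) Generate() (string, error) {
	if p.MinLength < 8 {
		return "", errors.New("policy minimum length below 8")
	}
	alphabet := letters + digits
	var pw []byte
	if p.RequireDigit {
		c, err := pick(digits)
		if err != nil {
			return "", err
		}
		pw = append(pw, c)
	}
	if p.RequireSpecial {
		alphabet += special
		c, err := pick(special)
		if err != nil {
			return "", err
		}
		pw = append(pw, c)
	}
	rest, err := randomString(alphabet, p.MinLength-len(pw))
	if err != nil {
		return "", err
	}
	pw = append(pw, rest...)
	for i := len(pw) - 1; i > 0; i-- { // Fisher-Yates shuffle with crypto/rand
		j, err := rand.Int(rand.Reader, big.NewInt(int64(i+1)))
		if err != nil {
			return "", err
		}
		pw[i], pw[j.Int64()] = pw[j.Int64()], pw[i]
	}
	return string(pw), nil
}

// Lengthen is the page's other option: keep the user's password and append
// random alphanumerics until the policy length is reached.
func (p Policy) Lengthen(userPw string) (string, error) {
	if len(userPw) >= p.MinLength {
		return userPw, nil
	}
	suffix, err := randomString(letters+digits, p.MinLength-len(userPw))
	return userPw + suffix, err
}

func main() {
	p := Policy{MinLength: 16, RequireDigit: true, RequireSpecial: true}
	pw, _ := p.Generate()
	long, _ := p.Lengthen("hunter2") // constructed weak user password
	fmt.Println(pw, p.Satisfies(pw), long, p.Satisfies(long))
}
```

Lengthen keeps the user's original secret as a prefix, so the fully random form from Generate is the stronger of the two whenever the application accepts it.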
- Secure SOCI Authentication
- In one embodiment of the invention the SOCI will authenticate itself only to servers included in a trusted host list stored in the SOCI. To prevent tampering with the list, the list is stored in the SOCI rather than on the user's computer, which is typically not secured. The trusted host list contains the servers that the user attempts to access using a public key authentication mechanism, such as the IMS server. Restricting the servers to which the SOCI can authenticate may prevent a form of “man-in-the-middle” attack, which occurs when a client authenticates to a malicious server, allowing the malicious server to masquerade as the client to a legitimate server by forwarding the responses to any challenges given by the legitimate server. Thus, prior to performing any of the cryptographic calculations described in this specification, the SOCI ensures that the server being accessed by the user is on the trusted host list.
- SOCI PIN Distribution
- Each SOCI is assigned a personal identification number (PIN) at the time of manufacturing. In order for the user to unlock the SOCI for the first time, the user has to use the assigned PIN. However, the PIN can be changed by the user at a later time. In case the user utilizes multiple SOCIs, it is advantageous that all SOCIs are assigned the same PIN to simplify the SOCI login procedure for the user. In one embodiment of the invention, the Access Agent 100 detects a change in the SOCI PIN performed by the client. The Access Agent 100 encrypts the new PIN with the public keys of all SOCIs of the user and distributes the encrypted PIN to the SOCIs utilizing the IMS server. The SOCI devices decrypt the PIN with their private keys and update their data to reflect the new PIN.
- It will be appreciated that the same method may be employed to ensure that all SOCIs utilized by the user are updated upon the user changing user authentication information for different applications.
- Public/Private Key Authentication
- As described above, in one embodiment of the invention, SOCIs include public-private key pairs to be registered with the Certificate Authority of the IMS. The issued certificate and key pair are stored in the SOCI. When the Access Agent detects an application that has been configured to employ public keys for user authentication, the Access Agent directs the SOCI to perform the cryptographic function that automatically causes the application to grant the user access. The private key is stored in the SOCI and is not provided to any application or any user. The SOCI has physical tamper-proof features to ensure that private keys are not released. In one embodiment the private key may be burned into the chip of the SOCI during manufacturing.
- In one embodiment administrators of IMS may cause the authentication system to utilize private-public key method without the system users being aware of the change. Due to automatic user authentication, the users need not be aware of the authentication method employed as long as they are provided with the desired application access.
- Cloning of SOCI
- In one embodiment, a SOCI device can be “cloned”, such that a second SOCI can functionally authenticate to the same set of applications as the original SOCI. A SOCI includes a symmetric key, which is used to encrypt the contents of the SOCI. To “clone” a SOCI in a secure manner, the original SOCI encrypts its symmetric key using the public key of the second SOCI and transfers the encrypted symmetric key and the encrypted contents of the original SOCI to the second SOCI via a server, which may be the IMS server. The second SOCI downloads the encrypted CSK. Once the encryption key is acquired by the new SOCI, the encrypted authentication data is downloaded from the server to the new SOCI and decrypted utilizing the encryption key. The new SOCI is therefore able to access the same information as the original SOCI, and is said to host a cloned credential container.
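The two procedures that rely on encrypting a secret to another token's public key, the PIN distribution under SOCI PIN Distribution and the cloning just described, as one added example (not the patent's code). The CSK protects stored contents with AES-256-GCM, RSA-OAEP wraps the CSK (or a new PIN) to the receiving token's public key, and the relay server only ever sees ciphertext. Key sizes, the OAEP labels and the sample credential are this example's choices; the page does not specify the algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SOCI models the parts of a token this example needs: its RSA key pair and
// the Common Symmetric Key (CSK) that protects its stored credentials. The
// private key is assumed to stay inside the device; nothing here exports it.
type SOCI struct {
	priv *rsa.PrivateKey
	csk  []byte
}

func NewSOCI() (*SOCI, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	csk := make([]byte, 32) // AES-256 key
	if _, err := rand.Read(csk); err != nil {
		return nil, err
	}
	return &SOCI{priv: priv, csk: csk}, nil
}

func (s *SOCI) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

func (s *SOCI) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(s.csk)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts stored contents under the CSK; the random nonce is prepended
// so the server can hold the blob as opaque bytes.
func (s *SOCI) Seal(plaintext []byte) ([]byte, error) {
	gcm, err := s.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; it fails on a wrong CSK or any modification of the blob.
func (s *SOCI) Open(blob []byte) ([]byte, error) {
	gcm, err := s.aead()
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// WrapSecretFor encrypts a small secret (the CSK when cloning, or a new PIN
// being pushed to the user's other tokens) to one token's public key with
// RSA-OAEP. The label separates the two uses, so a wrapped PIN cannot be
// passed off as a wrapped CSK.
func WrapSecretFor(secret []byte, peer *rsa.PublicKey, label string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, peer, secret, []byte(label))
}

func (s *SOCI) Unwrap(wrapped []byte, label string) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, wrapped, []byte(label))
}

// AdoptCSK installs a CSK received from the original token.
func (s *SOCI) AdoptCSK(csk []byte) { s.csk = append([]byte(nil), csk...) }

// Clone runs the page's procedure end to end. The relay (the IMS server in
// the page) sees only the two ciphertexts, so it learns neither the CSK nor
// the credentials. It returns the contents recovered on the second token.
func Clone(original, second *SOCI, contents []byte) ([]byte, error) {
	sealed, err := original.Seal(contents)
	if err != nil {
		return nil, err
	}
	wrapped, err := WrapSecretFor(original.csk, second.PublicKey(), "soci-csk")
	if err != nil {
		return nil, err
	}
	// ... sealed and wrapped travel through the server here ...
	csk, err := second.Unwrap(wrapped, "soci-csk")
	if err != nil {
		return nil, err
	}
	second.AdoptCSK(csk)
	return second.Open(sealed)
}

func main() {
	orig, _ := NewSOCI()
	second, _ := NewSOCI()
	got, err := Clone(orig, second, []byte("app-a:alice:s3cret")) // constructed credential
	fmt.Printf("%s %v\n", got, err)
}
```

Because the CSK is wrapped to one specific public key, a third token that was never addressed cannot recover it, and without the CSK the sealed contents stored on the server are useless to it.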
- Manual Authorization of SOCI for Performing Digital Signature
- In one embodiment, a SOCI device includes a physical feature such as a button that allows a user to manually input his/her authorization of SOCI performing digital signature operations. The SOCI device will only perform digital signature operations when the button is pressed, thus preventing generation of digital signature without knowledge of the user, for example by a malicious program located on the SOCI's host machine. The user can press the authorization button when he/she is trying to authenticate him/herself.
- In another embodiment, the SOCI has a display that shows a message informing the user what information the SOCI is about to digitally sign when the user presses the authorization button. This allows the user to know what he/she is authorizing. For example, a bank transaction will display “Transferring $10 to account # 1234” on the SOCI display before the user can authorize the transaction by pressing the authorization button on the device.
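The device-side gates described under Secure SOCI Authentication, Public/Private Key Authentication and the two manual-authorization paragraphs above, as one added example (not the patent's code): the token refuses to sign unless the server is on its own trusted host list and the user has pressed the button, shows what it is about to sign, and binds the host name into the signed message so a response obtained by one server is worthless at another. The server-side check with the registered public key is included. Host names, the challenge and the message layout are constructed assumptions; the signature scheme is ECDSA P-256.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Token holds the signing key (never exported), the trusted host list kept on
// the device rather than on the host PC, and the state of the authorization
// button. Names are this example's own.
type Token struct {
	priv         *ecdsa.PrivateKey
	trustedHosts map[string]bool
	buttonDown   bool
}

func NewToken(trusted ...string) (*Token, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t := &Token{priv: priv, trustedHosts: map[string]bool{}}
	for _, h := range trusted {
		t.trustedHosts[h] = true
	}
	return t, nil
}

func (t *Token) PublicKey() *ecdsa.PublicKey { return &t.priv.PublicKey }

// PressButton records the user's manual authorization; one press is consumed
// by one signature, so software on the host cannot bank presses for later.
func (t *Token) PressButton() { t.buttonDown = true }

// Display is the text the token shows before signing, so the user knows what
// a button press will authorize.
func Display(host string, challenge []byte) string {
	return fmt.Sprintf("Authenticate to %s with challenge %x?", host, challenge)
}

// message binds the host name to the challenge. A signature produced for one
// server is therefore meaningless at another, which is the relay the page's
// trusted host list is meant to stop.
func message(host string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(host+"\x00"), challenge...))
	return d[:]
}

// SignChallenge applies both gates before any cryptography: the server must
// be on the device-resident list and the button must have been pressed.
func (t *Token) SignChallenge(host string, challenge []byte) ([]byte, error) {
	if !t.trustedHosts[host] {
		return nil, fmt.Errorf("host %q not in trusted host list", host)
	}
	if !t.buttonDown {
		return nil, errors.New("authorization button not pressed")
	}
	t.buttonDown = false
	return ecdsa.SignASN1(rand.Reader, t.priv, message(host, challenge))
}

// VerifyResponse is the server side: it checks the signature with the public
// key from the user's registered certificate, over its own host name and the
// challenge it issued.
func VerifyResponse(pub *ecdsa.PublicKey, host string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, message(host, challenge), sig)
}

func main() {
	tok, _ := NewToken("ims.example.test") // constructed trusted host
	challenge := []byte("nonce-0001")      // constructed server challenge
	fmt.Println(Display("ims.example.test", challenge))
	tok.PressButton()
	sig, err := tok.SignChallenge("ims.example.test", challenge)
	fmt.Println(err, VerifyResponse(tok.PublicKey(), "ims.example.test", challenge, sig))
}
```

The server verifies against the public key it holds from registration, so the private key never leaves the token, which is the property the Public/Private Key Authentication section relies on.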
- External SOCI Control
- In one embodiment of the invention, the user may utilize SOCI keyboard and display to digitally sign data without utilizing a computer. In order to digitally sign data, such as a text message, a user inputs the message into SOCI utilizing the keys of the keyboard. The user then verifies the accuracy of the entered message on the display and requests the digital signature of the entered message by pressing one of the keyboard buttons.
- The user may also utilize the SOCI to obtain his/her authentication information to be provided to an application that the user attempts to access, without connecting the SOCI to the user's computer. Upon receiving a prompt for authentication information, i.e. a challenge phrase, at the user's computer, the user enters a request for the prompted information into the SOCI using the SOCI keyboard. Upon retrieving the requested information, the SOCI shows the data on its display, which the user may then enter manually at the user's computer.
- Thus, a method and apparatus for user authentication have been described. Although the present invention has been described with reference to specific exemplary embodiments, it will be evident that various modifications and changes may be made to these embodiments without departing from the broader spirit and scope of the invention as set forth in the claims. Accordingly, the specification and drawings are to be regarded in an illustrative sense rather than a restrictive sense.
Claims (48)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/708,795 US7581099B2 (en) | 2003-03-03 | 2007-02-20 | Secure object for convenient identification |
US12/363,988 US8850558B2 (en) | 2003-03-03 | 2009-02-02 | Controlling access to a process using a separate hardware device |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
SG200301114-5 | 2003-03-03 | ||
SG200301114 | 2003-03-03 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/708,795 Division US7581099B2 (en) | 2003-03-03 | 2007-02-20 | Secure object for convenient identification |
Publications (1)
Publication Number | Publication Date |
---|---|
US20040177258A1 true US20040177258A1 (en) | 2004-09-09 |
Family
ID=32923969
Family Applications (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/420,676 Abandoned US20040177258A1 (en) | 2003-03-03 | 2003-04-21 | Secure object for convenient identification |
US11/708,795 Expired - Fee Related US7581099B2 (en) | 2003-03-03 | 2007-02-20 | Secure object for convenient identification |
US12/363,988 Expired - Fee Related US8850558B2 (en) | 2003-03-03 | 2009-02-02 | Controlling access to a process using a separate hardware device |
Family Applications After (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/708,795 Expired - Fee Related US7581099B2 (en) | 2003-03-03 | 2007-02-20 | Secure object for convenient identification |
US12/363,988 Expired - Fee Related US8850558B2 (en) | 2003-03-03 | 2009-02-02 | Controlling access to a process using a separate hardware device |
Country Status (5)
Country | Link |
---|---|
US (3) | US20040177258A1 (en) |
EP (1) | EP1606914A4 (en) |
AU (1) | AU2003223153A1 (en) |
CA (1) | CA2516718A1 (en) |
WO (1) | WO2004079988A1 (en) |
Cited By (26)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020138754A1 (en) * | 2001-03-21 | 2002-09-26 | Kabushiki Kaisha Toshiba | Method and system for managing software licenses and storage apparatus |
US20040230812A1 (en) * | 2003-05-16 | 2004-11-18 | Berner Fachhochschule | Method for authentication of a user with an authorizing device, and a security apparatus for carrying out the method |
US20060282577A1 (en) * | 2005-06-08 | 2006-12-14 | Feitian Technologies Co. Ltd. | Universal serial bus data transport method and device |
US20070016743A1 (en) * | 2005-07-14 | 2007-01-18 | Ironkey, Inc. | Secure storage device with offline code entry |
WO2007030517A2 (en) * | 2005-09-06 | 2007-03-15 | Ironkey, Inc. | Systems and methods for third-party authentication |
US20070067620A1 (en) * | 2005-09-06 | 2007-03-22 | Ironkey, Inc. | Systems and methods for third-party authentication |
US20070101434A1 (en) * | 2005-07-14 | 2007-05-03 | Ironkey, Inc. | Recovery of encrypted data from a secure storage device |
US20070233540A1 (en) * | 2006-03-31 | 2007-10-04 | Peter Sirota | Customizable sign-on service |
US20070288689A1 (en) * | 2006-04-29 | 2007-12-13 | Zhou Lu | USB apparatus and control method therein |
US20070300052A1 (en) * | 2005-07-14 | 2007-12-27 | Jevans David A | Recovery of Data Access for a Locked Secure Storage Device |
US20070300031A1 (en) * | 2006-06-22 | 2007-12-27 | Ironkey, Inc. | Memory data shredder |
US20080060059A1 (en) * | 2006-09-05 | 2008-03-06 | Takuya Yoshida | Data processor, peripheral device, and recording medium used herewith |
US20080271163A1 (en) * | 2003-06-18 | 2008-10-30 | Stillerman Matthew A | Active verification of boot firmware |
US20090089366A1 (en) * | 2007-09-27 | 2009-04-02 | Kalman Csaba Toth | Portable caching system |
US20090205030A1 (en) * | 2003-03-03 | 2009-08-13 | International Business Machines Corporation | Controlling Access to a Process Using a Separate Hardware Device |
US20090276623A1 (en) * | 2005-07-14 | 2009-11-05 | David Jevans | Enterprise Device Recovery |
US20110035574A1 (en) * | 2009-08-06 | 2011-02-10 | David Jevans | Running a Computer from a Secure Portable Device |
US8015606B1 (en) | 2005-07-14 | 2011-09-06 | Ironkey, Inc. | Storage device with website trust indication |
US8266378B1 (en) | 2005-12-22 | 2012-09-11 | Imation Corp. | Storage device with accessible partitions |
US20130160113A1 (en) * | 2011-12-15 | 2013-06-20 | Samsung Electronics Co., Ltd. | Computing apparatus and method for operating application |
US8499157B1 (en) * | 2010-09-29 | 2013-07-30 | Emc Corporation | Device-based password management |
US8639873B1 (en) | 2005-12-22 | 2014-01-28 | Imation Corp. | Detachable storage device with RAM cache |
US8683088B2 (en) | 2009-08-06 | 2014-03-25 | Imation Corp. | Peripheral device data integrity |
US9152797B2 (en) | 2012-10-30 | 2015-10-06 | Barclays Bank Plc | Device and method for secure memory access |
WO2017207680A1 (en) * | 2016-06-01 | 2017-12-07 | Bundesdruckerei Gmbh | User authentication by means of an id token |
US9916574B2 (en) | 2012-10-30 | 2018-03-13 | Barclays Bank Plc | Secure computing device and method |
Families Citing this family (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP5129499B2 (en) * | 2007-04-11 | 2013-01-30 | キヤノン株式会社 | Image forming apparatus, image forming apparatus control method, program, and storage medium |
US8694776B2 (en) | 2007-12-21 | 2014-04-08 | Spansion Llc | Authenticated memory and controller slave |
WO2009108373A2 (en) * | 2008-02-27 | 2009-09-03 | Fisher-Rosemount Systems, Inc. | Join key provisioning of wireless devices |
GB201000288D0 (en) * | 2010-01-11 | 2010-02-24 | Scentrics Information Security | System and method of enforcing a computer policy |
US10250589B2 (en) * | 2010-05-20 | 2019-04-02 | Cyberark Software Ltd. | System and method for protecting access to authentication systems |
US9582505B2 (en) | 2011-03-24 | 2017-02-28 | Echostar Technologies L.L.C. | Handling user-specific information for content during content-altering operations |
US8572685B2 (en) * | 2012-01-06 | 2013-10-29 | Timothy J. Caplis | Consolidated data services apparatus and method |
US8677121B2 (en) | 2012-07-31 | 2014-03-18 | Hewlett-Packard Development Company, L.P. | Monitoring encrypted session properties |
US9430624B1 (en) | 2013-04-30 | 2016-08-30 | United Services Automobile Association (Usaa) | Efficient logon |
US9509676B1 (en) * | 2013-04-30 | 2016-11-29 | United Services Automobile Association (Usaa) | Efficient startup and logon |
US9438560B2 (en) * | 2014-12-31 | 2016-09-06 | Symantec Corporation | Systems and methods for automatically applying firewall policies within data center applications |
CN104794626B (en) * | 2015-04-28 | 2018-09-11 | 广东欧珀移动通信有限公司 | A kind of method for anti-counterfeit and device based on hardware information |
CN105072136B (en) * | 2015-09-06 | 2018-02-09 | 李宏仲 | A kind of equipment room safety certifying method and system based on virtual drive |
US10747900B1 (en) * | 2019-08-19 | 2020-08-18 | Cyberark Software Ltd. | Discovering and controlling sensitive data available in temporary access memory |
CN112507301B (en) * | 2020-12-05 | 2021-10-08 | 广州技象科技有限公司 | Internet of things equipment control method, device, equipment and storage medium |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US1876A (en) * | 1840-12-01 | | | Sled for the transportation of ice in blocks |
US18569A (en) * | 1857-11-10 | | | Device for forming round tenons on window-blind slats |
US169961A (en) * | 1875-11-16 | | | Improvement in dumping-wagons |
US6460138B1 (en) * | 1998-10-05 | 2002-10-01 | Flashpoint Technology, Inc. | User authentication for portable electronic devices using asymmetrical cryptography |
US20030014372A1 (en) * | 2000-08-04 | 2003-01-16 | Wheeler Lynn Henry | Trusted authentication digital signature (tads) system |
US6704871B1 (en) * | 1997-09-16 | 2004-03-09 | Safenet, Inc. | Cryptographic co-processor |
US7039027B2 (en) * | 2000-12-28 | 2006-05-02 | Symbol Technologies, Inc. | Automatic and seamless vertical roaming between wireless local area network (WLAN) and wireless wide area network (WWAN) while maintaining an active voice or streaming data connection: systems, methods and program products |
US7069433B1 (en) * | 2001-02-20 | 2006-06-27 | At&T Corp. | Mobile host using a virtual single account client and server system for network access and management |
Family Cites Families (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5774551A (en) * | 1995-08-07 | 1998-06-30 | Sun Microsystems, Inc. | Pluggable account management interface with unified login and logout and multiple user authentication services |
US5943423A (en) | 1995-12-15 | 1999-08-24 | Entegrity Solutions Corporation | Smart token system for secure electronic transactions and identification |
EP0912954B8 (en) * | 1996-07-22 | 2006-06-14 | Cyva Research Corporation | Personal information security and exchange tool |
US6170065B1 (en) * | 1997-11-14 | 2001-01-02 | E-Parcel, Llc | Automatic system for dynamic diagnosis and repair of computer configurations |
JPH11154137A (en) * | 1997-11-20 | 1999-06-08 | Hitachi Ltd | Individual work environment setting system |
US6185685B1 (en) * | 1997-12-11 | 2001-02-06 | International Business Machines Corporation | Security method and system for persistent storage and communications on computer network systems and computer network systems employing the same |
CA2255285C (en) * | 1998-12-04 | 2009-10-13 | Certicom Corp. | Enhanced subscriber authentication protocol |
US7272723B1 (en) * | 1999-01-15 | 2007-09-18 | Safenet, Inc. | USB-compliant personal key with integral input and output devices |
KR20000006645A (en) * | 1999-08-30 | 2000-02-07 | 김종률 | Multi-account Management System for Computer Network using a Integrated Circuit Card and Method Therof |
FR2802666B1 (en) * | 1999-12-17 | 2002-04-05 | Activcard | COMPUTER SYSTEM FOR ACCREDITATION ACCESS APPLICATION |
US6601020B1 (en) * | 2000-05-03 | 2003-07-29 | Eureka Software Solutions, Inc. | System load testing coordination over a network |
GB0023969D0 (en) * | 2000-09-30 | 2000-11-15 | Internet Extra Ltd | Mechanism for automating the extraction of selected information from web based pages design and implementation |
GB2370474B (en) * | 2000-12-22 | 2004-06-09 | Hewlett Packard Co | Communicating credentials across a network |
FI115098B (en) * | 2000-12-27 | 2005-02-28 | Nokia Corp | Authentication in data communication |
US7921290B2 (en) * | 2001-04-18 | 2011-04-05 | Ipass Inc. | Method and system for securely authenticating network access credentials for users |
US6986047B2 (en) * | 2001-05-10 | 2006-01-10 | International Business Machines Corporation | Method and apparatus for serving content from a semi-trusted server |
AU2002259229A1 (en) * | 2001-05-18 | 2002-12-03 | Imprivata, Inc. | Authentication with variable biometric templates |
US20030143372A1 (en) * | 2002-01-28 | 2003-07-31 | Beverly Richard | Antibacterial toilet tissue |
CA2476646A1 (en) * | 2002-02-14 | 2003-08-21 | Zachary Pessin | Apparatus and method of a distributed capital system |
US8745409B2 (en) * | 2002-12-18 | 2014-06-03 | Sandisk Il Ltd. | System and method for securing portable data |
US20040177258A1 (en) | 2003-03-03 | 2004-09-09 | Ong Peng T. | Secure object for convenient identification |
- 2003
  - 2003-04-21 US US10/420,676 patent/US20040177258A1/en not_active Abandoned
  - 2003-05-07 WO PCT/SG2003/000107 patent/WO2004079988A1/en not_active Application Discontinuation
  - 2003-05-07 CA CA002516718A patent/CA2516718A1/en not_active Abandoned
  - 2003-05-07 AU AU2003223153A patent/AU2003223153A1/en not_active Abandoned
  - 2003-05-07 EP EP03719281A patent/EP1606914A4/en not_active Withdrawn
- 2007
  - 2007-02-20 US US11/708,795 patent/US7581099B2/en not_active Expired - Fee Related
- 2009
  - 2009-02-02 US US12/363,988 patent/US8850558B2/en not_active Expired - Fee Related
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US1876A (en) * | 1840-12-01 | | | Sled for the transportation of ice in blocks |
US18569A (en) * | 1857-11-10 | | | Device for forming round tenons on window-blind slats |
US169961A (en) * | 1875-11-16 | | | Improvement in dumping-wagons |
US6704871B1 (en) * | 1997-09-16 | 2004-03-09 | Safenet, Inc. | Cryptographic co-processor |
US6460138B1 (en) * | 1998-10-05 | 2002-10-01 | Flashpoint Technology, Inc. | User authentication for portable electronic devices using asymmetrical cryptography |
US20030014372A1 (en) * | 2000-08-04 | 2003-01-16 | Wheeler Lynn Henry | Trusted authentication digital signature (tads) system |
US7039027B2 (en) * | 2000-12-28 | 2006-05-02 | Symbol Technologies, Inc. | Automatic and seamless vertical roaming between wireless local area network (WLAN) and wireless wide area network (WWAN) while maintaining an active voice or streaming data connection: systems, methods and program products |
US7069433B1 (en) * | 2001-02-20 | 2006-06-27 | At&T Corp. | Mobile host using a virtual single account client and server system for network access and management |
Cited By (51)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090126024A1 (en) * | 2001-03-21 | 2009-05-14 | Kabushiki Kaisha Toshiba | Method and system for managing software licenses and storage apparatus |
US20020138754A1 (en) * | 2001-03-21 | 2002-09-26 | Kabushiki Kaisha Toshiba | Method and system for managing software licenses and storage apparatus |
US8850558B2 (en) | 2003-03-03 | 2014-09-30 | International Business Machines Corporation | Controlling access to a process using a separate hardware device |
US20090205030A1 (en) * | 2003-03-03 | 2009-08-13 | International Business Machines Corporation | Controlling Access to a Process Using a Separate Hardware Device |
US20040230812A1 (en) * | 2003-05-16 | 2004-11-18 | Berner Fachhochschule | Method for authentication of a user with an authorizing device, and a security apparatus for carrying out the method |
US20090217373A1 (en) * | 2003-06-18 | 2009-08-27 | Architecture Technology Corporation | Active verification of boot firmware |
US20080271163A1 (en) * | 2003-06-18 | 2008-10-30 | Stillerman Matthew A | Active verification of boot firmware |
US7716470B2 (en) * | 2003-06-18 | 2010-05-11 | Architecture Technology Corporation | Active verification of boot firmware |
US7467417B2 (en) * | 2003-06-18 | 2008-12-16 | Architecture Technology Corporation | Active verification of boot firmware |
US7610409B2 (en) * | 2005-06-08 | 2009-10-27 | Feitian Technologies Co., Ltd. | Method for transporting data through universal serial bus and universal serial bus device |
US20060282577A1 (en) * | 2005-06-08 | 2006-12-14 | Feitian Technologies Co. Ltd. | Universal serial bus data transport method and device |
US8381294B2 (en) | 2005-07-14 | 2013-02-19 | Imation Corp. | Storage device with website trust indication |
US8438647B2 (en) | 2005-07-14 | 2013-05-07 | Imation Corp. | Recovery of encrypted data from a secure storage device |
US8505075B2 (en) | 2005-07-14 | 2013-08-06 | Marble Security, Inc. | Enterprise device recovery |
US20070101434A1 (en) * | 2005-07-14 | 2007-05-03 | Ironkey, Inc. | Recovery of encrypted data from a secure storage device |
US20070016743A1 (en) * | 2005-07-14 | 2007-01-18 | Ironkey, Inc. | Secure storage device with offline code entry |
US20070300052A1 (en) * | 2005-07-14 | 2007-12-27 | Jevans David A | Recovery of Data Access for a Locked Secure Storage Device |
US8015606B1 (en) | 2005-07-14 | 2011-09-06 | Ironkey, Inc. | Storage device with website trust indication |
US20090276623A1 (en) * | 2005-07-14 | 2009-11-05 | David Jevans | Enterprise Device Recovery |
US8335920B2 (en) | 2005-07-14 | 2012-12-18 | Imation Corp. | Recovery of data access for a locked secure storage device |
US8321953B2 (en) | 2005-07-14 | 2012-11-27 | Imation Corp. | Secure storage device with offline code entry |
WO2007030517A3 (en) * | 2005-09-06 | 2009-04-23 | Ironkey Inc | Systems and methods for third-party authentication |
WO2007030517A2 (en) * | 2005-09-06 | 2007-03-15 | Ironkey, Inc. | Systems and methods for third-party authentication |
US20070067620A1 (en) * | 2005-09-06 | 2007-03-22 | Ironkey, Inc. | Systems and methods for third-party authentication |
US8543764B2 (en) | 2005-12-22 | 2013-09-24 | Imation Corp. | Storage device with accessible partitions |
US8266378B1 (en) | 2005-12-22 | 2012-09-11 | Imation Corp. | Storage device with accessible partitions |
US8639873B1 (en) | 2005-12-22 | 2014-01-28 | Imation Corp. | Detachable storage device with RAM cache |
US9332001B2 (en) | 2006-03-31 | 2016-05-03 | Amazon Technologies, Inc. | Customizable sign-on service |
US7912762B2 (en) * | 2006-03-31 | 2011-03-22 | Amazon Technologies, Inc. | Customizable sign-on service |
US8627435B2 (en) | 2006-03-31 | 2014-01-07 | Amazon Technologies, Inc. | Customizable sign-on service |
US20100263037A1 (en) * | 2006-03-31 | 2010-10-14 | Peter Sirota | Customizable sign-on service |
US10574646B2 (en) | 2006-03-31 | 2020-02-25 | Amazon Technologies, Inc. | Managing authorized execution of code |
US9537853B2 (en) | 2006-03-31 | 2017-01-03 | Amazon Technologies, Inc. | Sign-on service and client service information exchange interactions |
US8108922B2 (en) | 2006-03-31 | 2012-01-31 | Amazon Technologies, Inc. | Customizable sign-on service |
US20070233540A1 (en) * | 2006-03-31 | 2007-10-04 | Peter Sirota | Customizable sign-on service |
US10021086B2 (en) | 2006-03-31 | 2018-07-10 | Amazon Technologies, Inc. | Delegation of authority for users of sign-on service |
US11637820B2 (en) | 2006-03-31 | 2023-04-25 | Amazon Technologies, Inc. | Customizable sign-on service |
US20070288689A1 (en) * | 2006-04-29 | 2007-12-13 | Zhou Lu | USB apparatus and control method therein |
US7861015B2 (en) * | 2006-04-29 | 2010-12-28 | Feitian Technologies Co., Ltd. | USB apparatus and control method therein |
US20070300031A1 (en) * | 2006-06-22 | 2007-12-27 | Ironkey, Inc. | Memory data shredder |
US20080060059A1 (en) * | 2006-09-05 | 2008-03-06 | Takuya Yoshida | Data processor, peripheral device, and recording medium used herewith |
US20090089366A1 (en) * | 2007-09-27 | 2009-04-02 | Kalman Csaba Toth | Portable caching system |
US8745365B2 (en) | 2009-08-06 | 2014-06-03 | Imation Corp. | Method and system for secure booting a computer by booting a first operating system from a secure peripheral device and launching a second operating system stored a secure area in the secure peripheral device on the first operating system |
US8683088B2 (en) | 2009-08-06 | 2014-03-25 | Imation Corp. | Peripheral device data integrity |
US20110035574A1 (en) * | 2009-08-06 | 2011-02-10 | David Jevans | Running a Computer from a Secure Portable Device |
US8499157B1 (en) * | 2010-09-29 | 2013-07-30 | Emc Corporation | Device-based password management |
US9672344B2 (en) * | 2011-12-15 | 2017-06-06 | Samsung Electronics Co., Ltd. | Computing apparatus and method for operating application using retrieved login information |
US20130160113A1 (en) * | 2011-12-15 | 2013-06-20 | Samsung Electronics Co., Ltd. | Computing apparatus and method for operating application |
US9152797B2 (en) | 2012-10-30 | 2015-10-06 | Barclays Bank Plc | Device and method for secure memory access |
US9916574B2 (en) | 2012-10-30 | 2018-03-13 | Barclays Bank Plc | Secure computing device and method |
WO2017207680A1 (en) * | 2016-06-01 | 2017-12-07 | Bundesdruckerei Gmbh | User authentication by means of an id token |
Also Published As
Publication number | Publication date |
---|---|
US20090205030A1 (en) | 2009-08-13 |
WO2004079988A1 (en) | 2004-09-16 |
US7581099B2 (en) | 2009-08-25 |
US20070208950A1 (en) | 2007-09-06 |
EP1606914A1 (en) | 2005-12-21 |
CA2516718A1 (en) | 2004-09-16 |
US8850558B2 (en) | 2014-09-30 |
AU2003223153A1 (en) | 2004-09-28 |
EP1606914A4 (en) | 2008-12-31 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7581099B2 (en) | Secure object for convenient identification | |
US10666642B2 (en) | System and method for service assisted mobile pairing of password-less computer login | |
US10404476B1 (en) | Systems and methods for providing authentication to a plurality of devices | |
US8683562B2 (en) | Secure authentication using one-time passwords | |
US9397988B2 (en) | Secure portable store for security skins and authentication information | |
US7409543B1 (en) | Method and apparatus for using a third party authentication server | |
JP5860815B2 (en) | System and method for enforcing computer policy | |
EP2115654B1 (en) | Simplified management of authentication credentials for unattended applications | |
US20040117662A1 (en) | System for indentity management and fortification of authentication | |
US11544365B2 (en) | Authentication system using a visual representation of an authentication challenge | |
US6973569B1 (en) | Inexpensive secure on-line certification authority system and method | |
US20090158033A1 (en) | Method and apparatus for performing secure communication using one time password | |
KR101451359B1 (en) | User account recovery | |
US8953805B2 (en) | Authentication information generating system, authentication information generating method, client apparatus, and authentication information generating program for implementing the method | |
KR101686167B1 (en) | Apparatus and Method for Certificate Distribution of the Internet of Things Equipment | |
US20150121498A1 (en) | Remote keychain for mobile devices | |
CN101507233A (en) | Method and apparatus for providing trusted single sign-on access to applications and internet-based services | |
US11716312B1 (en) | Platform for optimizing secure communications | |
EP1760988A1 (en) | Multi-level and multi-factor security credentials management for network element authentication | |
EP4096147A1 (en) | Secure enclave implementation of proxied cryptographic keys | |
US9323911B1 (en) | Verifying requests to remove applications from a device | |
US8051470B2 (en) | Consolidation of user directories | |
KR101545897B1 (en) | A server access control system by periodic authentification of the smart card | |
US20140289519A1 (en) | Entities with biometrically derived keys | |
CN114697137A (en) | Application program login method, device, equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AS | Assignment | Owner name: ENCENTUATE PTE LTD, SINGAPORE. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ONG, PENG T.;REEL/FRAME:014335/0854. Effective date: 20030717 |
 | STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
 | AS | Assignment | Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y. Free format text: ACQUISITION;ASSIGNOR:INTERNATIONAL BUSINESS MACHINES CORPORATION;REEL/FRAME:021541/0893. Effective date: 20080901 |
 | AS | Assignment | Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y. Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNOR. DOCUMENT PREVIOUSLY RECORDED AT REEL 021541 FRAME 0893;ASSIGNOR:ENCENTUATE PTE. LTD.;REEL/FRAME:021792/0815. Effective date: 20080901. Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y. Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNOR. DOCUMENT PREVIOUSLY RECORDED AT REEL 021541 FRAME 0893. ASSIGNOR HEREBY CONFIRMS THE ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ENCENTUATE PTE. LTD.;REEL/FRAME:021792/0815. Effective date: 20080901 |