Extended one-time password method and apparatus

US 20070067828A1
Filed: 08/11/2006
Published: 03/22/2007
Est. Priority Date: 08/11/2005
Status: Active Grant

First Claim

Patent Images

1. ) In a system comprising a server, a client workstation in communication with the server via a wide-area network, and an OTP token interfaced with the client workstation via a device interface, a method of handling session OTP transmission, the method comprising:

a) receiving from the server information at least partially identifying the server;

b) determining if said identifying information is indicative of a legitimate server; and

c) in accordance with said determining, deciding to carry out one action selected from the group consisting of;

i) transmitting, from the OTP token, data indicative of an internally-generated session OTP; and

ii) refraining from said transmitting.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An OTP token for facilitating the authorizing of a client workstation to conduct a session with a server over the Internet is disclosed. Information at least partially identifying the server is provided to the OTP token and/or the client workstation, and a determination is made, using this identifying information, if the server is a legitimate server. In accordance with this determination, it is decided whether or not to transmit data indicative of a session OTP from the OTP token to the client workstation. In some embodiments, if the identifying information is indicative of a legitimate server, the data indicative of the session OTP is transmitted from the OTP token to the client workstation, and otherwise, the data indicative of the session OTP is withheld from the client workstation. Data indicative of the session OTP may include, in various embodiments, either multi-factor authentication data derived from user authorization data, or session OTP data that is independent of user authentication data.

231 Citations

36 Claims

1. ) In a system comprising a server, a client workstation in communication with the server via a wide-area network, and an OTP token interfaced with the client workstation via a device interface, a method of handling session OTP transmission, the method comprising:
- a) receiving from the server information at least partially identifying the server;
  
  b) determining if said identifying information is indicative of a legitimate server; and
  
  c) in accordance with said determining, deciding to carry out one action selected from the group consisting of;
  
  i) transmitting, from the OTP token, data indicative of an internally-generated session OTP; and
  
  ii) refraining from said transmitting.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. ) The method of claim 1 further comprising:
    - d) only if said decision is a positive decision, transmitting said data indicative of said session OTP from the OTP token.
  - 3. ) The method of claim 2 wherein said transmitting includes effecting an inter-device data transfer of said indicative data from the OTP token to the client workstation via the interface only if said decision is positive.
  - 4. ) The method of claim 2 wherein said transmitting includes displaying said data indicative of said session OTP on a display screen of the OTP token only if said decision is positive.
  - 5. ) The method of claim 1 wherein said data indicative of said session OTP is multi-factor authentication data derived also from user authentication data.
  - 6. ) The method of claim 1 wherein said data indicative of said session OTP is independent of user authentication data.
  - 7. ) The method of claim 1 wherein, further comprising:
    - d) if said decision is a negative decision, refraining by the OTP token from generating said session OTP.
  - 8. ) The method of claim 1 wherein, further comprising:
    - d) if said decision is a negative decision;
      
      i) internally generating, within the OTP token, said session OTP;
      
      ii) maintaining a status wherein said session OTP remains within the OTP token.
  - 9. ) The method of claim 1 further comprising:
    - d) before said receiving, using an embedded security browser within the OTP token, opening a secure session between the OTP token and the server.
  - 10. ) The method of claim 9 further comprising:
    - e) after said opening of said session, transferring a client end of said session from the OTP token to the client workstation, wherein at least one of said receiving and said determining is carried out at the client workstation.
  - 11. ) The method of claim 9 wherein a client end of said session remains at said embedded browser at a time that said identifying information is received by the OTP token from the server.
  - 12. ) The method of claim 1 wherein said receiving is carried out by the OTP token via a communications link between the server and the OTP token.
  - 13. ) The method of claim 1 wherein said determining is carried out within the OTP token.
  - 14. ) The method of claim 1 wherein said determining includes effecting a query to a database residing within the OTP token.
  - 15. ) The method of claim 14 wherein said query is effected from the client workstation.
  - 16. ) The method of claim 14 wherein said determining is carried out within the OTP token, and said query is effected by database client code residing within the OTP token.
  - 17. ) The method of claim 14 wherein said database is an immutable database.
  - 18. ) The method of claim 14 wherein said database includes one of a pre-determined list of acceptable URLs, a pre-determined list of acceptable IP addresses, and a pre-determined list of acceptable values for certificate fields.
  - 19. ) The method of claim 1 wherein said determining is carried out in accordance with at least one of protocol data of a received one communication, certificate data transmitted in a received communication, IP address data, and URL data.
  - 20. ) The method of claim 19 wherein said determining is carried out in accordance with only some attributes of a certificate received from said server.

21. ) An OTP token for use with a client workstation in communication with a server via a wide-area network, the OTP token comprising:
- a) a device port for receiving, from the client workstation, data including information at least partially identifying the server;
  
  b) a server legitimacy engine for determining if said information is indicative of a legitimate server;
  
  c) an OTP generator operative to generate a session OTP; and
  
  d) an OTP-transmission decision engine operative, in accordance with results of said determining, to decide to carry out one action selected from the group consisting of;
  
  i) transmitting, from the OTP token, data indicative of said session OTP; and
  
  ii) refraining from said transmitting.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 22. ) The OTP token of claim 21, further comprising:
    - e) an OTP transmitter for transmitting data indicative of a session OTP from the OTP token in accordance with said decision.
  - 23. ) The OTP token of claim 22 wherein said OTP transmitter is operative to effect an inter-device data transfer, via said data port, of said data indicative of said session OTP, only if said decision is a positive decision.
  - 24. ) The OTP token of claim 22 further comprising:
    - f) a data display, wherein said OTP transmitter is operative to transmit said data indicative of said session OTP to said data display only if said decision is a positive decision.
  - 25. ) The OTP token of claim 21 further comprising:
    - e) an embedded security browser embedded within the OTP token, said embedded browser operative to open a secure session between the OTP token and the server.
  - 26. ) The OTP token of claim 25 wherein said embedded security browser is operative to receive, during said secure session, said identifying information.
  - 27. ) The OTP token of claim 21 wherein said server legitimacy engine includes:
    - d) a database of predetermined data, wherein said server legitimacy engine is operative to carry out said determining in accordance with contents of said database.
  - 28. ) The OTP token of claim 27 wherein said database is an immutable database.
  - 29. ) The OTP token of claim 27 wherein said database includes one a pre-determined list of acceptable URLs, a pre-determined list of acceptable IP addresses, and a pre-determined list of acceptable values for certificate fields.
  - 30. ) The OTP token of claim 21 wherein said server legitimacy engine is operative to carry out said determining in accordance with at least one of protocol data of a communication from the server certificate data transmitted in a communication from the server, IP address data, and URL data.
  - 31. ) The OTP token of claim 30 wherein said server legitimacy engine is operative to carry out said determining in accordance with only some attributes of a certificate received from said server.
  - 32. ) The OTP token of claim 21 wherein said OTP generator is operative to generate said Session OTP in accordance with user authentication data, thereby generating said Session OTP as multi-factor authentication data.

33. ) The OTP token of claim 33 further comprising:
- e) a user identification module for authenticating said user authentication data.
- View Dependent Claims (34)
- - 34. ) The OTP token of claim 33 wherein said OTP-transmission decision engine is operative to effect said decision in accordance with results of said authenticating of said user authentication data.

35. ) A system for handling transmission of Session OTP data, the system comprising:
- a) a client workstation in communication with a server via a wide-area network, b) an OTP token interfaced with said client workstation, said OTP token including;
  
  i) a device port for interfacing with said client workstation; and
  
  ii) an OTP generator operative to generate a session OTP; and
  
  wherein at least one of said OTP token and said client workstation is operative to receive information identifying said server, the system further comprising;
  
  c) a server legitimacy engine for determining if said information is indicative of a legitimate server, said server legitimacy engine residing at least in part in at least one of said OTP token and said client workstation;
  
  d) an OTP-transmission decision engine operative, in accordance with results of said determining, to decide to carry out one action selected from the group consisting of;
  
  i) transmitting, from the OTP token, data indicative of said session OTP; and
  
  ii) refraining from said transmitting, wherein, said OTP-transmission decision engine resides at least in part in at least one of said OTP token and said client workstation.

36. ) A computer readable storage medium having computer readable code embodied in said computer readable storage medium, said computer readable code comprising instructions for:
- a) receiving, by at least one of a client workstation in communication with a server via a wide-area network and an OTP token interfaced with said server, information at least partially identifying the server;
  
  b) determining if said identifying information is indicative of a legitimate server; and
  
  c) in accordance with said determining, deciding to carry out one action selected from the group consisting of;
  
  i) transmitting, from the OTP token, data indicative of an internally-generated session OTP; and
  
  ii) refraining from said transmitting.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Western Digital Israel Limited (Western Digital Corporation)
Original Assignee
msystems Ltd. (Western Digital Corporation)
Inventors
Bychkov, Eyal

Granted Patent

US 8,132,243 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

G06F 21/31   User authentication

G06F 21/33   using certificates

H04L 63/0838   using one-time-passwords

H04L 63/0853   using an additional device,...

H04L 63/1441   Countermeasures against mal...

H04L 63/1466   Active attacks involving in...

Extended one-time password method and apparatus

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

231 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Extended one-time password method and apparatus

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

231 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links