Detecting and preventing replay in authentication systems
Abstract
A system for detecting and preventing replay attacks includes a plurality of interconnected authentication servers, and one or more tokens for generating a one-time passcode and providing the one-time passcode to one of the authentication servers for authentication. The system includes an adjudicator function associated with each authentication server. The adjudicator evaluates a high water mark value associated with a token seeking authentication, allows authentication to proceed for the token if the high water mark evaluation indicates that the one-time passcode was not used in a previous authentication, and prevents authentication if the high water mark evaluation indicates that the one-time passcode was used in a previous authentication. The token is associated with a home authentication server that maintains a current high water mark of the token. The home authentication server validates the current high water mark on behalf of the adjudicator function evaluating the token for authentication.
15 Claims
1. A system for detecting and preventing replay attacks in an authentication network, comprising:
a plurality of authentication servers interconnected through an authentication network;
one or more tokens for generating a one-time passcode, and for providing the one-time passcode to one of the plurality of authentication servers for authentication;
an adjudicator function associated with each of the plurality of authentication servers, wherein the adjudicator function:
(a) evaluates a high water mark value associated with a token seeking authentication;
(b) allows an authentication procedure to proceed for the token seeking authentication if the high water mark evaluation indicates that the one-time passcode was not used in a previous authentication transaction; and
(c) prevents authentication of the token seeking authentication if the high water mark evaluation indicates that the one-time passcode was used in a previous authentication transaction;
wherein the token seeking authentication is associated with a home authentication server that maintains a current high water mark value of the token seeking authentication, and wherein the home authentication server validates the current high water mark value on behalf of the adjudicator function evaluating the token seeking authentication.
Dependent claims: 2, 3, 4, 5.
6. A method of detecting and preventing replay attacks in an authentication network including a plurality of authentication servers interconnected through an authentication network, comprising:
associating a token, capable of generating one-time passcodes, with a home authentication server that maintains a current high water mark value of the token seeking authentication;
generating a one-time passcode with the token, and providing the one-time passcode to one of the plurality of authentication servers for authentication;
evaluating a high water mark value associated with the token;
allowing an authentication procedure to proceed for the token if the high water mark evaluation indicates that the one-time passcode was not used in a previous authentication transaction; and
preventing authentication of the token seeking authentication if the high water mark evaluation indicates that the one-time passcode was used in a previous authentication transaction.
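The replay check of the abstract and of claims 1 and 6, worked through as an added example (this is not the patent's code, and the patent does not specify the passcode algorithm): the token produces counter-based one-time passcodes (HOTP, RFC 4226); any server in the network can act as the adjudicator that works out which counter a presented passcode corresponds to; only the token's home server holds and advances the token's high water mark, so a passcode presented a second time, even to a different server, is rejected as a replay. Server names, token identifiers and the shared directory are assumptions made for the demo.

```python
"""Replay detection with a per-token high water mark (HWM) and a home server.

Constructed example: HOTP (RFC 4226) passcodes, an in-process "network" of
servers and a shared token directory stand in for the authentication network
of the claims. Server and token names are made up.
"""
import hashlib
import hmac
import struct

LOOKBACK = 20    # counters at or below the HWM still recognised, so a replay is reported as one
LOOKAHEAD = 20   # counters above the HWM accepted, tolerating unsynchronised button presses


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Token:
    """Token sharing `secret` with the network; the counter advances once per passcode."""
    def __init__(self, token_id: str, secret: bytes):
        self.token_id, self.secret, self.counter = token_id, secret, 0

    def passcode(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Directory:
    """State replicated to every server: token secrets, token -> home mapping, server registry."""
    def __init__(self):
        self.secrets = {}   # token_id -> secret
        self.home_of = {}   # token_id -> name of home server
        self.servers = {}   # name -> AuthServer


class AuthServer:
    def __init__(self, name: str, directory: Directory):
        self.name, self.directory = name, directory
        self.hwm = {}       # authoritative HWM for tokens homed here: highest counter ever accepted
        directory.servers[name] = self

    # Home-server role: the one place a token's HWM is read and advanced.
    def current_hwm(self, token_id: str) -> int:
        return self.hwm.get(token_id, -1)

    def validate_and_advance(self, token_id: str, counter: int) -> bool:
        """Accept `counter` only if strictly above the stored HWM, then record it.
        Re-checking here, not only in the adjudicator, closes the race where two
        servers evaluate the same passcode before either has committed."""
        if counter <= self.hwm.get(token_id, -1):
            return False
        self.hwm[token_id] = counter
        return True

    # Adjudicator role: whichever server the token happens to authenticate to.
    def authenticate(self, token_id: str, passcode: str) -> str:
        secret = self.directory.secrets[token_id]
        home = self.directory.servers[self.directory.home_of[token_id]]
        hwm = home.current_hwm(token_id)
        # Which counter produced this passcode? Search a window around the HWM.
        counter = next(
            (c for c in range(max(0, hwm - LOOKBACK), hwm + LOOKAHEAD + 1)
             if hmac.compare_digest(hotp(secret, c).encode(), passcode.encode())),
            None,
        )
        if counter is None:
            return "REJECT: passcode matches no counter near the high water mark"
        if counter <= hwm:
            return f"REJECT: replay (counter {counter} already used, high water mark {hwm})"
        if not home.validate_and_advance(token_id, counter):
            return "REJECT: replay (another server committed this counter first)"
        return f"ACCEPT: counter {counter}, high water mark now {counter}"


def demo() -> list:
    """Genuine use at the home server, a replay at a second server, a genuine roaming use."""
    d = Directory()
    home, roaming = AuthServer("home-east", d), AuthServer("roaming-west", d)
    tok = Token("T-001", b"12345678901234567890")   # RFC 4226 test-vector secret
    d.secrets[tok.token_id], d.home_of[tok.token_id] = tok.secret, home.name
    first = tok.passcode()                          # counter 0 -> "755224"
    return [
        home.authenticate(tok.token_id, first),              # genuine
        roaming.authenticate(tok.token_id, first),           # replayed to another server
        roaming.authenticate(tok.token_id, tok.passcode()),  # genuine next passcode, roaming
        home.authenticate(tok.token_id, "000000"),           # wrong passcode
    ]


if __name__ == "__main__":
    print("\n".join(demo()))
```

The adjudicator searches both below and above the high water mark so that a replayed passcode is reported as a replay rather than as an unknown code, which matters for alerting. The home server repeats the comparison when it commits, since two adjudicators can evaluate the same passcode concurrently; in a real deployment that commit is the step that must be atomic.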
7. A method of associating tokens, capable of generating one-time passcodes, with home authentication servers in a network of authentication servers, comprising:
assigning each of a plurality of tokens to a home authentication server according to a predetermined characteristic of the token;
evaluating authentication activity of the plurality of tokens;
for each one of the plurality of tokens, reassigning the token to the home authentication server to which the token most often authenticates.
Dependent claims: 8, 9, 10, 11, 12, 13.
14. A method of determining availability of one or more home authentication servers in a network of authentication servers, comprising:
assigning each of a plurality of tokens, capable of generating one-time passcodes, to a home authentication server;
issuing each of the home authentication servers a status request;
receiving status responses from at least some of the home authentication servers;
identifying one or more home authentication servers that fail to provide a status response as failed home authentication servers; and
for each token that is currently assigned to one of the failed home authentication servers, assigning the token to a different home authentication server.
15. A method of determining availability of one or more home authentication servers in a network of authentication servers, comprising:
assigning each of a plurality of tokens, capable of generating one-time passcodes, to a home authentication server;
detecting, via one or more hardware-based failure detection components, whether one or more of the home authentication servers have failed;
for each token that is currently assigned to one of the home authentication servers detected as having failed, assigning the token to a different home authentication server.
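The home-assignment procedures of claims 7, 14 and 15, as one added example (not the patent's code): tokens are first placed by a fixed characteristic, here a hash of the token identifier, which the patent leaves unspecified; they are later reassigned to the server they most often authenticate to; and when a home server fails to answer a status request, or is reported failed by some other detector, its tokens are rehomed to a live server. The class, server and token names are assumptions for the demo.

```python
"""Home-server assignment for tokens: initial placement by a fixed characteristic,
reassignment to the server a token most often uses, and failover when a home
server stops answering status requests. Constructed example; names are made up.
"""
import zlib
from collections import Counter


class HomeAssigner:
    def __init__(self, servers):
        self.servers = list(servers)   # authentication servers that can act as a home
        self.home_of = {}              # token_id -> home server
        self.activity = {}             # token_id -> Counter of servers it authenticated to

    def assign_initial(self, token_id: str) -> str:
        """Predetermined characteristic: a stable hash of the token identifier, so a
        fresh token lands on the same home on every server that computes it."""
        home = self.servers[zlib.crc32(token_id.encode()) % len(self.servers)]
        self.home_of[token_id] = home
        return home

    def record_authentication(self, token_id: str, server: str) -> None:
        self.activity.setdefault(token_id, Counter())[server] += 1

    def rebalance(self) -> dict:
        """Move each token to the server it most often authenticates to.
        Returns {token_id: (old_home, new_home)} for the tokens that moved."""
        moved = {}
        for token_id, counts in self.activity.items():
            favourite = counts.most_common(1)[0][0]
            if favourite in self.servers and favourite != self.home_of.get(token_id):
                moved[token_id] = (self.home_of.get(token_id), favourite)
                self.home_of[token_id] = favourite
        return moved

    def failed_by_status(self, responses: dict) -> set:
        """Status-request sweep: a server with no response (None or absent) is failed."""
        return {s for s in self.servers if responses.get(s) is None}

    def failover(self, failed: set) -> dict:
        """Rehome every token whose home is in `failed` (from a status sweep or from a
        hardware failure detector). Prefers the live server the token uses most,
        otherwise a deterministic hash placement over the live servers."""
        live = [s for s in self.servers if s not in failed]
        if not live:
            raise RuntimeError("no live home servers to fail over to")
        moved = {}
        for token_id, home in list(self.home_of.items()):
            if home not in failed:
                continue
            usage = self.activity.get(token_id, Counter()).most_common()
            preferred = [s for s, _ in usage if s in live]
            new_home = preferred[0] if preferred else live[zlib.crc32(token_id.encode()) % len(live)]
            moved[token_id] = (home, new_home)
            self.home_of[token_id] = new_home
        return moved


def demo() -> dict:
    a = HomeAssigner(["srv-a", "srv-b", "srv-c"])
    initial = {t: a.assign_initial(t) for t in ("T-001", "T-002")}
    # Constructed activity: T-001 mostly uses srv-b, sometimes srv-a; T-002 only srv-c.
    for _ in range(5):
        a.record_authentication("T-001", "srv-b")
    a.record_authentication("T-001", "srv-a")
    for _ in range(3):
        a.record_authentication("T-002", "srv-c")
    a.rebalance()
    rebalanced = dict(a.home_of)
    # Status sweep: srv-b never answers, so T-001 must move to a live server it uses.
    failed = a.failed_by_status({"srv-a": "ok", "srv-b": None, "srv-c": "ok"})
    a.failover(failed)
    return {"initial": initial, "rebalanced": rebalanced,
            "failed": failed, "after_failover": dict(a.home_of)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Keeping the assignment map on every server (or in a replicated directory) is what lets an adjudicator find a token's home without a central lookup; the failover path reuses the activity counts so a rehomed token lands where its high water mark is most likely to be consulted anyway.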
Specification