Detecting and preventing replay in authentication systems

US 20070256123A1
Filed: 12/01/2006
Published: 11/01/2007
Est. Priority Date: 12/01/2005
Status: Active Grant

First Claim

Patent Images

1. A system for detecting and preventing replay attacks in an authentication network, comprising:

a plurality of authentication servers interconnected through an authentication network;

one or more tokens for generating a one-time passcode, and for providing the one-time passcode to one of the plurality of authentication servers for authentication;

an adjudicator function associated with each of the plurality of authentication servers, wherein the adjudicator function;

(a) evaluates a high water mark value associated with a token seeking authentication;

(b) allows an authentication procedure to proceed for the token seeking authentication if the high water mark evaluation indicates that the one-time passcode was not used in a previous authentication transaction; and

, (c) prevents authentication of the token seeking authentication if the high water mark evaluation indicates that the one-time passcode was used in a previous authentication transaction;

wherein the token seeking authentication is associated with a home authentication server that maintains a current high water mark value of the token seeking authentication, and wherein the home authentication server validates the current high water mark value on behalf of the adjudicator function evaluating the token seeking authentication.

View all claims

24 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for detecting and preventing replay attacks includes a plurality of interconnected authentication servers, and one or more tokens for generating a one-time passcode and providing the one-time passcode to one of the authentication servers for authentication. The system includes an adjudicator function associated with each authentication server. The adjudicator evaluates a high water mark value associated with a token seeking authentication, allows authentication to proceed for the token if the high water mark evaluation indicates that the one-time passcode was not used in a previous authentication, and prevents authentication if the high water mark evaluation indicates that the one-time passcode was used in a previous authentication. The token is associated with a home authentication server that maintains a current high water mark of the token. The home authentication server validates the current high water mark on behalf of the adjudicator function evaluating the token for authentication.

Citations

15 Claims

1. A system for detecting and preventing replay attacks in an authentication network, comprising:
- a plurality of authentication servers interconnected through an authentication network;
  
  one or more tokens for generating a one-time passcode, and for providing the one-time passcode to one of the plurality of authentication servers for authentication;
  
  an adjudicator function associated with each of the plurality of authentication servers, wherein the adjudicator function;
  
  (a) evaluates a high water mark value associated with a token seeking authentication;
  
  (b) allows an authentication procedure to proceed for the token seeking authentication if the high water mark evaluation indicates that the one-time passcode was not used in a previous authentication transaction; and
  
  , (c) prevents authentication of the token seeking authentication if the high water mark evaluation indicates that the one-time passcode was used in a previous authentication transaction;
  
  wherein the token seeking authentication is associated with a home authentication server that maintains a current high water mark value of the token seeking authentication, and wherein the home authentication server validates the current high water mark value on behalf of the adjudicator function evaluating the token seeking authentication.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, wherein one of the plurality of authentication servers functions as the home authentication server for all of the one or more tokens in the system.
  - 3. The system of claim 1, wherein the high water mark value associated with the token seeking authentication includes information regarding a most recent time the token authenticated to one of the plurality of authentication servers.
  - 4. The system of claim 1, wherein the adjudicator disregards the high water mark associated with a token if the high water mark has aged by more than a predetermined amount of time.
  - 5. The system of claim 4, wherein the predetermined amount of time is a function of whether the token is a hardware-based token or a software-based token.

6. A method of detecting and preventing replay attacks in an authentication network including a plurality of authentication servers interconnected through an authentication network, comprising:
- associating a token, capable of generating one-time passcodes, with a home authentication server that maintains a current high water mark value of the token seeking authentication;
  
  generating a one-time passcode with the token, and providing the one-time passcode to one of the plurality of authentication servers for authentication;
  
  evaluating a high water mark value associated with the token;
  
  allowing an authentication procedure to proceed for the token if the high water mark evaluation indicates that the one-time passcode was not used in a previous authentication transaction; and
  
  , preventing authentication of the token seeking authentication if the high water mark evaluation indicates that the one-time passcode was used in a previous authentication transaction.

7. A method of associating tokens, capable of generating one-time passcodes, with home authentication servers in a network of authentication servers, comprising:
- assigning each of a plurality of tokens to a home authentication server according to a predetermined characteristic of the token;
  
  evaluating authentication activity of the plurality of tokens;
  
  for each one of the plurality of tokens, reassigning the token to a home authentication server to which the token most often authenticates.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The method of claim 7, wherein the predetermined characteristic of the token is a registration site of the token.
  - 9. The method of claim 7, wherein the predetermined characteristic of the token is an identification number associated with the token.
  - 10. The method of claim 7, wherein evaluating authentication activity of the plurality of tokens further includes counting authentication attempts the token submits to each authentication server in the network of authentication servers.
  - 11. The method of claim 7, further including reassigning the token at a predetermined token reassignment rate.
  - 12. The method of claim 7, further including disregarding the high water mark if the high water mark has aged by more than a predetermined amount of time.
  - 13. The method of claim 12, wherein the predetermined amount of time is a function of whether the token is a hardware-based token or a software-based token.

14. A method of determining availability of one or more home authentication servers in a network of authentication servers, comprising:
- assigning each of a plurality of tokens, capable of generating one-time passcodes, to a home authentication server;
  
  issuing each of the home authentication servers a status request;
  
  receiving status responses from at least some of the home authentication servers;
  
  identifying one or more home authentication servers that fail to provide a status response as failed home authentication servers; and
  
  , for each token that is currently assigned to one of the failed home authentications servers, assigning the token to a different home authentication server.

15. A method of determining availability of one or more home authentication servers in a network of authentication servers, comprising:
- assigning each of a plurality of tokens, capable of generating one-time passcodes, to a home authentication server;
  
  detecting, via one or more hardware-based failure detection components, whether one or more of the home authentication servers have failed;
  
  for each token that is currently assigned to one of the home authentications servers detected as having failed, assigning the token to a different home authentication server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RSA Security LLC (Symphony Technology Group LLC)
Original Assignee
RSA Security Incorporated (Symphony Technology Group LLC)
Inventors
Duane, William, Volanis, Alexander, Friedman, Lawrence

Granted Patent

US 7,810,147 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

H04L 63/0838 using one-time-passwords

H04L 63/1441 Countermeasures against mal...

Detecting and preventing replay in authentication systems

First Claim

24 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting and preventing replay in authentication systems

First Claim

24 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links