Detecting and preventing replay in authentication systems
First Claim
1. A system for detecting and preventing replay attacks in an authentication network, comprising:
a plurality of authentication servers interconnected through an authentication network;
one or more tokens for generating a one-time passcode, and for providing the one-time passcode to one of the plurality of authentication servers for authentication;
an adjudicator function associated with each of the plurality of authentication servers, wherein the adjudicator function:
  (a) evaluates a high water mark value associated with a token seeking authentication;
  (b) allows an authentication procedure to proceed for the token seeking authentication if the high water mark evaluation indicates that the one-time passcode was not used in a previous authentication transaction; and
  (c) prevents authentication of the token seeking authentication if the high water mark evaluation indicates that the one-time passcode was used in a previous authentication transaction;
wherein the token seeking authentication is associated with a home authentication server that maintains a current high water mark value of the token seeking authentication, and wherein the home authentication server validates the current high water mark value on behalf of the adjudicator function evaluating the token seeking authentication;
wherein, when the token seeking authentication seeks authentication from an authentication server of the plurality of authentication servers that is not the home authentication server (non-home authentication server), the system is constructed and arranged to:
  (i) forward the high water mark value to the adjudicator function of the non-home authentication server;
  (ii) determine, at the adjudicator function of the non-home authentication server, that the high water mark information originating from the token seeking authentication is associated with the home authentication server; and
  (iii) in response to determining, send the high water mark value to the adjudicator function of the home authentication server; and
wherein, when the token seeking authentication seeks authentication from the home authentication server, the system is constructed and arranged to:
  (i) forward the high water mark value to the adjudicator function of the home authentication server;
  (ii) determine, at the adjudicator function of the home authentication server, that the high water mark value originating from the token seeking authentication is associated with the home authentication server; and
  (iii) in response to determining, maintain the high water mark value in the adjudicator function of the home authentication server.
Abstract
A system for detecting and preventing replay attacks includes a plurality of interconnected authentication servers, and one or more tokens for generating a one-time passcode and providing the one-time passcode to one of the authentication servers for authentication. The system includes an adjudicator function associated with each authentication server. The adjudicator evaluates a high water mark value associated with a token seeking authentication, allows authentication to proceed for the token if the high water mark evaluation indicates that the one-time passcode was not used in a previous authentication, and prevents authentication if the high water mark evaluation indicates that the one-time passcode was used in a previous authentication. The token is associated with a home authentication server that maintains a current high water mark of the token. The home authentication server validates the current high water mark on behalf of the adjudicator function evaluating the token for authentication.
16 Claims
Independent claim 1 is reproduced above under First Claim; the remaining independent claims follow.
7. A method of associating tokens, capable of generating one-time passcodes, with home authentication servers in a network of authentication servers, comprising:
assigning each of a plurality of tokens to a home authentication server according to a predetermined characteristic of the token;
evaluating authentication activity of the plurality of tokens;
for each one of the plurality of tokens, reassigning the token to a home authentication server to which the token most often authenticates;
wherein authentication activity includes, regardless of which authentication server in the network of authentication servers that a token seeks authentication from, evaluating a high water mark value associated with the token seeking authentication at the home authentication server;
wherein evaluating the high water mark value includes, when the token seeking authentication seeks authentication from an authentication server of the plurality of authentication servers that is not the home authentication server (non-home authentication server):
  (i) forwarding the high water mark value to the adjudicator function of the non-home authentication server;
  (ii) determining, at the adjudicator function of the non-home authentication server, that the high water mark information originating from the token seeking authentication is associated with the home authentication server; and
  (iii) in response to determining, sending the high water mark value to the adjudicator function of the home authentication server; and
wherein evaluating the high water mark value includes, when the token seeking authentication seeks authentication from the home authentication server:
  (i) forwarding the high water mark value to the adjudicator function of the home authentication server;
  (ii) determining, at the adjudicator function of the home authentication server, that the high water mark value originating from the token seeking authentication is associated with the home authentication server; and
  (iii) in response to determining, maintaining the high water mark value in the adjudicator function of the home authentication server.
15. A method of detecting and preventing replay attacks in an authentication network including a plurality of authentication servers interconnected through an authentication network, comprising:
associating a token, capable of generating one-time passcodes, with a home authentication server that maintains a current high water mark value of the token seeking authentication;
generating a one-time passcode with the token, and providing the one-time passcode to one of the plurality of authentication servers for authentication;
evaluating a high water mark value associated with the token;
allowing an authentication procedure to proceed for the token if the high water mark evaluation indicates that the one-time passcode was not used in a previous authentication transaction;
preventing authentication of the token seeking authentication if the high water mark evaluation indicates that the one-time passcode was used in a previous authentication transaction;
when the token seeking authentication seeks authentication from an authentication server of the plurality of authentication servers that is not the home authentication server (non-home authentication server):
  (i) forwarding the high water mark value to an adjudicator function of the non-home authentication server;
  (ii) determining, at the adjudicator function of the non-home authentication server, that the high water mark information originating from the token seeking authentication is associated with the home authentication server; and
  (iii) in response to determining, sending the high water mark value to an adjudicator function of the home authentication server; and
when the token seeking authentication seeks authentication from the home authentication server:
  (i) forwarding the high water mark value to the adjudicator function of the home authentication server;
  (ii) determining, at the adjudicator function of the home authentication server, that the high water mark value originating from the token seeking authentication is associated with the home authentication server; and
  (iii) in response to determining, maintaining the high water mark value in the adjudicator function of the home authentication server.
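The following Python model is an added illustration of the mechanism the claims describe (claims 1 and 15: home-server high water mark adjudication with forwarding from non-home servers; claim 7: re-homing a token to the server it most often authenticates at). It is not code from the patent or its assignee. It assumes an HOTP-style event counter that the token presents alongside the passcode and that serves as its high water mark value (the claims do not say how the value is derived), a directory of token secrets and home assignments replicated to every server, and in-process method calls standing in for the server-to-server forwarding; `Token`, `Network`, `AuthServer` and `demo` are names chosen here.

```python
import hashlib
import hmac
from collections import Counter

OTP_DIGITS = 6


def otp_for(secret: bytes, counter: int) -> str:
    """HOTP-style passcode: HMAC-SHA256 over the event counter, truncated to six digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**OTP_DIGITS:0{OTP_DIGITS}d}"


class Token:
    """Event-based token; its counter doubles as the high water mark value it presents (assumption)."""

    def __init__(self, serial: str, secret: bytes):
        self.serial, self.secret, self.counter = serial, secret, 0

    def generate(self):
        self.counter += 1
        return self.serial, self.counter, otp_for(self.secret, self.counter)


class Network:
    """Directory replicated to all servers (assumption): secrets, home assignments, activity."""

    def __init__(self):
        self.servers = {}
        self.secrets = {}
        self.home_of = {}
        self.activity = Counter()  # (serial, server name) -> successful authentications

    def add_server(self, name: str) -> "AuthServer":
        self.servers[name] = AuthServer(name, self)
        return self.servers[name]

    def enroll(self, token: Token, home: str) -> None:
        self.secrets[token.serial] = token.secret
        self.home_of[token.serial] = home

    def reassign_homes(self) -> dict:
        """Claim 7: re-home each token to the server it most often authenticates at."""
        best = {}  # serial -> (server, count)
        for (serial, server), n in self.activity.items():
            if serial not in best or n > best[serial][1]:
                best[serial] = (server, n)
        for serial, (server, _) in best.items():
            old = self.home_of[serial]
            if server != old:
                # the current high water mark moves with the token to its new home
                self.servers[server].hwm[serial] = self.servers[old].hwm.pop(serial, 0)
                self.home_of[serial] = server
        return dict(self.home_of)


class AuthServer:
    def __init__(self, name: str, net: Network):
        self.name, self.net, self.hwm = name, net, {}

    def authenticate(self, serial: str, counter: int, code: str) -> str:
        expected = otp_for(self.net.secrets[serial], counter)
        if not hmac.compare_digest(code.encode(), expected.encode()):
            return "REJECT:bad-passcode"
        # (i) the high water mark goes to this server's adjudicator, which (ii) determines the
        # token's home and (iii) adjudicates locally if this is the home, else sends it there.
        home = self.net.home_of[serial]
        verdict = self.net.servers[home].adjudicate(serial, counter)
        if verdict == "ALLOW":
            self.net.activity[(serial, self.name)] += 1
        return verdict

    def adjudicate(self, serial: str, counter: int) -> str:
        """Home adjudicator: a passcode at or below the stored high water mark is a replay."""
        if counter <= self.hwm.get(serial, 0):
            return "REJECT:replay"
        self.hwm[serial] = counter
        return "ALLOW"


def demo():
    net = Network()
    home, remote = net.add_server("home"), net.add_server("remote")
    token = Token("T-001", b"constructed-demo-secret")  # constructed sample token
    net.enroll(token, "home")
    first = token.generate()
    verdicts = [
        home.authenticate("T-001", 1, "bad"),       # wrong passcode, never reaches adjudication
        home.authenticate(*first),                  # fresh passcode at the home server
        remote.authenticate(*first),                # same passcode replayed at another server
        remote.authenticate(*token.generate()),     # next passcode, adjudicated via the home
        remote.authenticate(*token.generate()),
    ]
    homes = net.reassign_homes()                    # token is now re-homed to "remote"
    verdicts.append(home.authenticate(*token.generate()))
    return verdicts, homes, remote.hwm["T-001"]


if __name__ == "__main__":
    print(demo())
```

The replay at the second server is caught because the non-home server does not keep its own copy of the mark; every evaluation is referred to the single home server, so there is no window in which two servers hold different views of the same token. When the token is re-homed, the stored mark travels with it, otherwise the new home would start from zero and accept every passcode the old home had already seen.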