Detecting and preventing replay in authentication systems

US 7,810,147 B2
Filed: 12/01/2006
Issued: 10/05/2010
Est. Priority Date: 12/01/2005
Status: Active Grant

First Claim

Patent Images

1. A system for detecting and preventing replay attacks in an authentication network, comprising:

a plurality of authentication servers interconnected through an authentication network;

one or more tokens for generating a one-time passcode, and for providing the one-time passcode to one of the plurality of authentication servers for authentication;

an adjudicator function associated with each of the plurality of authentication servers, wherein the adjudicator function;

(a) evaluates a high water mark value associated with a token seeking authentication;

(b) allows an authentication procedure to proceed for the token seeking authentication if the high water mark evaluation indicates that the one-time passcode was not used in a previous authentication transaction; and

,(c) prevents authentication of the token seeking authentication if the high water mark evaluation indicates that the one-time passcode was used in a previous authentication transaction;

wherein the token seeking authentication is associated with a home authentication server that maintains a current high water mark value of the token seeking authentication, and wherein the home authentication server validates the current high water mark value on behalf of the adjudicator function evaluating the token seeking authentication;

wherein, when the token seeking authentication seeks authentication from an authentication server of the plurality of authentication servers that is not the home authentication server (non-home authentication server), the system is constructed and arranged to;

(i) forward the high water mark value to the adjudicator function of the non-home authentication server;

(ii) determine, at the adjudicator function of the non-home authentication server, that the high water mark information originating from the token seeking authentication is associated with the home authentication server; and

(iii) in response to determining, send the high water mark value to the adjudicator function of the home authentication server; and

wherein, when the token seeking authentication seeks authentication from the home authentication server, the system is constructed and arranged to;

(i) forward the high water mark value to the adjudicator function of the home authentication server;

(ii) determine, at the adjudicator function of the home authentication server, that the high water mark value originating from the token seeking authentication is associated with the home authentication server; and

(iii) in response to determining, maintain the high water mark value in the adjudicator function of the home authentication server.

View all claims

24 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for detecting and preventing replay attacks includes a plurality of interconnected authentication servers, and one or more tokens for generating a one-time passcode and providing the one-time passcode to one of the authentication servers for authentication. The system includes an adjudicator function associated with each authentication server. The adjudicator evaluates a high water mark value associated with a token seeking authentication, allows authentication to proceed for the token if the high water mark evaluation indicates that the one-time passcode was not used in a previous authentication, and prevents authentication if the high water mark evaluation indicates that the one-time passcode was used in a previous authentication. The token is associated with a home authentication server that maintains a current high water mark of the token. The home authentication server validates the current high water mark on behalf of the adjudicator function evaluating the token for authentication.

Citations

16 Claims

1. A system for detecting and preventing replay attacks in an authentication network, comprising:
- a plurality of authentication servers interconnected through an authentication network;
  
  one or more tokens for generating a one-time passcode, and for providing the one-time passcode to one of the plurality of authentication servers for authentication;
  
  an adjudicator function associated with each of the plurality of authentication servers, wherein the adjudicator function;
  
  (a) evaluates a high water mark value associated with a token seeking authentication;
  
  (b) allows an authentication procedure to proceed for the token seeking authentication if the high water mark evaluation indicates that the one-time passcode was not used in a previous authentication transaction; and
  
  ,(c) prevents authentication of the token seeking authentication if the high water mark evaluation indicates that the one-time passcode was used in a previous authentication transaction;
  
  wherein the token seeking authentication is associated with a home authentication server that maintains a current high water mark value of the token seeking authentication, and wherein the home authentication server validates the current high water mark value on behalf of the adjudicator function evaluating the token seeking authentication;
  
  wherein, when the token seeking authentication seeks authentication from an authentication server of the plurality of authentication servers that is not the home authentication server (non-home authentication server), the system is constructed and arranged to;
  
  (i) forward the high water mark value to the adjudicator function of the non-home authentication server;
  
  (ii) determine, at the adjudicator function of the non-home authentication server, that the high water mark information originating from the token seeking authentication is associated with the home authentication server; and
  
  (iii) in response to determining, send the high water mark value to the adjudicator function of the home authentication server; and
  
  wherein, when the token seeking authentication seeks authentication from the home authentication server, the system is constructed and arranged to;
  
  (i) forward the high water mark value to the adjudicator function of the home authentication server;
  
  (ii) determine, at the adjudicator function of the home authentication server, that the high water mark value originating from the token seeking authentication is associated with the home authentication server; and
  
  (iii) in response to determining, maintain the high water mark value in the adjudicator function of the home authentication server.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein one of the plurality of authentication servers functions as the home authentication server for all of the one or more tokens in the system.
  - 3. The system of claim 1, wherein the high water mark value associated with the token seeking authentication includes information regarding a most recent time the token authenticated to one of the plurality of authentication servers.
  - 4. The system of claim 1, wherein the adjudicator disregards the high water mark associated with a token if the high water mark has aged by more than a predetermined amount of time.
  - 5. The system of claim 4, wherein the predetermined amount of time is a function of whether the token is a hardware-based token or a software-based token.
  - 6. The system of claim 1:
    - wherein, when the token seeking authentication seeks authentication from the non-home authentication server, the system is further constructed and arranged to;
      
      (iv) perform cryptographic calculations associated with authenticating the one-time passcode at the non-home authentication server; and
      
      wherein, when the token seeking authentication seeks authentication from the home authentication server, the system is further constructed and arranged to;
      
      (iv) perform cryptographic calculations associated with authenticating the one-time passcode at the home authentication server.

7. A method of associating tokens, capable of generating one-time passcodes, with home authentication servers in a network of authentication servers, comprising:
- assigning each of a plurality of tokens to a home authentication server according to a predetermined characteristic of the token;
  
  evaluating authentication activity of the plurality of tokens;
  
  for each one of the plurality of tokens, reassigning the token to a home authentication server to which the token most often authenticates;
  
  wherein authentication activity includes, regardless of which authentication server in the network of authentication servers that a token seeks authentication from, evaluating a high water mark value associated with the token seeking authentication at the home authentication server;
  
  wherein evaluating the high water mark value includes, when the token seeking authentication seeks authentication from an authentication server of the plurality of authentication servers that is not the home authentication server (non-home authentication server);
  
  (i) forwarding the high water mark value to the adjudicator function of the non-home authentication server;
  
  (ii) determining, at the adjudicator function of the non-home authentication server, that the high water mark information originating from the token seeking authentication is associated with the home authentication server; and
  
  (iii) in response to determining, sending the high water mark value to the adjudicator function of the home authentication server; and
  
  wherein evaluating the high water mark value includes, when the token seeking authentication seeks authentication from the home authentication server;
  
  (i) forwarding the high water mark value to the adjudicator function of the home authentication server;
  
  (ii) determining, at the adjudicator function of the home authentication server, that the high water mark value originating from the token seeking authentication is associated with the home authentication server; and
  
  (iii) in response to determining, maintaining the high water mark value in the adjudicator function of the home authentication server.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The method of claim 7, wherein the predetermined characteristic of the token is a registration site of the token.
  - 9. The method of claim 7, wherein the predetermined characteristic of the token is an identification number associated with the token.
  - 10. The method of claim 7, wherein evaluating authentication activity of the plurality of tokens further includes counting authentication attempts the token submits to each authentication server in the network of authentication servers.
  - 11. The method of claim 7, further including reassigning the token at a predetermined token reassignment rate.
  - 12. The method of claim 7, further including disregarding the high water mark if the high water mark has aged by more than a predetermined amount of time.
  - 13. The method of claim 12, wherein the predetermined amount of time is a function of whether the token is a hardware-based token or a software-based token.
  - 14. The method of claim 7:
    - wherein evaluating the high water mark value further includes, when the token seeking authentication seeks authentication from the non-home authentication server;
      
      (iv) performing cryptographic calculations associated with authenticating the one-time passcode at the non-home authentication server; and
      
      wherein evaluating the high water mark value further includes, when the token seeking authentication seeks authentication from the home authentication server;
      
      (iv) performing cryptographic calculations associated with authenticating the one-time passcode at the home authentication server.

15. A method of detecting and preventing replay attacks in an authentication network including a plurality of authentication servers interconnected through an authentication network, comprising:
- associating a token, capable of generating one-time passcodes, with a home authentication server that maintains a current high water mark value of the token seeking authentication;
  
  generating a one-time passcode with the token, and providing the one-time passcode to one of the plurality of authentication servers for authentication;
  
  evaluating a high water mark value associated with the token;
  
  allowing an authentication procedure to proceed for the token if the high water mark evaluation indicates that the one-time passcode was not used in a previous authentication transaction;
  
  preventing authentication of the token seeking authentication if the high water mark evaluation indicates that the one-time passcode was used in a previous authentication transaction;
  
  when the token seeking authentication seeks authentication from an authentication server of the plurality of authentication servers that is not the home authentication server (non-home authentication server);
  
  (i) forwarding the high water mark value to an adjudicator function of the non-home authentication server;
  
  (ii) determining, at the adjudicator function of the non-home authentication server, that the high water mark information originating from the token seeking authentication is associated with the home authentication server; and
  
  (iii) in response to determining, sending the high water mark value to an adjudicator function of the home authentication server; and
  
  when the token seeking authentication seeks authentication from the home authentication server;
  
  (i) forwarding the high water mark value to the adjudicator function of the home authentication server;
  
  (ii) determining, at the adjudicator function of the home authentication server, that the high water mark value originating from the token seeking authentication is associated with the home authentication server; and
  
  (iii) in response to determining, maintaining the high water mark value in the adjudicator function of the home authentication server.
- View Dependent Claims (16)
- - 16. The method of claim 15, further comprising:
    - when the token seeking authentication seeks authentication from the non-home authentication server;
      
      (iv) performing cryptographic calculations associated with authenticating the one-time passcode at the non-home authentication server; and
      
      when the token seeking authentication seeks authentication from the home authentication server;
      
      (iv) performing cryptographic calculations associated with authenticating the one-time passcode at the home authentication server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RSA Security LLC (Symphony Technology Group LLC)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Volanis, Alexander, Friedman, Lawrence N., Duane, William
Primary Examiner(s)
Arani; Taghi T
Assistant Examiner(s)
VICTORIA, NARCISO F

Application Number

US11/607,836
Publication Number

US 20070256123A1
Time in Patent Office

1,404 Days
Field of Search

726/9
US Class Current

726/9
CPC Class Codes

H04L 63/0838 using one-time-passwords

H04L 63/1441 Countermeasures against mal...

Detecting and preventing replay in authentication systems

First Claim

24 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting and preventing replay in authentication systems

First Claim

24 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links