Extended one-time password method and apparatus

US 8,132,243 B2
Filed: 08/11/2006
Issued: 03/06/2012
Est. Priority Date: 08/11/2005
Status: Active Grant

First Claim

Patent Images

1. A method for handling a session one-time-password (“

OTP”

) transmission with an OTP token, the OTP token in communication with a server and a client workstation via a network, the method comprising;

an OTP token opening, with an embedded security browser at the OTP token, a secure session between the OTP token and a server;

receiving, at the OTP token, after opening the secure session, server information that at least partially identifies the server, wherein the server information is received from the server;

determining whether the server is legitimate based on the received server information;

in response to determining that the server is legitimate;

transmitting, from the OTP token, data of an internally-generated OTP; and

initiating, with the OTP token, a client-server session with the server; and

in response to determining that the server is not legitimate;

refraining from transmitting, from the OTP token, data of an internally-generated OTP.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An OTP token for facilitating the authorizing of a client workstation to conduct a session with a server over the Internet is disclosed. Information at least partially identifying the server is provided to the OTP token and/or the client workstation, and a determination is made, using this identifying information, if the server is a legitimate server. In accordance with this determination, it is decided whether or not to transmit data indicative of a session OTP from the OTP token to the client workstation. In some embodiments, if the identifying information is indicative of a legitimate server, the data indicative of the session OTP is transmitted from the OTP token to the client workstation, and otherwise, the data indicative of the session OTP is withheld from the client workstation. Data indicative of the session OTP may include, in various embodiments, either multi-factor authentication data derived from user authorization data, or session OTP data that is independent of user authentication data.

35 Citations

View as Search Results

30 Claims

1. A method for handling a session one-time-password (“
- OTP”
  
  ) transmission with an OTP token, the OTP token in communication with a server and a client workstation via a network, the method comprising;
  
  an OTP token opening, with an embedded security browser at the OTP token, a secure session between the OTP token and a server;
  
  receiving, at the OTP token, after opening the secure session, server information that at least partially identifies the server, wherein the server information is received from the server;
  
  determining whether the server is legitimate based on the received server information;
  
  in response to determining that the server is legitimate;
  
  transmitting, from the OTP token, data of an internally-generated OTP; and
  
  initiating, with the OTP token, a client-server session with the server; and
  
  in response to determining that the server is not legitimate;
  
  refraining from transmitting, from the OTP token, data of an internally-generated OTP.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the data of an internally-generated OTP is of a session OTP and transmitting said data from the OTP token to the client workstation is done via a device interface.
  - 3. The method of claim 1, wherein transmitting data of an internally-generated session OTP comprises:
    - displaying the data of the session OTP on a display screen of the OTP token.
  - 4. The method of claim 1, wherein the data of an internally-generated session OTP comprises multi-factor authentication data derived based at least in part on user authentication data.
  - 5. The method of claim 1, wherein the data of an internally-generated session OTP is not derived from user authentication data.
  - 6. The method of claim 1, further comprising:
    - in response to determining that the server is not legitimate;
      
      internally generating the session OTP within the OTP token;
      
      maintaining a status wherein the session OTP remains within the OTP token.
  - 7. The method of claim 1, further comprising:
    - transferring a client end of the secure session from the OTP token to a client workstation after opening the secure session,wherein the client workstation performs at least one of receiving server information that at least partially identifies the server and determining whether the server is a legitimate server based on the received server information.
  - 8. The method of claim 1, wherein the server information that at least partially identifies the server is received at the OTP token and a client end of the secure session remains at the embedded browser at a time that the server information is received by the OTP token from the server.
  - 9. The method of claim 1, wherein the receiving is carried out by the OTP token via a communications link between the server and the OTP token.
  - 10. The method of claim 1, wherein the determination of whether the server is a legitimate server is carried out within the OTP token.
  - 11. The method of claim 1, wherein the determination of whether the server is a legitimate server comprises querying a database residing within the OTP token.
  - 12. The method of claim 11, wherein the client workstation queries the database.
  - 13. The method of claim 11, wherein the OTP token determines whether the server is a legitimate server a client code residing within the OTP token causes the OTP token to query the database.
  - 14. The method of claim 11, wherein the database comprises an immutable database.
  - 15. The method of claim 11, wherein the database includes one of a pre-determined list of acceptable URLs, a pre-determined list of acceptable IP addresses, or a pre-determined list of acceptable values for certificate fields.

16. A method for handling a session one-time-password (“
- OTP”
  
  ) transmission with an OTP token, the OTP token in communication with a server and a client workstation via a network, the method comprising;
  
  receiving, at an OTP token, server information that at least partially identifies a server, wherein the server information is received from the server;
  
  determining whether the server is legitimate based on the received server information;
  
  in response to determining that the server is legitimate;
  
  transmitting, from the OTP token, data of an internally-generated OTP; and
  
  initiating, with the OTP token, a client-server session with the server; and
  
  in response to determining that the server is not legitimate;
  
  refraining from transmitting, from the OTP token, data of an internally-generated OTP;
  
  wherein the determination of whether the server is legitimate is carried out in accordance with at least one of protocol data of a received communication, certificate data transmitted in a received communication, IP address data, or URL data.
- View Dependent Claims (17)
- - 17. The method of claim 16, wherein the determination of whether the server is legitimate is carried out in accordance with only some attributes of a certificate received from the server.

18. A one-time-password (“
- OTP”
  
  ) token for use with a client workstation in communication with a server via a network, the OTP token comprising;
  
  a manual input device for inputting information at least partially identifying a server;
  
  a server legitimacy engine for determining whether the server is legitimate based on the information;
  
  an OTP generator operative to generate a session OTP;
  
  an OTP-transmission decision engine operative to decide whether to transmit, from the OTP token, data of the session OTP in response to a determination that the server is legitimate or whether to refrain from transmitting the data of the session OTP in response to a determination that the server is not legitimate; and
  
  an embedded security browser embedded within the OTP token, the embedded browser operative to open a security session between the OTP token and the server.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The OTP token of claim 18, further comprising:
    - an OTP transmitter for transmitting data indicative of the session OTP from the OTP token in accordance with the determination of the OTP-transmission decision engine.
  - 20. The OTP token of claim 19, further comprising:
    - a device port, wherein the OTP transmitter is operative to cause an inter-device data transfer, via the device port, of the data of the session OTP only upon a determination that the server is legitimate.
  - 21. The OTP token of claim 19, further comprising:
    - a data display, wherein the OTP transmitter is operative to transmit the data of the session OTP to the data display only upon a determination that the server is legitimate.
  - 22. The OTP token of claim 18, wherein the embedded security browser is operative to receive, during the secure session, the information at least partially identifying the server.
  - 23. The OTP token of claim 18, wherein the server legitimacy engine includes:
    - a database of predetermined data, wherein the server legitimacy engine is operative to determine whether the server is legitimate based on the contents of the database.
  - 24. The OTP token of claim 23, wherein the database comprises an immutable database.
  - 25. The OTP token of claim 23, wherein the database includes one of a pre-determined list of acceptable URLs, a pre-determined list of acceptable IP addresses, or a pre-determined list of acceptable values for certificate fields.

26. A one-time-password (“
- OTP”
  
  ) token for use with a client workstation in communication with a server via a network, the OTP token comprising;
  
  a manual input device for inputting information at least partially identifying a server;
  
  a server legitimacy engine for determining whether the server is legitimate based on the information;
  
  an OTP generator operative to generate a session OTP; and
  
  an OTP-transmission decision engine operative to decide whether to transmit, from the OTP token, data of the session OTP in response to a determination that the server is legitimate or whether to refrain from transmitting the data of the session OTP in response to a determination that the server is not legitimate;
  
  wherein the server legitimacy engine is operative to determine whether the server is legitimate based on at least one of protocol data of a communication from the server certificate data transmitted in a communication from the server, IP address data, or URL data.
- View Dependent Claims (27)
- - 27. The OTP token of claim 26, wherein the server legitimacy engine is operative to determine whether the server is a legitimate server in accordance with only some attributes of a certificate received from the server.

28. A one-time-password (“
- OTP”
  
  ) token for use with a client workstation in communication with a server via a network, the OTP token comprising;
  
  a manual input device for inputting information at least partially identifying a server;
  
  a server legitimacy engine for determining whether the server is legitimate based on the information;
  
  an OTP generator operative to generate a session OTP; and
  
  an OTP-transmission decision engine operative to decide whether to transmit, from the OTP token, data of the session OTP in response to a determination that the server is legitimate or whether to refrain from transmitting the data of the session OTP in response to a determination that the server is not legitimate;
  
  wherein the OTP generator is operative to generate the session OTP in accordance with user authentication data, thereby generating the session OTP as multi-factor authentication data.
- View Dependent Claims (29, 30)
- - 29. The OTP token of claim 28, further comprising:
    - a user identification module for authenticating the user authentication data.
  - 30. The OTP token of claim 29, wherein the OTP-transmission decision engine is operative to determine whether to transmit data of the session OTP or refrain from transmitting data of the session OTP based on the authentication of the authentication data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Western Digital Israel Limited (Western Digital Corporation)
Original Assignee
SanDisk IL Ltd. (Western Digital Corporation)
Inventors
Bychkov, Eyal
Primary Examiner(s)
TRUONG, THANHNGA B

Application Number

US11/502,466
Publication Number

US 20070067828A1
Time in Patent Office

2,034 Days
Field of Search

726 3- 5, 726/17, 726/20, 455/418, 455/424, 455/416, 701/33, 713/182, 713184-185
US Class Current

726/9
CPC Class Codes

G06F 21/31   User authentication

G06F 21/33   using certificates

H04L 63/0838   using one-time-passwords

H04L 63/0853   using an additional device,...

H04L 63/1441   Countermeasures against mal...

H04L 63/1466   Active attacks involving in...

Extended one-time password method and apparatus

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Extended one-time password method and apparatus

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links