Event-based data signing via time-based one-time authentication passcodes

US 9,225,717 B1
Filed: 03/14/2013
Issued: 12/29/2015
Est. Priority Date: 03/14/2013
Status: Active Grant

First Claim

Patent Images

1. A method for generating one or more user authentication passcodes, comprising:

generating a time-based user authentication passcode based on a first forward-secure pseudorandom number;

generating an event-based user authentication passcode based on a second forward-secure pseudorandom number, wherein said first forward-secure pseudorandom number is generated using at least one hardware device using a first seed from a first level of a hierarchical forward-secure pseudorandom number tree stored in a memory and wherein said second forward-secure pseudorandom number is generated using said at least one hardware device using a second seed from a different, second level of said hierarchical forward-secure pseudorandom number tree;

providing said generated time-based user authentication passcode for authentication of a user; and

providing said generated event-based user authentication passcode for signing of one or more data transactions of said user during a session of said user.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus are provided for signing data transactions using one-time authentication passcodes. User authentication passcodes are generated by generating a time-based user authentication passcode based on a forward-secure pseudorandom number, wherein the generated time-based user authentication passcode is used for authentication of the user; and generating an event-based user authentication passcode based on a forward-secure pseudorandom number, wherein the generated event-based user authentication passcode is used to sign one or more data transactions. The generation of an event-based user authentication passcode can be performed on-demand. The generation of the event-based user authentication passcode can optionally be performed substantially simultaneously with the generation of the time-based user authentication passcode.

Citations

22 Claims

1. A method for generating one or more user authentication passcodes, comprising:
- generating a time-based user authentication passcode based on a first forward-secure pseudorandom number;
  
  generating an event-based user authentication passcode based on a second forward-secure pseudorandom number, wherein said first forward-secure pseudorandom number is generated using at least one hardware device using a first seed from a first level of a hierarchical forward-secure pseudorandom number tree stored in a memory and wherein said second forward-secure pseudorandom number is generated using said at least one hardware device using a second seed from a different, second level of said hierarchical forward-secure pseudorandom number tree;
  
  providing said generated time-based user authentication passcode for authentication of a user; and
  
  providing said generated event-based user authentication passcode for signing of one or more data transactions of said user during a session of said user.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein said step of generating an event-based user authentication passcode is performed on-demand.
  - 3. The method of claim 1, wherein said two generating steps can be performed substantially simultaneously.
  - 4. The method of claim 1, wherein said method employs said hierarchical forward-secure pseudorandom number tree extended at a hierarchy level L to produce a hash chain of values K₁, K₂, . . . , so that K_iis a pseudorandom seed used for the i-th data transaction that is to be signed within a time interval T_Lthat corresponds to the level L.
  - 5. The method of claim 4, wherein each seed s in said hierarchical forward-secure pseudorandom number tree corresponding to a particular time unit T_Lis split into two new seeds s₁and s₂as follows:
    - s₁=h(s,event), s₂=h(s,time) where h is a collision-resistant and unpredictable one-way hash function.
  - 6. The method of claim 4, wherein said step of generating said event-based user authentication passcode further comprises the step of applying a function on T_c∥
    - D, where is a current time of a token when said transaction signing occurs and a fixed unique encoding of said token, and wherein D is said data to be signed, using as secret key the current value K₁, where K₁belongs in the sequence corresponding to the time interval T_L,cthat T_cbelongs in.
  - 7. The method of claim 6, wherein said function comprises one or more of a cryptographic hash function and a message authentication code.

8. A non-transitory machine-readable recordable storage medium for generating one or more user authentication passcodes, wherein one or more software programs when executed by one or more processing devices implement the following steps:
- generating a time-based user authentication passcode based on a first forward-secure pseudorandom number;
  
  generating an event-based user authentication passcode based on a second forward-secure pseudorandom number, wherein said first forward-secure pseudorandom number is generated using a first seed from a first level of a hierarchical forward-secure pseudorandom number tree stored in a memory and wherein said second forward-secure pseudorandom number is generated using a second seed from a different, second level of said hierarchical forward-secure pseudorandom number tree;
  
  providing said generated time-based user authentication passcode for authentication of a user; and
  
  providing said generated event-based user authentication passcode for signing of one or more data transactions of said user during a session of said user.

9. A time-based authentication token, comprising:
- a passcode generation function for generating a time-based user authentication passcode based on a first forward-secure pseudorandom number;
  
  a transaction passcode generation function for generating an event-based user authentication passcode based on a second forward-secure pseudorandom number, wherein said first forward-secure pseudorandom number is generated using a first seed from a first level of a hierarchical forward-secure pseudorandom number tree stored in a memory and wherein said second forward-secure pseudorandom number is generated using a second seed from a different, second level of said hierarchical forward-secure pseudorandom number tree;
  
  wherein said time-based authentication token provides said generated time-based user authentication passcode for authentication of a user and provides said generated event-based user authentication passcode for signing of one or more data transactions of said user during a session of said user.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The time-based authentication token of claim 9, wherein said generation of an event-based user authentication passcode is performed on-demand.
  - 11. The time-based authentication token of claim 9, wherein said two generation functions can be employed substantially simultaneously.
  - 12. The time-based authentication token of claim 9, wherein said token employs said hierarchical forward-secure pseudorandom number tree extended at a hierarchy level L to produce a hash chain of values K₁, K₂, . . . , so that K₁is a pseudorandom seed used for the i-th data transaction that is to be signed within a time interval T_Lthat corresponds to the level L.
  - 13. The time-based authentication token of claim 12, wherein each seed s in said hierarchical forward-secure pseudorandom number tree corresponding to a particular time unit T_Lis split into two new seeds s₁and s₂as follows:
    - s₁=h(s,event), s₂=h(s,time) where h is a collision-resistant and unpredictable one-way hash function.
  - 14. The time-based authentication token of claim 12, wherein said generation of said event-based user authentication passcode applies a function on T_c∥
    - D, where T_cis a current time of said token when said transaction signing occurs and a fixed unique encoding of said token, and wherein D is said data to be signed, using as secret key the current value K₁, where K₁belongs in the sequence corresponding to the time interval T_L,cthat T_cbelongs in.
  - 15. The time-based authentication token of claim 14, wherein said function comprises one or more of a cryptographic hash function and a message authentication code.

16. An apparatus for generating one or more user authentication passcodes, the apparatus comprising:
- a memory; and
  
  at least one hardware device, coupled to the memory, operative to implement the following steps;
  
  generating a time-based user authentication passcode based on a first forward-secure pseudorandom number,generating an event-based user authentication passcode based on a second forward-secure pseudorandom number, wherein said first forward-secure pseudorandom number is generated using a first seed from a first level of a hierarchical forward-secure pseudorandom number tree stored in a memory and wherein said second forward-secure pseudorandom number is generated using a second seed from a different, second level of said hierarchical forward-secure pseudorandom number tree;
  
  providing said generated time-based user authentication passcode for authentication of a user; and
  
  providing said generated event-based user authentication passcode for signing of one or more data transactions of said user during a session of said user.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The apparatus of claim 16, wherein said of generation of an event-based user authentication passcode is performed on-demand.
  - 18. The apparatus of claim 16, wherein said two generating steps can be performed substantially simultaneously.
  - 19. The apparatus of claim 16, wherein one or more of said two generating steps employ said hierarchical forward-secure pseudorandom number tree extended at a hierarchy level L to produce a hash chain of values K₁, K₂, . . . , so that K_iis a pseudorandom seed used for the i-th data transaction that is to be signed within a time interval T_Lthat corresponds to the level L.
  - 20. The apparatus of claim 19, wherein each seed s in said hierarchical forward-secure pseudorandom number tree corresponding to a particular time unit T_Lis split into two new seeds s₁and s₂as follows:
    - s₁=h(s,event), s₂=h(s,time) where h is a collision-resistant and unpredictable one-way hash function.
  - 21. The apparatus of claim 19, wherein said step of generating said event-based user authentication passcode further comprises the step of applying a function on T_c∥
    - D, where T_cis a current time of a token when said transaction signing occurs and a fixed unique encoding of said token, and wherein D is said data to be signed, using as secret key the current value K₁, where K_ibelongs in the sequence corresponding to the time interval T_L,cthat T_cbelong in.
  - 22. The apparatus of claim 21, wherein said function comprises one or more of a cryptographic hash function and a message authentication code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Brainard, John, Triandopoulos, Nikolaos, van Dijk, Marten, Juels, Ari
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
Pham, Quy

Application Number

US13/826,924
Time in Patent Office

1,020 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0846   using time-dependent-passwo...

H04L 9/3228   One-time or temporary data,...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

H04L 9/3297   involving time stamps, e.g....

H04L 9/50   using hash chains, e.g. blo...

Event-based data signing via time-based one-time authentication passcodes

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Event-based data signing via time-based one-time authentication passcodes

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links