Recovery mechanism for fault-tolerant split-server passcode verification of one-time authentication tokens

US 9,749,314 B1
Filed: 04/13/2016
Issued: 08/29/2017
Est. Priority Date: 06/30/2014
Status: Active Grant

First Claim

Patent Images

1. A recovery method for a split-server passcode verification system comprising at least one token and a plurality of authentication servers, said recovery method comprising:

determining, using at least one processing device, that a first one of said plurality of authentication servers is unavailable;

generating an authenticated message by applying, using said at least one processing device, an authentication mechanism to a message requesting said token to change to a new split-state mode, wherein said new split-state mode modifies one or more computations used to compute a next passcode and wherein said authentication mechanism comprises signing said message using said next passcode of said new split-state mode; and

sending, using said at least one processing device, said authenticated message to said token.

View all claims

17 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A recovery mechanism is provided for split-server passcode verification systems. An exemplary token-centric recovery scheme comprises at least one token and a plurality of authentication servers, comprises the steps of: determining that a first one of the plurality of authentication servers is unavailable; applying an authentication mechanism to a message requesting the token to change to a new split-state mode; and sending the authenticated message to the token. The authentication mechanism comprises, for example, a relying party signing the message using a next passcode of the new split-state mode. The new split-state mode comprises, for example, a single server passcode verification and wherein the next passcode of the new split-state mode comprises a next passcode of the single server. A client optionally changes to the new split-state mode after successfully verifying the authentication mechanism.

Citations

20 Claims

1. A recovery method for a split-server passcode verification system comprising at least one token and a plurality of authentication servers, said recovery method comprising:
- determining, using at least one processing device, that a first one of said plurality of authentication servers is unavailable;
  
  generating an authenticated message by applying, using said at least one processing device, an authentication mechanism to a message requesting said token to change to a new split-state mode, wherein said new split-state mode modifies one or more computations used to compute a next passcode and wherein said authentication mechanism comprises signing said message using said next passcode of said new split-state mode; and
  
  sending, using said at least one processing device, said authenticated message to said token.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein said authentication mechanism comprises a relying party signing said message using said next passcode of said new split-state mode.
  - 3. The method of claim 1, wherein said new split-state mode comprises a single server passcode verification and wherein said next passcode of said new split-state mode comprises a next passcode of said single server.
  - 4. The method of claim 1, wherein a client changes to said new split-state mode after successfully verifying said authentication mechanism.
  - 5. The method of claim 1, wherein said first authentication server and a second authentication server provide an “
    - aliveness”
      
      message to at least one other server.
  - 6. The method of claim 1, wherein said first authentication server and a second authentication server exchange an encrypted version of a respective secret key used to protect a partial secret state.
  - 7. The method of claim 1, wherein said applying step is responsive to said determination that the first one of said plurality of authentication servers is unavailable.

8. An apparatus of a split-server passcode verification system comprising at least one token and a plurality of authentication servers, said apparatus comprising:
- a memory; and
  
  at least one processing device, coupled to the memory, operative to implement the following steps;
  
  determining, using said at least one processing device, that a first one of said plurality of authentication servers is unavailable;
  
  generating an authenticated message by applying, using said at least one processing device, an authentication mechanism to a message requesting said token to change to a new split-state mode, wherein said new split-state mode modifies one or more computations used to compute a next passcode and wherein said authentication mechanism comprises signing said message using said next passcode of said new split-state mode; and
  
  sending, using said at least one processing device, said authenticated message to said token.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, wherein said authentication mechanism comprises a relying party signing said message using said next passcode of said new split-state mode.
  - 10. The apparatus of claim 8, wherein said new split-state mode comprises a single server passcode verification and wherein said next passcode of said new split-state mode comprises a next passcode of said single server.
  - 11. The apparatus of claim 8, wherein a client changes to said new split-state mode after successfully verifying said authentication mechanism.
  - 12. The apparatus of claim 8, wherein said first authentication server and a second authentication server provide an “
    - aliveness”
      
      message to at least one other server.
  - 13. The apparatus of claim 8, wherein said first authentication server and a second authentication server exchange an encrypted version of a respective secret key used to protect a partial secret state.
  - 14. The apparatus of claim 8, wherein said applying step is responsive to said determination that the first one of said plurality of authentication servers is unavailable.

15. An article of manufacture for a split-server passcode verification system comprising at least one token and a plurality of authentication servers, said article of manufacture comprising a non-transitory machine readable medium containing one or more programs which when executed implement the steps of:
- determining, using at least one processing device, that a first one of said plurality of authentication servers is unavailable;
  
  generating an authenticated message by applying, using said at least one processing device, an authentication mechanism to a message requesting said token to change to a new split-state mode, wherein said new split-state mode modifies one or more computations used to compute a next passcode and wherein said authentication mechanism comprises signing said message using said next passcode of said new split-state mode; and
  
  sending, using said at least one processing device, said authenticated message to said token.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The article of manufacture of claim 15, wherein said authentication mechanism comprises a relying party signing said message using said next passcode of said new split-state mode.
  - 17. The article of manufacture of claim 15, wherein said new split-state mode comprises a single server passcode verification and wherein said next passcode of said new split state mode comprises a next passcode of said single server.
  - 18. The article of manufacture of claim 15, wherein a client changes to said new split-state mode after successfully verifying said authentication mechanism.
  - 19. The article of manufacture of claim 15, wherein said first authentication server and a second authentication server provide an “
    - aliveness”
      
      message to at least one other server.
  - 20. The article of manufacture of claim 15, wherein said first authentication server and a second authentication server exchange an encrypted version of a respective secret key used to protect a partial secret state.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RSA Security LLC (Symphony Technology Group LLC)
Original Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Inventors
Triandopoulos, Nikolaos, Brainard, John
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
Zhu, Zhimei

Application Number

US15/097,773
Time in Patent Office

503 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0838   using one-time-passwords

H04L 9/085   Secret sharing or secret sp...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/321   involving a third party or ...

H04L 9/3226   using a predetermined code,...

H04L 9/3234   involving additional secure...

Recovery mechanism for fault-tolerant split-server passcode verification of one-time authentication tokens

First Claim

17 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Recovery mechanism for fault-tolerant split-server passcode verification of one-time authentication tokens

First Claim

17 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links