Forward secure one-time authentication tokens with embedded time hints
Abstract
Forward-secure one-time authentication tokens are provided with embedded time hints. A token generates a passcode for presentation to an authentication server by determining a current state of the token; generating a user authentication passcode based on the current state, wherein the generated user authentication passcode comprises an embedded time hint; and communicating the generated user authentication passcode to the authentication server. The passcode may be generated with the embedded time hint, for example, each time a user authentication passcode is generated or upon demand when a user authentication passcode is generated. A server processes a user authentication passcode by receiving the user authentication passcode, wherein the received user authentication passcode comprises an embedded time hint; and determining a time interval to search for another user authentication passcode based on the embedded time hint.
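The abstract describes the mechanism only at the level of "embed a hint, then use it to narrow the search". The following Python program is an added illustration of that idea and is not code from the patent or its assignee; the concrete construction is an assumption (a SHA-256 hash ratchet as the forward-secure state, an HMAC-derived six-digit passcode, and the three low-order bits of the token's step counter appended as a decimal hint digit). The patent's auxiliary-bit channels and its use of two independent generators are not modelled. The server keeps the seed of the last accepted step and only ratchets forward, so an accepted passcode cannot be replayed and a captured token seed does not reveal earlier seeds.

```python
import hashlib
import hmac

# Parameters (all constructed for this example, not taken from the patent).
OTP_DIGITS = 6            # digits of the one-time passcode proper
HINT_BITS = 3             # low-order bits of the token's time counter used as the hint
HINT_MASK = (1 << HINT_BITS) - 1
HINT_DIGITS = len(str(HINT_MASK))   # decimal digits needed to carry the hint
MAX_DRIFT = 10            # token clock may run up to 10 steps ahead of the server

# Constructed shared secret provisioned to both token and server at step 0.
SHARED_SEED = hashlib.sha256(b"constructed example seed, not a real secret").digest()


def ratchet(seed: bytes) -> bytes:
    """One-way state update seed_{t+1} = H('ratchet' || seed_t).

    Because SHA-256 is one-way, whoever captures seed_t cannot recover
    seed_{t-1}, so passcodes of earlier steps stay secret (forward security).
    """
    return hashlib.sha256(b"ratchet" + seed).digest()


def passcode_digits(seed: bytes, step: int) -> str:
    """The OTP proper: HMAC over the step counter under a key derived from the step seed."""
    key = hashlib.sha256(b"otp-key" + seed).digest()
    mac = hmac.new(key, step.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


class Token:
    """Token side: holds only the seed for its current step and moves forward."""

    def __init__(self, seed: bytes) -> None:
        self.seed, self.step = seed, 0

    def advance_to(self, step: int) -> None:
        while self.step < step:
            self.seed = ratchet(self.seed)      # old seed is overwritten, never kept
            self.step += 1

    def passcode(self, now_step: int) -> str:
        """OTP digits followed by the hint: the low-order bits of the token's own counter."""
        self.advance_to(now_step)
        hint = now_step & HINT_MASK
        return passcode_digits(self.seed, now_step) + f"{hint:0{HINT_DIGITS}d}"


class Server:
    """Server side: stores the seed of the last accepted step and only ratchets forward."""

    def __init__(self, seed: bytes) -> None:
        self.seed, self.step = seed, 0

    def candidate_steps(self, hint: int, now_step: int) -> list:
        """Steps after the last accepted one, within drift, whose low bits match the hint."""
        high = now_step + MAX_DRIFT
        return [s for s in range(self.step + 1, high + 1) if (s & HINT_MASK) == hint]

    def verify(self, passcode: str, now_step: int) -> bool:
        if len(passcode) != OTP_DIGITS + HINT_DIGITS or not passcode.isdigit():
            return False
        digits, hint = passcode[:OTP_DIGITS], int(passcode[OTP_DIGITS:])
        if hint > HINT_MASK:
            return False
        candidates = set(self.candidate_steps(hint, now_step))
        if not candidates:
            return False
        seed = self.seed
        for s in range(self.step + 1, max(candidates) + 1):
            seed = ratchet(seed)                # work on a copy; commit only on success
            if s in candidates and hmac.compare_digest(passcode_digits(seed, s), digits):
                self.seed, self.step = seed, s  # steps <= s can never be accepted again
                return True
        return False


if __name__ == "__main__":
    token, server = Token(SHARED_SEED), Server(SHARED_SEED)
    code = token.passcode(13)
    print("candidates with hint:", server.candidate_steps(13 & HINT_MASK, 12))
    print("accepted:", server.verify(code, 12), "replay:", server.verify(code, 12))
```

With the hint the server tests only the steps in its drift window whose low bits agree with the token's counter (typically one or two), instead of every step in the window; widening HINT_BITS shrinks the search further at the cost of passcode length. Note that the hint narrows the search, it does not authenticate: acceptance still depends on the HMAC digits matching under the ratcheted seed.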
Claims (64 claims; 17 citations)
1. A token-side method for generating a passcode from a user authentication token for presentation to an authentication server, comprising:
- determining a current state of said token;
- generating, using said token, a user authentication passcode based on said current state, wherein said generated user authentication passcode comprises an embedded time hint not previously known to said authentication server, wherein said embedded time hint is embedded in said generated user authentication passcode when said generated user authentication passcode is generated; and
- communicating said generated user authentication passcode to said authentication server, wherein said authentication server obtains said embedded time hint from said generated user authentication passcode and determines a time interval to search for another user authentication passcode based on said embedded time hint, wherein said communicating step employs one or more of (i) a verification-independent auxiliary channel that employs a plurality of auxiliary bits comprising at least one auxiliary bit indicating that said embedded time hint is activated, and (ii) a verification-dependent auxiliary channel that employs a plurality of auxiliary bits comprising at least one auxiliary bit indicating that said embedded time hint is activated and at least two independent forward-secure pseudorandom generators.
Dependent claims: 2-18.
19. A non-transitory machine-readable recordable storage medium for generating a user authentication passcode for presentation to an authentication server, wherein one or more software programs when executed by one or more processing devices implement the following steps:
- determining a current state of said token;
- generating, using said token, a user authentication passcode based on said current state, wherein said generated user authentication passcode comprises an embedded time hint not previously known to said authentication server, wherein said embedded time hint is embedded in said generated user authentication passcode when said generated user authentication passcode is generated; and
- communicating said generated user authentication passcode to said authentication server, wherein said authentication server obtains said embedded time hint from said generated user authentication passcode and determines a time interval to search for another user authentication passcode based on said embedded time hint, wherein said communicating step employs one or more of (i) a verification-independent auxiliary channel that employs a plurality of auxiliary bits comprising at least one auxiliary bit indicating that said embedded time hint is activated, and (ii) a verification-dependent auxiliary channel that employs a plurality of auxiliary bits comprising at least one auxiliary bit indicating that said embedded time hint is activated and at least two independent forward-secure pseudorandom generators.
20. A token apparatus for generating a user authentication passcode for presentation to an authentication server, the apparatus comprising:
- a memory; and
- at least one hardware device, coupled to the memory, operative to implement the following steps:
- determine a current state of said token;
- generate, using said token apparatus, a user authentication passcode based on said current state, wherein said generated user authentication passcode comprises an embedded time hint not previously known to said authentication server, wherein said embedded time hint is embedded in said generated user authentication passcode when said generated user authentication passcode is generated; and
- communicate said generated user authentication passcode to said authentication server, wherein said authentication server obtains said embedded time hint from said generated user authentication passcode and determines a time interval to search for another user authentication passcode based on said embedded time hint, wherein said communication employs one or more of (i) a verification-independent auxiliary channel that employs a plurality of auxiliary bits comprising at least one auxiliary bit indicating that said embedded time hint is activated, and (ii) a verification-dependent auxiliary channel that employs a plurality of auxiliary bits comprising at least one auxiliary bit indicating that said embedded time hint is activated and at least two independent forward-secure pseudorandom generators.
Dependent claims: 21-37.
38. A server-side method for processing a user authentication passcode, comprising:
- receiving a user authentication passcode, generated using a token, wherein said received user authentication passcode comprises an embedded time hint not previously known to said authentication server, wherein said embedded time hint is embedded in said generated user authentication passcode when said generated user authentication passcode is generated, wherein said receiving step employs one or more of (i) a verification-independent auxiliary channel that employs a plurality of auxiliary bits comprising at least one auxiliary bit indicating that said embedded time hint is activated, and (ii) a verification-dependent auxiliary channel that employs a plurality of auxiliary bits comprising at least one auxiliary bit indicating that said embedded time hint is activated and at least two independent forward-secure pseudorandom generators;
- obtaining, by at least one processing device of said server, said embedded time hint from said received user authentication passcode; and
- determining, by said at least one processing device of said server, a time interval to search for another user authentication passcode based on said embedded time hint.
Dependent claims: 39-50.
51. A non-transitory machine-readable recordable storage medium for processing a user authentication passcode, wherein one or more software programs when executed by one or more processing devices implement the following steps:
- receiving a user authentication passcode, generated using a token, wherein said received user authentication passcode comprises an embedded time hint not previously known to an authentication server, wherein said embedded time hint is embedded in said generated user authentication passcode when said generated user authentication passcode is generated, wherein said receiving step employs one or more of (i) a verification-independent auxiliary channel that employs a plurality of auxiliary bits comprising at least one auxiliary bit indicating that said embedded time hint is activated, and (ii) a verification-dependent auxiliary channel that employs a plurality of auxiliary bits comprising at least one auxiliary bit indicating that said embedded time hint is activated and at least two independent forward-secure pseudorandom generators;
- obtaining, by at least one processing device of said authentication server, said embedded time hint from said received user authentication passcode; and
- determining, by said at least one processing device of said authentication server, a time interval to search for another user authentication passcode based on said embedded time hint.
52. A server apparatus for processing a user authentication passcode, the apparatus comprising:
- a memory; and
- at least one processing device, coupled to the memory, operative to implement the following steps:
- receive a user authentication passcode, generated using a token, wherein said received user authentication passcode comprises an embedded time hint not previously known to said authentication server, wherein said embedded time hint is embedded in said generated user authentication passcode when said generated user authentication passcode is generated, wherein said receiving employs one or more of (i) a verification-independent auxiliary channel that employs a plurality of auxiliary bits comprising at least one auxiliary bit indicating that said embedded time hint is activated, and (ii) a verification-dependent auxiliary channel that employs a plurality of auxiliary bits comprising at least one auxiliary bit indicating that said embedded time hint is activated and at least two independent forward-secure pseudorandom generators;
- obtain, by said at least one processing device of said server apparatus, said embedded time hint from said received user authentication passcode; and
- determine, by said at least one processing device of said server apparatus, a time interval to search for another user authentication passcode based on said embedded time hint.
Dependent claims: 53-64.