Abstract: A network based mechanism for real time verification and authentication of data and user identities. The present invention enables a method whereby biometric elements, such as voice prints, are utilized to enhance the Public Key Infrastructure as a means to decrypt data and verify data authenticity, such that the user's private key is authenticated remotely on a one-time basis. The present invention comprises an authentication server ( 25 ) with various software modules that enable authentication of user identity, secure user access to data, digital signatures, secure messaging and secure online transactions.

Abstract: Conventional remote password authentication schemes allow a serviceable server to authenticate the legitimacy of a remote login user. However, these schemes are not used for multiserver architecture environments. We present a remote password authentication scheme for multiserver environments. The password authentication system is a pattern classification system based on an artificial neural network. In this scheme, the users only remember user identity and password numbers to log in to various servers. Users can freely choose their password. Furthermore, the system is not required to maintain a verification table and can withstand the replay attack.

Abstract: A user authentication service for a communication network authenticates local users before granting them access to personalized sets of network resources. Authentication agents on intelligent edge devices present users of associated end systems with log-in challenges. Information supplied by the users is forwarded to an authentication server for verification. If successfully verified, the authentication server returns to the agents authorized connectivity information and time restrictions for the particular authenticated users. The agents use the information to establish rules for filtering and forwarding network traffic originating from or destined for particular authenticated users during authorized time periods. An enhanced authentication server may be engaged if additional security is desired. The authorized connectivity information preferably includes identifiers of one or more virtual local area networks active in the network. Log-in attempts are recorded so that the identity and whereabouts of network users may be monitored from a network management station.

Abstract: A time-based method for generating an authentication code associated with an entity uses an authentication code generated from a secret, a dynamic, time-varying variable, and the number of previous authentication code generations within the particular time interval. Other information such as a personal identification number (PIN) and a verifier identifier can also be combined into the authentication code.

Abstract: A method and system for registering, storing and managing personal data for use over a network, and for allowing users to register for, link to and log onto third party Web sites. The invention queries a user for registration, authentication credentials information, such as user names, passwords, etc., for any type of application, and securely stores this data in a centralized user database. The invention prompts when registration/authentication is needed, and either manually with user intervention or automatically with user permission inputs stored data, or automatically creates the registration/authentication credential data for the user. The invention further monitors a user's network browsing, detects when registration/authentication is needed, and either manually with user intervention or automatically with user permission inputs stored data, or automatically creates the registration/authentication credential data for the user. The invention then securely transmits authentication credentials data for automatic login at third party Web sites.

Abstract: A method and apparatus for a network-wide authentication and authorization mapping system for a network is provided. The global authentication and authorization mapping system enables a seamless transition from one web-based application in the network configuration to another web-based application in the network configuration, including a single sign-on capability for users. There are no localized security enforcement processes required to further authenticate a user.

Abstract: A mobile agent is an object which can autonomously migrate in a distributed system to perform tasks on behalf of its creator. Security issues in regard to the protection of host resources, as well as the agent themselves, raise significant obstacles in practical applications of the agent paradigm. This article describes the security architecture of Ajanta, a Java-based system for mobile agent programming. This architecture provides mechanisms to protect server resources from malicious agents, agent data from tampering by malicious servers and communication channels during its travel, and protection of name service data and the global namespace. We present here a proxy based mechanism for secure access to server resources by agents. Using Java's class loader model and thread group mechanism, isolated execution domains are created for agents at a server. An agent can contain three kinds of protected objects: read-only objects whose tampering can be detected, encrypted objects for specific servers, and a secure append-only log of objects. A generic authentication protocol is used for all client–server interactions when protection is required. Using this mechanism, the security model of Ajanta enforces protection of namespaces, and secure execution of control primitives such as agent recall or abort. Ajanta also supports communication between agents using RMI, which can be controlled if required by the servers' security policies. Copyright © 2001 John Wiley & Sons, Ltd.

Abstract: We present a unilateral authentication protocol for protecting IPv6 networks against abuse of mobile IPv6 primitives. A mobile node uses a partial hash of its public key for its IPv6 address. Our protocol integrates distribution of public keys and protects against falsification of network addresses. Our protocol is easy to implement, economic to deploy and lightweight in use. It is intended to enable experimentation with (mobile) IPv6 before the transition to a comprehensive IPSEC infrastructure.

Abstract: Systems for providing an authentication service through a number of authentication mechanisms associated with each user. Lists of the authentication mechanisms associated with each user are stored in a set of portfolios, one portfolio for each user. Authentication mechanisms include laptops, PCs, biometric input devices, smart card readers, proximity badge readers, magnetic stripe readers, and the like. The systems have various configurations of registration servers, authentication servers, and authorization servers. Methods for providing an authentication service include relating a user identity to a portfolio, relating a type of transaction to a level of authentication, and authenticating the user identity through one or more authentication mechanisms for the type of transaction, according to the level of authentication required.

Abstract: We consider the authentication of digital streams over a lossy network. The overall approach taken is graph-based, as this yields simple methods for controlling overhead, delay, and the ability to authenticate, while serving to unify many previously known hash- and MAC-based techniques. The loss pattern of the network is defined probabilistically, allowing both bursty and random packet loss to be modeled. Our authentication schemes are customizable by the sender of the stream; that is, within reasonable constraints on the input parameters, we provide schemes that achieve the desired authentication probability while meeting the input upper bound on the overhead per packet. In addition, we demonstrate that some of the shortcomings of previously known schemes correspond to easily identifiable properties of a graph, and hence, may be more easily avoided by taking a graph-based approach to designing authentication schemes.

Abstract: Client authentication has been a continuous source of problems on the Web. Although many well-studied techniques exist for authentication, Web sites continue to use extremely weak authentication schemes, especially in non-enterprise environments such as store fronts. These weaknesses often result from careless use of authenticators within Web cookies. Of the twenty-seven sites we investigated, we weakened the client authentication on two systems, gained unauthorized access on eight, and extracted the secret key used to mint authenticators from one. We provide a description of the limitations, requirements, and security models specific to Web client authentication. This includes the introduction of the interrogative adversary, a surprisingly powerful adversary that can adaptively query a Web site. We propose a set of hints for designing a secure client authentication scheme. Using these hints, we present the design and analysis of a simple authentication scheme secure against forgeries by the interrogative adversary. In conjunction with SSL, our scheme is secure against forgeries by the active adversary.

Abstract: This invention concerns a consumable authentication protocol for validating the existence of an untrusted authentication chip, as well as ensuring that the authentication chip lasts only as long as the consumable. In a further aspect it concerns a consumable authentication system for the protocol. A trusted authentication chip has a test function; and the untrusted authentication chip has a read function to test data from the trusted chip, including a random number and its signature, encrypted using a first key, by comparing the decrypted signature with a signature calculated from the decrypted random number. In the event that the two signatures match, it returns a data message and an encrypted version of the data message in combination with the random number, encrypted using the second key. The test function operates to encrypt the random number together with the data message using a second secret key, compare the two versions of the random number encrypted together with the data message using the second key. In the event that the two versions match, the untrusted authentication chip and the data message are considered to be valid; otherwise, they are considered to be invalid.

Abstract: Transmission and exchange of digital images with friends and customers is become a very simple task thanks to the development of the communication networks and the tools built around them. Unfortunately, such operations become delicate whenever image security is required, typically for commercial applications or protection of proprietary data. Solutions associated to data encryption already exist but are usually complex and do not take into account the specificities of images, generally under a compressed form. The Joint Photographic Experts group has recently created a new still image coding standard called JPEG 2000. It presents an efficient compression scheme together with support of functionalities required by today and tomorrow applications (progressive decoding, region of interest...). By considering the JPEG 2000 algorithm, we are presenting tools for image authentication or access control (on image resolutions and qualities). These techniques can be applied on JPEG 2000 codestreams or directly integrated into the coding/decoding operations, and are mainly based on modification and insertion of information in the bit stream. The resulting codestreams remain compliant with the standard. Moreover, they allow image side information retrieval and/or prevent use by unauthorized parties.

Abstract: A system and method for securing pathways to a remote application server involves a gateway or authentication server, and a mobile code authentication and encryption client available for download from the gateway or authentication server. Upon connection of a user's computing device to the authentication server over the open network, the authentication server requests authentication information, such as a password, from the user, and upon authentication of the user by the authentication server, the authentication server downloads the mobile code authentication and encryption client to the user's computing device. The authentication and encryption client then authenticates itself to authentication server, after which a secure communications channel between the user's computing device and the authentication server is opened, the secure communications channel permitting transfer of data between the user's computing device and an application server. The system and method do not require pre-installation or any certificates or other authentication and encryption software on the user's computing device, enabling the system and method to be used with thin-client and mobile computing devices, as well as with conventional computers.

Abstract: Disclosed are a person authentication system, a person authentication method, and an information processing apparatus which allow person authentication to be performed in an easy fashion in various devices by comparing a template serving as person identification data with sampling information input by a user. A service provider (SP) or user device (UD) executes person authentication by acquiring a template from a person identification certificate (IDC) generated by a third-party agency serving as a person identification certificate authority (IDA). The IDA acquires a template serving as identification data after verifying a person requesting an IDC to be issued, and generates the IDC storing template information. The IDA distributes the IDC having a digital signature of the IDA added thereto to the SP and the UD.

Abstract: An access point device and its authentication method are provided which can dramatically improve a wireless LAN system in security level. The access point device includes: authentication request display means for notifying a network administrator administering the LAN of the presence of an authentication-requesting mobile station so as to gain the final authorization of an authentication procedure when a mobile station in the area perform the authentication procedure before the initiation of an association procedure; and authentication input means from which the network administrator notified inputs an authentication-authorizing or -rejecting instruction with respect to the authentication-requesting mobile station.

Abstract: A method for real-time authentication or authorization of a user (1) of a secured system (3) is based on using two authentication channels and an authentication device (4) from which the secured system can request authentication or authorization (6) over a secured information network connection (6, 9) One of the authentication channels is a telephone network (8), to which the authentication device (4) is connected A user logging into the secured system (3) over the other channel (6) of the authentication channels must make a call to the authentication device over the telephone network by his or her telephone (2) The authentication device verifies that a call has been received from a telephone number of the user's telephone, and issues a positive verification response to the secured system Upon receiving a positive response, the secured system provides a requested service through the other channel

Abstract: Method of authenticating a client comprising the steps of sending a subscriber identity to an authentication server; obtaining at least one challenge and at least one first secret to the authentication server based on a client's secret specific to the client; forming first credentials; forming a first authentication key using the at least one first secret; encrypting the first credentials using the first authentication key; sending the at least one challenge and the encrypted first credentials to the client; forming an own version of the first authentication key at the client; decrypting the encrypted first credentials using the own version of the first authentication key. In the method, the encrypted credentials are sent together with the at least one challenge to the client so that the client can proceed authentication only if it can derive the first secret from the at least one challenge.

Abstract: A methodology is presented for a network single sign-on (SSO) authentication process using digital certificates. A user has access to protected resources, such as legacy applications, that require verification of a user's authentication data prior to providing access. The user's authentication data is encrypted using the public key of the user, and an attribute certificate containing the encrypted authentication data is generated by an attribute-certificate-issuing authority. When a user requires access to the protected resource, an SSO agent performs an initial authentication process against the user. The SSO agent then retrieves the user's attribute certificate, and for subsequent authentication requests for other protected resources, the SSO agent uses the authentication data from the attribute certificate that corresponds to the targeted protected resource. The SSO agent forwards the required authentication data to the protected resource, and the protected resource then authenticates a user based on the provided authentication data.

Abstract: A system and method for providing pluggable authentication and access control in computer systems and services are described. The authentication and access control process may be categorized into three components: an authentication protocol, a user repository and an access control model. In one embodiment, the authentication and access control mechanism may be implemented as three pluggable modules: an authentication protocol handler module for the authenticator side, an authentication protocol handler for the side to be authenticated, and an access control context module on the authenticator side. The pluggable modules may be exchangeable to support a variety of authentication types, user repositories, and access control models. The authentication protocol handlers provide symmetrical methods to handle requests and responses in the authentication process that reflect the symmetrical nature of the authentication process.

Abstract: An authentication requester 11 uses property 13 thereof to request authentication. When an encryption key 41 for requesting authentication is input into the property 13, the encryption key 41 and a public key 42 (public information for encryption) are combined, such that encrypted information 46 is computed from biometrics information 44 and variable information 45 on varying location, time, etc. The encrypted information 46 is then transmitted as presented information 14 to a verification unit 16 A. In the verification unit 16 A, an encryption key 43 for authentication and the public key 42 (public information for decryption) are used to decode the encrypted information 46, and the decoded information is compared for a match. When a configuration in which the encryption key 41 merely passes through the property 13 and the verification unit 16 A and does not remain as a default value, is adopted, the risk of theft of the encryption key 41 by a third party is reduced.

Abstract: A computer network security arrangement and method are disclosed which provides in a distributed complex computer network an authentication and authorization access for limiting access to network devices. The different levels of authentication involve the login/password process; comparison against access control lists; and mandatory program protocol control. Included are audit trails for authenticated calls and denied access calls.

Abstract: It is an object to provide an user identity authentication system and an user identity authentication method with the Internet and a mobile information communication device. The mobile information communication device includes a liquid crystal device with a built-in image sensor. The image sensor reads individual information of a user, and user's identity is authenticated based on the individual information. A result of the authentication is unicast via the Internet. Alternatively, it is judged whether or not the result of the authentication is required to be unicast in accordance with a degree of requirement preset in the mobile information communication device or a destination terminal of communication, and the result is unicast via the Internet only when needed.

Abstract: Apparatus and method for authentication of a user, the apparatus comprising functionality, associated with a cellular Internet authentication portal, for: communicating via a secure link with an authenticatable device, using secure personalization associated with said authentication portal and said authenticatable device, typically a mobile telephone having a SIM, to verify that the communication is with the intended user, and associating the authentication with an activity request via a non-authenticatable device, thereby to authenticate the activity request of the non-authenticatable device.

Abstract: A device and method capable of communicating with a communication network via a Bluetooth communication protocol, wherein the device includes at least one authentication functionality, at least part of at least one of which is operative to communicate authentication information via the Bluetooth communication protocol.

Abstract: The present invention discloses an authentication method using a cellular phone in internet. According to the present invention, when connecting to internet or performing electronic commerce, the authentication is performed through the cellular phone in parallel with a personal information stored when user"s joining the cellular phone service, a number particular to the cellular phone, a secret number in an authentication required for the connection or the settlement of accounts. Specifically, in authentication process for making up accounts, besides the line connected to internet, a separate cellular phone line is used and if the authentication data of the internet site server is identical to that of the cellular phone service company, the authentication process is completed, thereby eliminating the danger of hacking basically.

Abstract: The results of the implementation of elliptic curve cryptography (ECC) over the field GF(p) on an 80 MHz, 32-bit ARM microprocessor are presented. A practical software library has been produced which supports variable length implementation of the elliptic curve digital signature algorithm (ECDSA). The ECDSA and a previously proposed ECC-based wireless authentication protocol are implemented using the library. Timing results show that the 160-bit ECDSA signature generation and verification operations take around 46 ms and 94 ms, respectively. With these timings, the execution of the ECC-based wireless authentication protocol takes around 140 ms on the ARM7TDMI processor, which is a widely used, low-power core processor for wireless applications.

Abstract: Methods, systems, computer program products and data structures are described which allow a client to communicate with a server even though multiple proxies that require different authentication data must be traversed to allow such communication. In operation, the client first authenticates to a first proxy using authentication data appropriate for the first proxy. The client then authenticates to a second proxy using different authentication data that is appropriate for the second proxy. This proxy authentication continues through as many proxies as necessary until the client is in communication with the server.