Abstract: We describe LEAPp (Localized Encryption and Authentication Protocol), a key management protocol for sensor networks that is designed to support in-network processing, while at the same time restricting the security impact of a node compromise to the immediate network neighborhood of the compromised node. The design of the protocol is motivated by the observation that different types of messages exchanged between sensor nodes have different security requirements, and that a single keying mechanism is not suitable for meeting these different security requirements. LEAPp supports the establishment of four types of keys for each sensor node: an individual key shared with the base station, a pairwise key shared with another sensor node, a cluster key shared with multiple neighboring nodes, and a global key shared by all the nodes in the network. LEAPp also supports (weak) local source authentication without precluding in-network processing. Our performance analysis shows that LEAPp is very efficient in terms of computational, communication, and storage costs. We analyze the security of LEAPp under various attack models and show that LEAPp is very effective in defending against many sophisticated attacks, such as HELLO flood attacks, node cloning attacks, and wormhole attacks. A prototype implementation of LEAPp on a sensor network testbed is also described.

Abstract: A computer system (200) to authenticate users of vendors supplying services and/or products to the users, the system having programmed processors providing authentication rules (245a), authenticating users according to the authentication rules responsive to user authentication requests (300), configuring the authentication rules in real-time, thereby allowing real-time customization of the system, providing multi-factor user authentication processes (100), using any data sources (230/250) providing information about and/or known to the users to authenticate the users, thereby providing a data agnostic system, and authentication strategies correspond to the authentication rules, thereby allowing the system to support authentication strategy experimentation.

Abstract: A method and system for generating an authentication code that depends at least in part on a dynamic value that changes over time, an event state associated with the occurrence of an event, and a secret associated with an authentication device. By generating the authentication code responsive to an event state, an identity authentication code can be used to verify identity and to communicate event state information, and to do so in a secure manner.

Abstract: The recent proliferation of wireless local area networks (WLAN) has introduced new location privacy risks. An adversary controlling several access points could triangulate a client's position. In addition, interface identifiers uniquely identify each client, allowing tracking of location over time. We enhance location privacy through frequent disposal of a client's interface identifier. The described system curbs the adversary's ability to continuously track a client's position. Design challenges include selecting new interface identifiers, detecting address collisions at the MAC layer, and timing identifier switches to balance network disruptions against privacy protection. Using a modified authentication protocol, network operators can still control access to their network. An analysis of a public WLAN usage trace shows that disposing addresses before reassociation already yields significant privacy improvements.

Abstract: The present invention relates generally to systems for creating and authenticating printed objects using authentication information. One implementation recites: An apparatus for determining authenticity of a digital representation of an object. The digital representation includes embedded first authentication information. The apparatus includes: a storage system in which stored second authentication information is associated with stored reference codes; and a processor which receives the digital representation and a reference code associated therewith. The processor includes: an authentication information reader, and the processor: i) employs the reference code to retrieve the second authentication information associated therewith from the storage system, ii) employs the authentication information reader to recover the embedded first authentication information, and iii) employs recovered first authentication information and the second authentication information to determine authenticity of the digital representation. Other implementations are provided and claimed as well.

Abstract: Tapping into the communication between two hosts on a LAN has become quite simple thanks to tools that can be downloaded from the Internet. Such tools use the address resolution protocol (ARP) poisoning technique, which relies on hosts caching reply messages even though the corresponding requests were never sent. Since no message authentication is provided, any host of the LAN can forge a message containing malicious information. We present a secure version of ARP that provides protection against ARP poisoning. Each host has a public/private key pair certified by a local trusted party on the LAN, which acts as a certification authority. Messages are digitally signed by the sender, thus preventing the injection of spurious and/or spoofed information. As a proof of concept, the proposed solution was implemented on a Linux box. Performance measurements show that PKI based strong authentication is feasible to secure even low level protocols, as long as the overhead for key validity verification is kept small.

Abstract: A method is provided for supporting processing of a transaction conducted between a first party and a second party. The first party accepts payment via a plurality of different payment options selectable by the second party, and the plurality of different payment options are associated with a plurality of different authentication protocols prescribed therefor. The method includes: receiving payment information over a communications network at a server operatively connected to the communications network, the payment information identifying a particular payment option used by the second party for the transaction, and the server being equipped to format and route messages over the communications network in different manners to accommodate the plurality of different authentication protocols; determining from the payment information received at the server which of the different authentication protocols is prescribed for the type of payment option identified in the payment information; selecting, in accordance with the determination, a particular authentication protocol from the plurality of different authentication protocols supported by the server; and, obtaining an authentication determination for the transaction in accordance with the selected authentication protocol, including formatting messages and routing the formatted messages over the communications network in accordance with one or more mandates of the selected authentication protocol.

Abstract: An improved authentication system utilizes multi-factor user authentication. In an exemplary embodiment, one authentication factor is the user's speech pattern, and another authentication factor is a one-time passcode. The speech pattern and the passcode may be provided via voice portal and/or browser input. The speech pattern is routed to a speaker verification subsystem, while the passcode is routed to a passcode validation subsystem. Many other combinations of input types are also possible. For heightened security, the two (or more) authentication factors are preferably, although not necessarily, provided over differing communication channels (i.e., they are out-of-band with respect to each other). If a user is authenticated by the multi-factor process, he is given access to one or more desired secured applications. Policy and authentication procedures may be abstracted from the applications to allow a single sign-on across multiple applications.

Abstract: A process for the production of a uniformly blended textured vegetable protein food product including a mixture of dehydrated food granules containing specifically sized granules of a flavored textured soy protein. The dehydrated food particles including the flavored textured soy granules are mixed in a blender so as to blend the particles together into a uniform mixture. Dehydrated onion flakes of a specific size are then added and finally mixed with the previously blended food particles so as to blend all the particles together whereby oils from certain flavored soy granules (i.e. bacon) are coated on and absorbed by the onion flakes and other dehydrated vegetables and additives.

Abstract: This paper explores computer security in pervasive computing with focus on user authentication. We present the concept of Proximity-Based User Authentication, as a usability-wise ideal for UbiComp systems. We present a context-aware user authentication protocol, which (1) uses a JavaCard for identification and cryptographic calculations, (2) uses a context-awareness system for verifying the user’s location, and (3) implements a security fall-back strategy. We analyze the security of this protocol and discuss the tradeoff between usability and security. We also present our current implementation of the protocol and discuss future work.

Abstract: E-mail-based identification and authentication is an emerging alternative to public-key infrastructure. It overcomes many problems inherent with traditional authentication techniques, such as social security numbers, and. provides functional security when used within a limited context.

Abstract: Most ad hoc networks do not implement any network access control, leaving these networks vulnerable to resource consumption attacks where a malicious node injects packets into the network with the goal of depleting the resources Of the nodes relaying the packets. To thwart or prevent such attacks, it is necessary to employ authentication mechanisms that ensure that only authorized nodes can inject traffic into the network. In this paper we present LHAP a scalable and light-weight authentication protocol for ad hoc networks. LHAP is based on two techniques: (i) hop-by-hop authentication for verifying the authenticity of all the packets transmitted in the network and (ii) one-way key chain and TESLA for packet authentication and for reducing the overhead for establishing trust among nodes. We analyze the security of LHAP and show LHAP is a lightweight security protocol through detailed performance analysis.

Abstract: Generic Internet Protocol (IP) authentication is provided by authentication server (134). Application Programming Interface (API) (310) detects the protocol type of an incoming authentication request and invokes one of a number of authentication mechanisms (318-326) depending on the protocol type detected. A localized repository (520) is provided to store Subscriber Identity Module (SIM) information and other algorithm data as required to facilitate the authentication session.

Abstract: Centralized authentication systems are provided. A representative system, among others, includes a mobile authentication registration system, a content provider and a wireless internet server. The mobile authentication registration system resides on a content provider which is coupled to the internet, and is operable to receive a single identification number and password from a user independent of a platform the user is associated with, and determine that the identification number and password combination provided by the user is associated with a registered user. The content provider provides personalized internet content to any of a plurality of registered users on a plurality of platforms. The wireless internet server receives a connection request from a wireless device, sends an authentication request to the mobile authentication registration system, and provides a personalized internet content from the content provider to said at least one wireless device. Methods and other systems for multiple access portals are also provided.

Abstract: Disclosed is a method for authenticating a mobile node in a wireless local area network including at least two access points and an authentication server. When the mobile node associates with a first access point and performs initial authentication, the mobile node receives a first session key for secure communication from the authentication server by using a first private key generated with a secret previously shared with the authentication server, and the first access point receives the first session key from the authentication server by using a second private key previously shared with the authentication server. When the mobile node is handed over from the first access point to a second access point and performs re-authentication, the mobile node receives a second session key for secure communication from the authentication server by using a third private key generated with authentication information generated during previous authentication and shared with the authentication server and the second access point receives the second session key from the authentication server by using the second private key previously shared with the authentication server.

Abstract: An online transaction system configured to implement authentication methods that allow for strong multi-factor authentication in online environments. The authentication methods can be combined with strong security methods to further ensure that the authentication process is secure. Further, the strong multi-factor authentication can be implemented with zero adoption dependencies through the implementation of automated enrollment methods.

Abstract: A method for authenticating clients and boot server hosts to provide a secure network boot environment. Messages are exchanged between a client and a boot server or authentication server proxy for the boot server during pre-boot operations of the client to authentic the boot server and the client. In one embodiment, authentication is performed by comparing shared secrets stored on each of the client and the boot server or authentication proxy. The shared secret comprises authentication credentials that may be provisioned by an administrator, user, or by the client itself via a trusted platform module. Authentication provisioning schemes include an Extensible Authentication Protocol (EAP) exchange. In one embodiment, authentication is performed during the pre-boot via an authenticated Dynamic Host Configuration Protocol (DHCP) process. The scheme provides a faster and more simplified authentication mechanism, without requiring extensive set-up for IT administrators or significantly changing the login and OS boot user experience.

Abstract: A system and method provides secure authentication of a wireless communication channel for a vehicle telematics device that includes detecting a wireless access point within radio range of a telematics device, requesting authentication information for the access point through a first secure communication channel to a call center, receiving authentication information for the wireless access point from the call center through the first secure communication channel, and providing authentication information for the telematics device to the wireless access point through a second secure communication channel. A computer readable medium storing a computer program is described for implementing one or more steps of the method.

Abstract: An inter-authentication method capable of safely and easily performing inter-authentication In the inter-authentication process, a private key K0 of the initial value is stored in a client and a server (Pc0, Ps0) The client generates a random number R, calculates password data C and authentication data A, and transmits the result to the server (Pc1) The server receives the authentication data A and the password data C from the client, generates a random number R, calculates and returns password data S and authentication data Q, and updates the private key K0 to a new private key K1 (Ps1) The client receives the authentication data B and the password data S from the server, generates a random number R, calculates the password data C2 and the authentication data A2, returns the results to the server, and updates the private key K0 to the new private key K1 (Pc2) The client and the server check whether validity is satisfied

Abstract: A digital rights management system (DRM) (100) for restricting and permitting content access in a digital content distribution network such as a network used to deliver television programming. The DRM uses distributed authentication and provisioning so that the potentially many different entities involved in the content distribution network can have localized management control. Distributed authentication can use single or multiple instances of authentication services. A ticket granting service (TGS) (108) is used to allow clients to request services. In one approach, multiple authentication services use a common key that is known to the TGS (108). In another approach, unique keys are provided to each authentication service and these keys are communicated to the TGS.

Abstract: We perform a systematic expansion of protocol narrations into terms of process algebra in order to make precise some of the detailed checks that need to be made in a protocol. We then apply static analysis technology to develop an automatic validation procedure for protocols. Finally, we demonstrate that these techniques suffice for identifying a number of authentication flaws in symmetric key protocols such as Needham-Schroeder, Otway-Rees, Yahalom and Andrew Secure RPC.

Abstract: A method and device for routing data packets of a wireless terminal device in a communication network. When Open system Authentication is used, the system operates similarly as the current Nokia Operator Wireless LAN system, in which the terminal device and the access controller are the parties involved in the authentication. The access controller relays information relating to the authentication between the terminal device and an authenticating server, and it is capable of updating independently the list of users it maintains. When authentication according IEEE 802.1X authentication, the access point operates according to the IEEE 802.1X standard, serving as the authenticating party and relaying information relating to the authentication between the terminal device and the authentication server. In addition, the list maintained by the access controller is updated after a successful authentication, for example by the access point or the authenticating server.

Abstract: In the Universal Mobile Telecommunication System (UMTS), authentication functions are utilized to identify and authenticate a mobile station (MS) and validate the service request type to ensure that the user is authorized to use the particular network services. The authenticating parties are the authentication center (AuC) in the home network and the MS. In the UMTS, the serving general packet radio service support node (SGSN) accesses the AuC to obtain the authentication data, and delegates the AuC to perform mutual authentication with the MS. Since the cost for accessing AuC is expensive, the SGSN may obtain an array of authentication vectors (AVs) at a time so that the number of accesses can be reduced. On the other hand, if the size K of the AV array is large, the AV array transmission from the AuC to the SGSN may be expensive. Thus, it is desirable to select an appropriate K value to minimize the authentication network signaling cost. We propose an analytic model to investigate the impact of K on the network signaling traffic, which is validated by simulation experiments. Then, we propose an automatic K-selection mechanism that dynamically selects the size of the AV array to reduce the network signaling cost. Our study indicates that the automatic K-selection mechanism effectively identifies appropriate size of the authentication vector array.

Abstract: A simple authentication technique for use in the global mobility network (GLOMONET) is proposed. This technique is based on the concept of distributed security management, i.e., the original security manager administrates the original authentication key (long-term secret key) acquired when a user makes a contract with his home network, while a temporary security manager is generated for a roaming user in the visited network that provides roaming services. The temporary security manager will take the place of the original security manager when the roaming user stays in the service area of the visited network. In the proposed authentication protocol for the regular communication phase, the procedures of the original security manager and the temporary security manager are the same except for introducing different parameters. Furthermore, the proposed technique not only reduces the number of transmissions during the authentication phase, but it also can decrease the complexity of mobile equipment. The idea behind the proposed technique is to introduce a simple mechanism which is called "self-encryption". We also suggest that this mechanism can be easily adopted as the authentication function for the secure teleconference service.

Abstract: We present the formalization and verification of a recent cryptographic protocol for certified email. Relying on a tool for automatic protocol analysis, we establish the key security properties of the protocol. This case study explores the use of general correspondence assertions in automatic proofs, and aims to demonstrate the considerable power of the tool and its applicability to non-trivial, interesting protocols.

Abstract: An online transaction system configured to implement authentication methods that allow for strong multi-factor authentication in online environments. The authentication methods can be combined with strong security methods to further ensure that the authentication process is secure. Further, the strong multi-factor authentication can be implemented with zero adoption dependencies through the implementation of automated enrollment methods.

Abstract: This paper discusses the security aspects of a registration protocol in a mobile satellite communication system. We propose a new mobile user authentication and data encryption scheme for mobile satellite communication systems. The scheme can remedy a replay attack.