A method for providing security using secure computation
US-2015349958-A1 · Dec 3, 2015 · US
Recovery mechanism for fault-tolerant split-server passcode verification of one-time authentication tokens
US9749314B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9749314-B1 |
| Application number | US-201615097773-A |
| Country | US |
| Kind code | B1 |
| Filing date | Apr 13, 2016 |
| Priority date | Jun 30, 2014 |
| Publication date | Aug 29, 2017 |
| Grant date | Aug 29, 2017 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
A recovery mechanism is provided for split-server passcode verification systems. An exemplary token-centric recovery scheme comprises at least one token and a plurality of authentication servers, comprises the steps of: determining that a first one of the plurality of authentication servers is unavailable; applying an authentication mechanism to a message requesting the token to change to a new split-state mode; and sending the authenticated message to the token. The authentication mechanism comprises, for example, a relying party signing the message using a next passcode of the new split-state mode. The new split-state mode comprises, for example, a single server passcode verification and wherein the next passcode of the new split-state mode comprises a next passcode of the single server. A client optionally changes to the new split-state mode after successfully verifying the authentication mechanism.
First claim
Opening claim text (preview).
What is claimed is: 1. A recovery method for a split-server passcode verification system comprising at least one token and a plurality of authentication servers, said recovery method comprising: determining, using at least one processing device, that a first one of said plurality of authentication servers is unavailable; generating an authenticated message by applying, using said at least one processing device, an authentication mechanism to a message requesting said token to change to a new split-state mode, wherein said new split-state mode modifies one or more computations used to compute a next passcode and wherein said authentication mechanism comprises signing said message using said next passcode of said new split-state mode; and sending, using said at least one processing device, said authenticated message to said token. 2. The method of claim 1 , wherein said authentication mechanism comprises a relying party signing said message using said next passcode of said new split-state mode. 3. The method of claim 1 , wherein said new split-state mode comprises a single server passcode verification and wherein said next passcode of said new split-state mode comprises a next passcode of said single server. 4. The method of claim 1 , wherein a client changes to said new split-state mode after successfully verifying said authentication mechanism. 5. The method of claim 1 , wherein said first authentication server and a second authentication server provide an “aliveness” message to at least one other server. 6. The method of claim 1 , wherein said first authentication server and a second authentication server exchange an encrypted version of a respective secret key used to protect a partial secret state. 7. The method of claim 1 , wherein said applying step is responsive to said determination that the first one of said plurality of authentication servers is unavailable. 8. An apparatus of a split-server passcode verification system comprising at least one token and a plurality of authentication servers, said apparatus comprising: a memory; and at least one processing device, coupled to the memory, operative to implement the following steps: determining, using said at least one processing device, that a first one of said plurality of authentication servers is unavailable; generating an authenticated message by applying, using said at least one processing device, an authentication mechanism to a message requesting said token to change to a new split-state mode, wherein said new split-state mode modifies one or more computations used to compute a next passcode and wherein said authentication mechanism comprises signing said message using said next passcode of said new split-state mode; and sending, using said at least one processing device, said authenticated message to said token. 9. The apparatus of claim 8 , wherein said authentication mechanism comprises a relying party signing said message using said next passcode of said new split-state mode. 10. The apparatus of claim 8 , wherein said new split-state mode comprises a single server passcode verification and wherein said next passcode of said new split-state mode comprises a next passcode of said single server. 11. The apparatus of claim 8 , wherein a client changes to said new split-state mode after successfully verifying said authentication mechanism. 12. The apparatus of claim 8 , wherein said first authentication server and a second authentication server provide an “aliveness” message to at least one other server. 13. The apparatus of claim 8 , wherein said first authentication server and a second authentication server exchange an encrypted version of a respective secret key used to protect a partial secret state. 14. The apparatus of claim 8 , wherein said applying step is responsive to said determination that the first one of said plurality of authentication servers is unavailable. 15. An article of manufacture for a split-server passcode verification system comprising at least one token and a plurality of authentication servers, said article of manufacture comprising a non-transitory machine readable medium containing one or more programs which when executed implement the steps of: determining, using at least one processing device, that a first one of said plurality of authentication servers is unavailable; generating an authenticated message by applying, using said at least one processing device, an authentication mechanism to a message requesting said token to change to a new split-state mode, wherein said new split-state mode modifies one or more computations used to compute a next passcode and wherein said authentication mechanism comprises signing said message using said next passcode of said new split-state mode; and sending, using said at least one processing device, said authenticated message to said token. 16. The article of manufacture of claim 15 , wherein said authentication mechanism comprises a relying party signing said message using said next passcode of said new split-state mode. 17. The article of manufacture of claim 15 , wherein said new split-state mode comprises a single server passcode verification and wherein said next passcode of said new split state mode comprises a next passcode of said single server. 18. The article of manufacture of claim 15 , wherein a client changes to said new split-state mode after successfully verifying said authentication mechanism. 19. The article of manufacture of claim 15 , wherein said first authentication server and a second authentication server provide an “aliveness” message to at least one other server. 20. The article of manufacture of claim 15 , wherein said first authentication server and a second authentication server exchange an encrypted version of a respective secret key used to protect a partial secret state.
Assignees
Inventors
Classifications
- H04L63/0838Primary
using one-time-passwords · CPC title
for key exchange, e.g. in peer-to-peer networks (cryptographic mechanisms or cryptographic arrangements for key agreement H04L9/0838) · CPC title
Secret sharing or secret splitting, e.g. threshold schemes · CPC title
involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token (network architectures or network communication protocols for supporting authentication of entities using an additional device in a packet data network H04L63/0853) · CPC title
Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US9749314B1 cover?
- A recovery mechanism is provided for split-server passcode verification systems. An exemplary token-centric recovery scheme comprises at least one token and a plurality of authentication servers, comprises the steps of: determining that a first one of the plurality of authentication servers is unavailable; applying an authentication mechanism to a message requesting the token to change to a new…
- Who is the assignee on this patent?
- Emc Ip Holding Co Llc
- What technology area does this patent fall under?
- Primary CPC classification H04L63/0838. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Tue Aug 29 2017 00:00:00 GMT+0000 (Coordinated Universal Time) (B1). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).