Abstract: Techniques for authentication are provided. A first authentication request transformed with a private portion of a first type split private key is received. A first user is authenticated for a first level of network access based upon the first request being transformed with the first type of split private key. A second authentication request that is transformed with a private portion of a second type private key is also received. A second user is authenticated for a second level of network access based upon the second request being transformed with the second type of split private key.

Abstract: Techniques for generating a portion of a split private key are provided. A first symmetric key and a second symmetric key different than the first symmetric key are generated at a first location. The generated second symmetric key and a first one of multiple factors for generating the private key portion encrypted with the generated first symmetric key are transmitted. Then, at a second network location, the symmetric keys are again generated. The encrypted first factor is received at the second network location subsequent to a user authentication based upon the second symmetric key generated at the second network location. The received encrypted first factor is then decrypted with the first symmetric key generated at the second network location, the decrypted first factor usable to generate the portion of the split private key of the asymmetric key pair.

Abstract: A first network station encrypts a first message with a first key portion from a first split of a private or public key of a user's asymmetric crypto-key and transmits it during a network session. The second network station decrypts the transmitted encrypted first message with a second key portion from the first split of the one key of the asymmetric crypto-key to initially authenticate the user for access, during the session, to store information. The first network station also encrypts a second message with another first key portion from a second split of that one key, and subsequently transmits it during the same network session. The second network station decrypts the subsequently transmitted encrypted second message with another second key portion from the second split of that same one key to subsequently authenticate the user for access, during the same session, to other stored_information.

Abstract: Techniques for generating a multi-factor asymmetric key pair having a public key and split private key with multiple private portions, at least one of the multiple portions being a multiple factor private key portion, are provided. First and second asymmetric key pairs are generated, each having a private key and a public key. A text string and the first private key are cryptographically combined to make a first private key portion of the split private key. This first private key portion is a multiple factor private key portion. A second private key portion of the split private key is generated based upon the generated first private key portion and the second private key.

Abstract: A secure data parser is provided that may be integrated into any suitable system for securely storing and communicating data. The secure data parser parses data and then splits the data into multiple portions that are stored or communicated distinctly. Encryption of the original data, the portions of data, or both may be employed for additional security. The secure data parser may be used to protect data in motion by splitting original data into portions of data, that may be communicated using multiple communications paths. A keyed information dispersal algorithm (keyed IDA) may also be used. The key for the keyed IDA may additionally be protected by an external workgroup key, resulting in a multi-factor secret sharing scheme.

Abstract: A robust computational secret sharing scheme that provides for the efficient distribution and subsequent recovery of a private data is disclosed. A cryptographic key may be randomly generated and then shared using a secret sharing algorithm to generate a collection of key shares. The private data may be encrypted using the key, resulting in a ciphertext. The ciphertext may then be broken into ciphertext fragments using an Information Dispersal Algorithm. Each key share and a corresponding ciphertext fragment are provided as input to a committal method of a probabilistic commitment scheme, resulting in a committal value and a decommittal value. The share for the robust computational secret sharing scheme may be obtained by combining the key share, the ciphertext fragment, the decommittal value, and the vector of committal values.

Abstract: Techniques for user authentication based upon an asymmetric key pair having a public key and a split private key are provided. A first portion of the split private key is generated based upon multiple factors under control of the user. The factors include a password. A challenge is cryptographically combined with a first one of the multiple factors, but not the user password, to form a first message. The first message is transformed with the generated first portion to form a second message, which is then sent to an authentication entity. The sent second message is transformed to authenticate the user by proving direct verification of user control of the first factor.

Abstract: A processor generates an asymmetric crypto-key, such as an RSA crypto-key, which is associated with the user and includes a private key and a public key. It computes a first key portion based on a stored random number generation function, which has one or more constants such as a salt and/or iteration count, and a first value of a constant, and a second key portion based on the computed first key portion and one of the private key and the public key. It additionally computes another first key portion based on the stored random number generation function and a second value of that constant, and another second key portion based on the computed other first key portion and the one key. The computed first and second key portions and the computed other first and second key portions form first and second splits of the one key of the asymmetric crypto-key.

Abstract: A first network station encrypts a first message with a first key portion from a first split of a private or public key of a user's asymmetric crypto-key and transmits it during a network session. The second network station decrypts the transmitted encrypted first message with a second key portion from the first split of the one key of the asymmetric crypto-key to initially authenticate the user for access, during the session, to store information. The first network station also encrypts a second message with another first key portion from a second split of that one key, and subsequently transmits it during the same network session. The second network station decrypts the subsequently transmitted encrypted second message with another second key portion from the second split of that same one key to subsequently authenticate the user for access, during the same session, to other stored_information.

Abstract: A system for securing information, includes a processor and storage device. The storage device stores information encrypted with one of a first private rolling key and a first public rolling key of an a first asymmetric rolling crypto-key, along with the one first rolling key. The processor has the logic to direct transmission, via a network, of proof of knowledge of the stored one first rolling key to authenticate a user, and of a request for the other of the first private rolling key and the first public rolling key. The processor receives the other first rolling key via the network, responsive to the directed transmission. The processor then decrypts the stored encrypted information with the received other first rolling key, and generates a second asymmetric rolling crypto-key having a second private rolling key and a second public rolling key. The processor encrypts the information with one of the second private rolling key and the second public rolling key.

Abstract: Techniques for authentication are provided. A first authentication request transformed with a private portion of a first type split private key is received. A first user is authenticated for a first level of network access based upon the first request being transformed with the first type of split private key. A second authentication request that is transformed with a private portion of a second type private key is also received. A second user is authenticated for a second level of network access based upon the second request being transformed with the second type of split private key.

Abstract: To authenticate a user having an associated asymmetric crypto-key having a private/public key pair (D,E) based on a one-time-password, the user partially signs a symmetric session key with the first portion D1 of the private key D. The authenticating entity receives the partially signed symmetric session key via the network and completes the signature with the second private key portion D2 to recover the symmetric session key. The user also encrypts a one-time-password with the symmetric session key. The authenticating entity also receives the encrypted one-time-password via the network, and decrypts the received encrypted one-time-password with the recovered symmetric session key to authenticate the user.

Abstract: Techniques for user authentication based upon an asymmetric key pair having a public key and a split private key are provided. A first portion of the split private key is generated based upon multiple factors under control of the user. The factors include a password. A challenge is cryptographically combined with a first one of the multiple factors, but not the user password, to form a first message. The first message is transformed with the generated first portion to form a second message, which is then sent to an authentication entity. The sent second message is transformed to authenticate the user by proving direct verification of user control of the first factor.

Abstract: Techniques for generating a private portion of a split private key of an asymmetric key pair are provided. Multiple factors upon which the private portion of the split private key is based are received. Each of these multiple factors is under control of a user associated with the asymmetric key pair. Multiple cryptographic operations are then performed using the received multiple factors to generate the private portion.

Abstract: Techniques for generating a portion of a split private key are provided. A first symmetric key and a second symmetric key different than the first symmetric key are generated at a first location. The generated second symmetric key and a first one of multiple factors for generating the private key portion encrypted with the generated first symmetric key are transmitted. Then, at a second network location, the symmetric keys are again generated. The encrypted first factor is received at the second network location subsequent to a user authentication based upon the second symmetric key generated at the second network location. The received encrypted first factor is then decrypted with the first symmetric key generated at the second network location, the decrypted first factor usable to generate the portion of the split private key of the asymmetric key pair.

Abstract: Techniques for securing an asymmetric crypto-key having a public key and a split private key with multiple private portions are provided. A first one of multiple factors is stored. All of the factors are under the control of a user and all are required to generate a first private portion of the split private key. The first private portion not stored in a persistent state. A second private portion of the split private key under control of an entity other than the user is also stored. The first private portion and the second private portion are combinable to form a complete private portion.

Abstract: Techniques for providing different levels of access based upon a same authentication factor are provided. A first message is received that is transformed with a first portion of a split private key, the first portion based upon a user password and another factor, and the split private key associated with an asymmetric key pair having a public key and the split private key. The user is authenticated for a first level of network access based upon the received first message being transformed with the first portion. A second message is received that is transformed with a second portion of the split private key, the second portion based upon the password only and not combinable with the first portion to complete the split private key. The user is authenticated for a second level of network access different that the first level based upon the received second message being transformed with the second portion.

Abstract: Techniques for generating a multi-factor asymmetric key pair having a public key and split private key with multiple private portions, at least one of the multiple portions being a multiple factor private key portion, are provided. First and second asymmetric key pairs are generated, each having a private key and a public key. A text string and the first private key are cryptographically combined to make a first private key portion of the split private key. This first private key portion is a multiple factor private key portion. A second private key portion of the split private key is generated based upon the generated first private key portion and the second private key.

Abstract: An RSA-based signing scheme that combines essentially optimal efficiency with attractive security properties. One preferred signing routine requires one RSA decryption plus some hashing, verifications requires one RSA encryption plus some hashing, and the size of the signature preferably is the size of the modulus. Given an ideal underlying hash function, the scheme is not only provably secure, but has security tightly related to the security of RSA. An alternative embodiment maintains all of the above features and, in addition, provides message recovery. The techniques can be extended to provide schemes for Rabin-based signatures or signatures using other trapdoor functions.

Abstract: An RSA-based signing scheme that combines essentially optimal efficiency with attractive security properties. One preferred signing routine requires one RSA decryption plus some hashing, verifications requires one RSA encryption plus some hashing, and the size of the signature preferably is the size of the modulus. Given an ideal underlying hash function, the scheme is not only provably secure, but has security tightly related to the security of RSA. An alternative embodiment maintains all of the above features and, in addition, provides message recovery. The techniques can be extended to provide schemes for Rabin-based signatures or signatures using other trapdoor functions.