Abstract: A party can authenticate itself by interacting with multiple servers without revealing the shared secret to any of the involved parties. The stored shared secret is strengthened and broken into shares and saved on the servers. The shared secret is safe against offline brute force attack unless all servers where the shares are stored are compromised. The compromise of any single server, or multiple servers—but less than the maximum number—will not allow the attacker to do a brute force analysis on the shared secret. This back end security enhancement is suitable for probabilistic front end authentication algorithms.

Abstract: An interactive method for authentication is based on two shared secrets, both shared secrets in the form of an ordered path on the frame of reference. An instance of the frame of reference comprises a set of characters which is arranged in a random or other irregular pattern. The first step of authentication that a user performs requires the user to remember one or all of the characters in the displayed instance of the frame of reference found in the locations in the random subset of the first ordered path by indicating characters either in these locations, or any other locations having the same characters. The second step of authentication requires that a user enter the position of the second ordered path, which only they know during an authentication session, where the challenge identifying the position of the ordered path is the single or multiple values that matches the value of the digital content of the frame of reference.

Abstract: An interactive method for authentication is based on a shared secret which is in the form of an enumerated pattern of fields on a frame of reference. An instance of the frame of reference comprises an array of characters in which the characters are arranged in a random or other irregular pattern on a grid of content fields. An authentication challenge includes characters from the character set, and is delivered in- or out-of-band. The authentication response includes the enumerated position numbers on the enumerated pattern of the field locations on the grid at which the challenge characters are found.

Abstract: Two parties can establish a cryptographic key using a matrix based key exchange protocol, for secure communications without any prior distribution of secret keys or other secret data, and without revealing said key to any third party who may have access to all of the transmissions between them. The two parties use a shared secret to produce a common matrix M. The common matrix M, is multiplied by a random matrix K on the sending side, and a different random matrix N on the receiving side. The matrix product KM is sent from the sending side to the receiving side, and the matrix product MN is sent from the receiving side to the sending side. Both sides produce the common matrix product KMN, and use it for producing a symmetric key for encrypted communications, after mutually authenticating one another over an insecure network.

Abstract: A method to authenticate a server to a client is provided, including in-band and out-of-band techniques. At least a first shared secret identifies a server path, including a plurality of pre-defined locations on a frame of reference (e.g. a grid). An authentication session is initiated upon receiving a client identifier at the server-side resources. A current session instance of the grid is presented to the client, populated with characters. The process includes sharing between the client and the server a challenge identifying a random subset of the plurality of predefined locations in the server path, and a response including characters that match the characters in the locations on the server path identified by the challenge. As a result, client is capable of verifying that the server has access to the first shared secret. Then a protocol is executed to authenticate the client to the server.

Abstract: Two parties can establish a cryptographic key using a matrix based key exchange protocol, for secure communications without any prior distribution of secret keys or other secret data, and without revealing said key to any third party who may have access to all of the transmissions between them. A common matrix M, shared in advance, is multiplied by a random matrix K on the sending side, and a different random matrix N on the receiving side. The matrix product KM is sent from the sending side to the receiving side, and the matrix product MN is sent from the receiving side to the sending side. Both sides produce the common matrix product KMN, and use it for producing a symmetric key for encrypted communications.

Abstract: Two parties can establish a cryptographic key using a matrix based key exchange protocol, for secure communications without any prior distribution of secret keys or other secret data, and without revealing said key to any third party who may have access to all of the transmissions between them. The two parties use a shared secret to produce a common matrix M. The common matrix M, is multiplied by a random matrix K on the sending side, and a different random matrix N on the receiving side. The matrix product KM is sent from the sending side to the receiving side, and the matrix product MN is sent from the receiving side to the sending side. Both sides produce the common matrix product KMN, and use it for producing a symmetric key for encrypted communications, after mutually authenticating one another over an insecure network.

Abstract: Two parties can establish a cryptographic key using a matrix based key exchange protocol, for secure communications without any prior distribution of secret keys or other secret data, and without revealing said key to any third party who may have access to all of the transmissions between them. A common matrix M, shared in advance, is multiplied by a random matrix K on the sending side, and a different random matrix N on the receiving side. The matrix product KM is sent from the sending side to the receiving side, and the matrix product MN is sent from the receiving side to the sending side. Both sides produce the common matrix product KMN, and use it for producing a symmetric key for encrypted communications.

Abstract: Random partial shared secret recognition is combined with using more than one communication channel between server-side resources and two logical or physical client-side data processing machines. After a first security tier, a first communication channel is opened to a first data processing machine on the client side. The session proceeds by delivering an authentication challenge, identifying a random subset of an authentication credential, to a second data processing machine on the client side using a second communication channel. Next, the user enters an authentication response in the first data processing machine, based on a random subset of the authentication credential. The authentication response is returned to the server side on the first communication channel for matching. The authentication credential can be a one-session-only credential delivered to the user for one session, or a static credential used many times.

Abstract: A method to authenticate a server to a client is provided, including in-band and out-of-band techniques. At least a first shared secret identifies a server path, including a plurality of pre-defined locations on a frame of reference (e.g. a grid). An authentication session is initiated upon receiving a client identifier at the server-side resources. A current session instance of the grid is presented to the client, populated with characters. The process includes sharing between the client and the server a challenge identifying a random subset of the plurality of predefined locations in the server path, and a response including characters that match the characters in the locations on the server path identified by the challenge. As a result, client is capable of verifying that the server has access to the first shared secret. Then a protocol is executed to authenticate the client to the server.

Abstract: The present invention includes devices and methods for enabling private and secure data collection by profile servers relating to users that are associated with a profiling user in a social networking system. Particular aspects of the present invention are described in the claims, specification and drawings.

Abstract: A server executes a protocol that automates transactions involving a customer and a merchant agreeing to trade money in the customer's account for goods or services available from the merchant. The protocol protects personal identifying information of the customer from disclosure to the merchant, and protects all parties from repudiation of the specific transaction. The protocol defines a pre-authenticated form of the specific transaction; obtains authorization from the customer and the merchant to commit on their behalf to the pre-authenticated transaction; and obtains authorization from the bank to commit resources for settlement with the merchant. After obtaining authorizations, a transaction clearance code is generated completing a record of the pre-authenticated transaction for non-repudiation, for proof of a right to receive settlement from the third party and for proof of a right to receive the goods or services from the merchant.

Abstract: An interactive method for authentication is based on two shared secrets, including a first shared secret in the form of an ordered path on the frame of reference, and a second shared secret in the form of locations on the frame of reference at which characters identifying a subset of the ordered path are to be displayed. An instance of the frame of reference comprises a set of characters which is arranged in a random or other irregular pattern. Authentication requires that a user enter the characters in the displayed instance of the frame of reference found in the locations in the random subset of the ordered path by indicating characters either in these locations, or any other locations having the same characters. Thus, a secret challenge identifying the random partial subset is embedded within the displayed instance of the graphical representation of the frame of reference.

Abstract: Financial institution back office computerized transaction-processing system with embedded privacy and security layer (EPSL) enables strong transaction authentication prior to a merchant or vendor contact, based on a user account number, transaction conditions like anticipated transaction time and money, user two-factor authentication with a static transaction PIN and a transaction session-specific random partial password or PIN recognition algorithm. User enters the user name and then, challenged by server with a random session-specific subset of a password or PIN character's consecutive position numbers, enters based on cognitive association a one time authentication response. The authentication session is interactive, transaction session-specific, and followed by either a transaction denial or an alphanumeric transaction signature generated by EPSL for this specific transaction. Then, the user submits her request to a transaction counterpart along with the transaction signature.

Abstract: An interactive client-server authentication system and method are based on Random Partial Pattern Recognition algorithm (RPPR). In RPPR, an ordered set of data fields is stored for a client to be authenticated in secure memory. An authentication server presents a clue to the client via a communication medium, such positions in the ordered set of a random subset of data fields from the ordered set. The client enters input data in multiple fields according to the clue, and the server accepts the input data from the client via a data communication medium. The input data corresponds to the field contents for the data fields at the identified positions of the random subset of data fields. The server then determines whether the input data matches the field contents of corresponding data fields in a random subset.

Abstract: An interactive mutual authentication protocol, which does not allow shared secrets to pass through untrusted communication media, integrates an encryption key management system into the authentication protocol. The server provides ephemeral encryption keys in response to a request during a Session Random Key (SRK) initiation interval. SRK is provided for all sessions initiated in the SRK initiation interval. A set of ephemeral intermediate Data Random Keys (DRK) is associated with each request. A message carrying the SRK is sent to the requestor. A response from the requester includes a shared parameter encrypted using the SRK verifying receipt of the SRK. After verifying receipt of the SRK at the requester, at least one message is sent by the server carrying an encrypted version of one of said set of ephemeral intermediate DRK to be accepted as an encryption key for the session.

Abstract: A system for authentication of a client includes logic supporting a “what user knows” algorithm for authentication of a client, such as a random partial pattern recognition algorithm, based upon client credentials including an account user name and an account authentication code. Logic supporting client account administration is operable without human intervention on the server side, and includes at least one mode of operation that presents an interface to a client via the data network having at least two tiers of security based on input by the client of secret information shared only between the client and the server. A first tier in said at least two tiers requires entry of one of the account user name and user's email address, and a second tier in the at least two tiers requires entry of one of client profile data sufficient to identify the client and at least a subset of said account authentication code.

Abstract: An interactive mutual authentication protocol, which does not allow shared secrets to pass through untrusted communication media, integrates an encryption key management system into the authentication protocol, so that key management becomes an essential part of the authentication protocol itself. The system provides a secure distribution of a secret session random key used in symmetric cryptography. Successful exchange of this encryption key allows for secure transit of the protocol data over communication lines in encrypted form, permitting explicit mutual authentication of the connected parties. The post-authentication stage of the communication session can use secure encryption for the data exchange, since each party has already obtained the secret session random key.

Abstract: A clocked authentication, authorization and accounting (CAAA) system and method offers private and secure credit/debit card online and offline financial transactions (FT) including an embedded privacy and security layer (EPSL) architecture. EPSL includes an authentication stage prior to the authorization stage that is automated and enabled through a back office, and enhanced by associating the authentication stage with projected timing, security and accounting parameters. It enables legal financial account holders to perform buy/sell or withdraw/deposit transactions without disclosing private personal information to the transaction counterparts, while preserving highly elevated and enhanced security and fraud protection as compared with conventional methods. The CAAA method enables efficient mass user EPSL implementation at back offices utilizing high frequency synchronized global clocking of EPSL logic blocks.

Abstract: Random partial shared secret recognition is combined with using more than one communication channel between server-side resources and two logical or physical client-side data processing machines. After a first security tier, a first communication channel is opened to a first data processing machine on the client side. The session proceeds by delivering an authentication challenge, identifying a random subset of an authentication credential, to a second data processing machine on the client side using a second communication channel. Next, the user enters an authentication response in the first data processing machine, based on a random subset of the authentication credential. The authentication response is returned to the server side on the first communication channel for matching. The authentication credential can be a one-session-only credential delivered to the user for one session, or a static credential used many times.