Abstract: A method and apparatus for utilizing a token which is preferably a "dumb token" to provide secure access by authorized users to a selected resource. The token stores a secret user code in machine readable form, which code is read by a token processor. The token processor also receives a time-varying value and an algorithm, both of which may be stored or generated at either the token or the token processor and preferably a secret personal identification code which may be inputted at the token, but is preferably inputted at the token processor. The secret user code, time-varying value and secret personal identification code are then algorithmically combined by the algorithm, preferably in the token processor, to generate a one-time nonpredictable code which is transmitted to a host processor. The host processor utilizes the received one-time nonpredictable code to determine if the user is authorized access to the resource and grants access to the resource if the user is determined to be authorized.
Abstract: A method and apparatus are provided for enhancing security for a private key or other multibit secure token code stored in a token by (a) assuring that the secure token code is not stored in the token except for short intervals when the token is actually in use by an authorized user and (b) by assuring that the secure token code cannot be obtained from the token except by an authorized user. This is accomplished by algorithmically combining a PIN or other secret code memorized by the user with the secure token code, either in the token or at a suitable terminal, to generate a meaningless multibit sequence/token secret which is stored in the token. The multibit sequence stored in the token is selected such that when it is algorithmically combined with the secret memorized code known only to the user, either in the token or at a terminal, it produces the private key or other secure token code.
Abstract: A method and apparatus for the integrated compression and encryption (concryption) of clear data and for the deconcryption of concrypted data to obtain the clear data for utilization. For concryption, the clear data and an encryption key are obtained, at least one compression step is performed and at least one encryption step is performed utilizing the encryption key. The encryption step is preferably performed on the final or intermediate results of a compression step, with compression being a multistep operation. For deconcryption, decompression and deencryption steps are performed on concrypted data in essentially the reverse order for the performance of corresponding compression and encryption steps during the concryption operation.
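The abstract above leaves the compression and encryption algorithms open. As an added example (not the patent's own method, and not code from any implementation it describes), the following Python sketch performs compression before encryption and then the reverse order on the way back. Everything in it is assumed for illustration: zlib as the compression step, a keystream built from HMAC-SHA256 in counter mode as the encryption step, and an HMAC tag over the ciphertext for integrity; it is a demonstration of the ordering, not a production cipher. The `compress_after_encrypt_size` helper is included to show why the order matters: ciphertext from a sound cipher has no redundancy left for a compressor to remove.

```python
"""Constructed demonstration of compress-then-encrypt ("concryption") and its
inverse.  The keystream construction is illustrative only (standard library
HMAC-SHA256 in counter mode), not a recommended cipher."""
import hashlib
import hmac
import os
import zlib

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes):
    # Separate encryption and integrity keys derived from the one supplied key.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def concrypt(clear: bytes, key: bytes) -> bytes:
    """Compression step first, then the encryption step on its output."""
    enc_key, mac_key = _subkeys(key)
    compressed = zlib.compress(clear, 9)
    nonce = os.urandom(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(compressed, _keystream(enc_key, nonce, len(compressed))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def deconcrypt(blob: bytes, key: bytes) -> bytes:
    """Reverse order: check integrity, decrypt, then decompress."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    compressed = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))
    return zlib.decompress(compressed)


def compress_after_encrypt_size(clear: bytes, key: bytes) -> tuple:
    """Sizes when the steps are done in the wrong order: encrypt the clear
    data first, then try to compress the ciphertext.  Returns
    (ciphertext_len, compressed_ciphertext_len); the second is not smaller."""
    enc_key, _ = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(a ^ b for a, b in zip(clear, _keystream(enc_key, nonce, len(clear))))
    return len(ciphertext), len(zlib.compress(ciphertext, 9))


if __name__ == "__main__":
    key = b"constructed-demo-key"
    clear = b"the same line repeated " * 40   # constructed, highly redundant input
    blob = concrypt(clear, key)
    print(len(clear), len(blob), deconcrypt(blob, key) == clear)
    print(compress_after_encrypt_size(clear, key))
```

The integrity tag is checked before any decryption or decompression so that a tampered blob is rejected without feeding attacker-controlled bytes to the decompressor.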
Abstract: A method and apparatus are provided for verifying the identity of a system user. Each user has a token which processes an inputted seed to generate a stored value which is either a current seed value or a function thereof. This value is then changed to generate a new current seed in response to each of a plurality of selectively generated trigger signals. The stored current seed or a selected function thereof is outputted, for example by being displayed on the token, and is received and inputted into a host verification unit. This unit either has or generates the current seed value (and the outputted function thereof where required) for the user, the user being indicated by an input also provided to the host with the token output, and compares the received and generated seed function values to verify the user.
Abstract: An integrated network security system is provided which permits log-on to a normally locked client on the network in response to at least one coded non-public input to the client by a user. At least a selected portion of the coded input is encrypted and sent to a network server where the user is authenticated. After authentication, the server preferably returns a decryption key, an encryption key for future use and any critical files previously stored at the server to the client. The decryption key is utilized to decrypt any material at the client which was encrypted when the client was locked, including any material sent from the server, thereby unlocking the client. The decryption key may be combined with untransmitted portions of the original coded input in a variety of ways to generate an encryption key for the next time the terminal is to be locked.
Abstract: A method and apparatus for providing improved security for a personal identification number (PIN) in a personal identification and verification system of the type wherein a time dependent nonpredictable code is generated at a device in the possession of the individual, which code is unique to the individual and this code is communicated to, and compared with a nonpredictable code generated at a central verification computer. In this system, the PIN is mixed with the nonpredictable code before transmission of these values to the central verification computer. A nonsecret code is previously transmitted to the central verification computer and is used to retrieve the PIN and the appropriate nonpredictable code for the user. These values are used to strip the PIN from the transmitted nonpredictable code and the stripped PIN and remaining nonpredictable code are compared with the corresponding retrieved values in order to determine verification.
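The first, second and sixth abstracts describe three pieces of one design: a secret code on the token combined with a time-varying value to give a one-time nonpredictable code, a PIN mixed into that code so the host can strip it again, and a token that stores only a PIN-masked version of its secret. The Python below is an added example of how those pieces fit together; it is not the patents' algorithm and not code from any product. Every concrete choice is assumed: HMAC-SHA256 over the time step as the nonpredictable code, digit-wise addition modulo 10 as the reversible PIN mixing, XOR with a PBKDF2-derived pad as the masking, a 60-second step, an 8-digit code, and a constructed host record `HOST_DB` keyed by a nonsecret user code. The host also records the last accepted time step so an intercepted code cannot be replayed.

```python
"""Constructed demonstration: PIN-masked token secret, time-varying
nonpredictable code, PIN mixing, and host-side verification."""
import hashlib
import hmac
import struct

DIGITS = 8            # assumed length of the transmitted code
STEP_SECONDS = 60     # assumed interval of the time-varying value
SALT = b"constructed-salt"  # constructed; a real design would use a per-token salt

# Constructed host records keyed by the nonsecret user code.
HOST_DB = {
    "user-0001": {"secret": bytes(range(32)), "pin": "4711", "last_step": -1},
}


def mask_secret(token_secret: bytes, pin: str) -> bytes:
    """XOR the secret with a PIN-derived pad.  The token stores only the
    result; calling this again with the same PIN recovers the secret."""
    pad = hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 100_000, len(token_secret))
    return bytes(a ^ b for a, b in zip(token_secret, pad))


def nonpredictable_code(token_secret: bytes, time_step: int) -> str:
    """Secret and time-varying value combined by a keyed hash, truncated to DIGITS."""
    digest = hmac.new(token_secret, struct.pack(">Q", time_step), hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % 10 ** DIGITS).zfill(DIGITS)


def mix_pin(code: str, pin: str) -> str:
    """Reversible mixing: digit-wise addition modulo 10 (constructed choice)."""
    pin = pin.zfill(len(code))
    return "".join(str((int(c) + int(p)) % 10) for c, p in zip(code, pin))


def strip_pin(mixed: str, pin: str) -> str:
    """Inverse of mix_pin, used by the host once it has looked up the PIN."""
    pin = pin.zfill(len(mixed))
    return "".join(str((int(c) - int(p)) % 10) for c, p in zip(mixed, pin))


def token_generate(stored_masked: bytes, pin: str, now: int) -> str:
    """Token side: unmask the secret only while in use, then emit the mixed code."""
    secret = mask_secret(stored_masked, pin)
    code = nonpredictable_code(secret, now // STEP_SECONDS)
    return mix_pin(code, pin)


def host_verify(user_id: str, received: str, now: int, window: int = 1) -> bool:
    """Host side: retrieve PIN and secret by the nonsecret user code, strip the
    PIN, and compare against the expected codes for nearby time steps.
    A step at or before the last accepted one is refused (one-time use)."""
    record = HOST_DB.get(user_id)
    if record is None or len(received) != DIGITS or not received.isdigit():
        return False
    candidate = strip_pin(received, record["pin"])
    step = now // STEP_SECONDS
    for delta in range(-window, window + 1):
        s = step + delta
        if s <= record["last_step"]:
            continue
        if hmac.compare_digest(candidate, nonpredictable_code(record["secret"], s)):
            record["last_step"] = s
            return True
    return False


if __name__ == "__main__":
    now = 1_700_000_000
    masked = mask_secret(HOST_DB["user-0001"]["secret"], "4711")   # provisioning
    sent = token_generate(masked, "4711", now)
    print(host_verify("user-0001", sent, now))                      # accepted
    print(host_verify("user-0001", sent, now))                      # replay refused
    print(host_verify("user-0001", token_generate(masked, "0000", now), now))  # wrong PIN
```

Note that a wrong PIN fails twice over: it unmasks the stored value to the wrong secret, and the host strips the correct PIN from a value that was mixed with a different one.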
Abstract: A method and apparatus for performing personal identification and/or verification at predetermined stations or checkpoints is provided. Each person to be identified has a unit such as a card, badge or other token or device which stores a predetermined coded value, at least a predetermined portion of which is changed at selected time intervals in accordance with an algorithm, the algorithm being such that the value of the predetermined portion of the stored coded value at any given time is nonpredictable. The unit has a triggering signal generator, the unit being responsive to the triggering signal to present an indication of the current stored coded value to the station, the station responding to the predetermined coded value for identifying the person. Triggering may be in response to detection of a predetermined beacon from the station, in response to a user keypad input or may be periodically generated.