Patents by Inventor Ari Juels

Ari Juels has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9280871
    Abstract: Techniques for providing authentication functionality in a gaming system are disclosed. In one aspect, a gaming system is configured such that, at a given point during a current session of a game in progress that involves at least one user previously granted access by the system to participate in the current session, information available from an authentication token associated with the user is obtained prior to allowing the user to take a particular action in the game. A determination is made as to whether or not the user will be allowed to take the particular action in the game, based on the obtained information. The obtained information may comprise, for example, at least a portion of a one-time password generated by a hardware or software authentication token.
    Type: Grant
    Filed: July 9, 2007
    Date of Patent: March 8, 2016
    Assignee: EMC Corporation
    Inventors: Daniel Vernon Bailey, Burton S. Kaliski, Jr., Ari Juels, Ronald L. Rivest
  • Patent number: 9270655
    Abstract: Configurable one-time authentication tokens are provided with improved resilience to attacks. A one-time authentication token is configured by providing a plurality of token features that may be selectively incorporated into the configurable one-time authentication token, wherein the plurality of token features comprise at least two of the features; obtaining a selection of at least a plurality of the token features; and configuring the one-time authentication token based on the selected token features, wherein the configuration must always enable forward security for the one-time authentication token and at least one additional selected token feature. A configurable one-time authentication token is provided that comprises a plurality of selectable token features that may be selectively incorporated into the configurable one-time authentication token, wherein the configurable one-time authentication token is always configured with the forward security and at least one additional token feature.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: February 23, 2016
    Assignee: EMC Corporation
    Inventors: Ari Juels, Nikolaos Triandopoulos, Marten van Dijk, John Brainard, Ronald Rivest, Kevin Bowers
  • Patent number: 9256725
    Abstract: There is disclosed a method for use in credential recovery. In one exemplary embodiment, the method comprises determining a policy that requires at least one trusted entity to verify the identity of a first entity in order to facilitate credential recovery. The method also comprises receiving at least one communication that confirms verification of the identity of the first entity by at least one trusted entity. The method further comprises permitting credential recovery based on the received verification.
    Type: Grant
    Filed: February 26, 2014
    Date of Patent: February 9, 2016
    Assignee: EMC Corporation
    Inventors: Alina Oprea, Kevin D. Bowers, Nikolaos Triandopoulos, Ting-Fang Yen, Ari Juels
  • Patent number: 9235971
    Abstract: A service window optimized system alert engine is disclosed for automated generation and delivery of alerts relating to detected conditions of a monitored system. The service window optimized system alert engine comprises a state monitor, a system configuration and history module, an alert generator, and an alert router. The state monitor is configured to send status data of the monitored system to the alert generator. The system configuration and history module provides information to the alert generator specifying an alert generation policy established for the monitored system. The alert generator is configured to process the status data from the state monitor in accordance with the alert generation policy specified by the system configuration and history module to generate at least one alert. The alert router is configured to determine optimal delivery characteristics for the generated alert and to deliver the alert in accordance with the optimal delivery characteristics.
    Type: Grant
    Filed: June 28, 2011
    Date of Patent: January 12, 2016
    Assignee: EMC Corporation
    Inventors: Ari Juels, Stephen Todd, YinKee Yee
  • Patent number: 9230092
    Abstract: A password-hardening system comprises at least first and second servers. The first server is configured to store a plurality of sets of passwords for respective users with each such set comprising at least one valid password for the corresponding user and a plurality of chaff passwords for that user. The second server is configured to generate valid password indication information indicating for each of the sets which of the passwords in that set is a valid password. The valid password indication information comprises index values computed for respective ones of the password sets by the second server to identify respective valid passwords in the respective password sets. The second server may be further configured to compute the index values utilizing a keyed pseudorandom function, and to send the index values to the first server in association with respective values of a user number counter maintained in the second server.
    Type: Grant
    Filed: September 25, 2013
    Date of Patent: January 5, 2016
    Assignee: EMC Corporation
    Inventor: Ari Juels
  • Patent number: 9230114
    Abstract: A client device or other processing device comprises a file processing module, with the file processing module being operative to provide a file to a file system for encoding, to receive from the file system a proof of correct encoding of the file, and to verify the proof of correct encoding. The file system may comprise one or more servers associated with a cloud storage provider. Advantageously, one or more illustrative embodiments allow a client device to verify that its files are stored by a cloud storage provider in encrypted form or with other appropriate protections.
    Type: Grant
    Filed: June 19, 2014
    Date of Patent: January 5, 2016
    Assignee: EMC Corporation
    Inventors: Ari Juels, Alina M. Oprea, Marten Erik van Dijk, Emil P. Stefanov
  • Patent number: 9225717
    Abstract: Methods and apparatus are provided for signing data transactions using one-time authentication passcodes. User authentication passcodes are generated by generating a time-based user authentication passcode based on a forward-secure pseudorandom number, wherein the generated time-based user authentication passcode is used for authentication of the user; and generating an event-based user authentication passcode based on a forward-secure pseudorandom number, wherein the generated event-based user authentication passcode is used to sign one or more data transactions. The generation of an event-based user authentication passcode can be performed on-demand. The generation of the event-based user authentication passcode can optionally be performed substantially simultaneously with the generation of the time-based user authentication passcode.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: December 29, 2015
    Assignee: EMC Corporation
    Inventors: John Brainard, Nikolaos Triandopoulos, Marten van Dijk, Ari Juels
  • Patent number: 9185100
    Abstract: A method includes receiving, in a first device, an access request. The method further includes measuring a motion of the first device to determine a first motion value, performing a pairing protocol with a second device, and granting the access request responsive to a successful pairing in accordance with the pairing protocol. The pairing protocol comprises a cryptographic commitment process. The successful pairing is based at least in part on a determination that a second motion value supplied by the second device substantially matches the first motion value. The cryptographic commitment process comprises sending a committed first motion value to the second device prior to receiving the second motion value from the second device.
    Type: Grant
    Filed: December 20, 2013
    Date of Patent: November 10, 2015
    Assignee: EMC Corporation
    Inventor: Ari Juels
  • Patent number: 9160539
    Abstract: Methods and apparatus are provided for secure transmission of alert messages over a message locking channel. An alert message is transmitted from a Security Alerting System indicating a potential compromise of a protected resource by obtaining the alert message from the Security Alerting System; authenticating the alert message using a secret key known by a server, wherein the secret key evolves in a forward-secure manner; storing the authenticated alert message in a buffer; and transmitting the buffer to the server. The alert message is authenticated by digitally signing the alert message or applying a message authentication code and is possibly encrypted using a secret key known by a server, wherein the secret key evolves in a forward-secure manner. The authenticated alert message can be maintained in the buffer after the transmitting step. The buffer optionally has a fixed size and alert messages can be stored in a round-robin manner, for example, from a random position.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: October 13, 2015
    Assignee: EMC Corporation
    Inventors: Ari Juels, Nikolaos Triandopoulos, Kevin Bowers, Catherine Hart
  • Patent number: 9154481
    Abstract: Methods, apparatus and articles of manufacture for decrypting a protected resource on a cryptographic device are provided herein. A method includes decrypting encoded information under a first cryptographic key to access a protected resource, wherein the first cryptographic key is read from a first cryptographic device subsequent to authenticating to the first cryptographic device using a first authentication key, randomly selecting a second cryptographic key, encrypting the protected resource under the second cryptographic key, and writing the second cryptographic key onto the first cryptographic device subsequent to authenticating to the first cryptographic device.
    Type: Grant
    Filed: December 13, 2012
    Date of Patent: October 6, 2015
    Assignee: EMC Corporation
    Inventors: Ari Juels, Guoying Luo
  • Patent number: 9154496
    Abstract: A password-hardening system comprises at least first and second servers. The first server is configured to store a plurality of sets of passwords for respective users with each such set comprising at least one valid password for the corresponding user and a plurality of chaff passwords for that user. The second server is configured to store at least a portion of valid password indication information indicating for each of the sets which of the passwords in that set is a valid password. The first and second servers are further configured to proactively update the sets of passwords and the valid password indication information in each of a plurality of epochs. The valid password indication information may comprise, for example, valid password index values for respective ones of the users, with the index values being stored as a shared secret across the first and second servers.
    Type: Grant
    Filed: September 25, 2013
    Date of Patent: October 6, 2015
    Assignee: EMC Corporation
    Inventor: Ari Juels
  • Patent number: 9154480
    Abstract: In conjunction with a registration mode of operation, a first cryptographic device in one embodiment sends challenges to a second cryptographic device comprising a symmetric-key cryptographic module or other key-based cryptographic module that utilizes one or more secret keys. The first cryptographic device receives from the second cryptographic device responses to respective ones of the challenges, and stores information characterizing the responses. In conjunction with an authentication mode of operation, the first cryptographic device sends a selected one of the challenges to the second cryptographic device, receives from the second cryptographic device a response to the selected challenge, and authenticates the second cryptographic device utilizing the response to the selected challenge and the stored information.
    Type: Grant
    Filed: December 12, 2012
    Date of Patent: October 6, 2015
    Assignee: EMC Corporation
    Inventor: Ari Juels
  • Patent number: 9137012
    Abstract: A first processing device, which may be, for example, a wireless authentication token or an RFID tag, transmits information in a wireless network in a manner that emulates standard communications of an access point of the wireless network, although the first processing device is not configured to operate as an actual access point of the wireless network. A second processing device, which may be, for example, a computer or other station of the wireless network, receives the transmitted information and is able to determine therefrom that the information originates from an emulated access point rather than an actual access point. The second processing device responds to this condition by utilizing the transmitted information in a manner distinct from its utilization of similar information received from the actual access point of the wireless network.
    Type: Grant
    Filed: February 5, 2007
    Date of Patent: September 15, 2015
    Assignee: EMC Corporation
    Inventors: Daniel Vernon Bailey, John G. Brainard, Ari Juels, Burton S. Kaliski, Jr.
  • Patent number: 9128739
    Abstract: A method includes the step of running a set of instances on at least one cloud for a first time interval, each of the instances comprising a bundle of virtualized resources. The method also includes the step of evaluating one or more performance characteristics of each of the instances in the set of instances over the first time interval. The method further includes the step of determining a first subset of the set of instances to maintain for a second time interval and a second subset of the set of instances to terminate for the second time interval responsive to the evaluating step. The steps are performed by at least one processing device comprising a processor coupled to a memory.
    Type: Grant
    Filed: December 31, 2012
    Date of Patent: September 8, 2015
    Assignee: EMC Corporation
    Inventors: Ari Juels, Kevin D. Bowers, Benjamin Farley, Venkatanathan Varadarajan, Thomas Ristenpart, Michael M. Swift
  • Publication number: 20150242616
    Abstract: There is disclosed a method for use in credential recovery. In one exemplary embodiment, the method comprises determining a policy that requires at least one trusted entity to verify the identity of a first entity in order to facilitate credential recovery. The method also comprises receiving at least one communication that confirms verification of the identity of the first entity by at least one trusted entity. The method further comprises permitting credential recovery based on the received verification.
    Type: Application
    Filed: February 26, 2014
    Publication date: August 27, 2015
    Inventors: Alina Oprea, Kevin D. Bowers, Nikolaos Triandopoulos, Ting-Fang Yen, Ari Juels
  • Patent number: 9118661
    Abstract: Methods and apparatus are provided for authenticating a user using multi-server one-time passcode verification. A user is authenticated by receiving authentication information from the user; and authenticating the user based on the received authentication information using at least two authentication servers, wherein the received authentication information is based on a secret shared between a security token associated with the user and an authentication authority that provides the at least two authentication servers. For example, the authentication information can comprise a passcode comprised of a tokencode from the security token and a password from the user. The user can be authenticated only if, for example, all of the at least two authentication servers authenticate the received authentication information.
    Type: Grant
    Filed: February 24, 2012
    Date of Patent: August 25, 2015
    Assignee: EMC Corporation
    Inventors: Ari Juels, Nikolaos Triandopoulos, Marten Erik van Dijk
  • Patent number: 9083515
    Abstract: Methods and apparatus are provided for generation of forward secure pseudorandom numbers that are resilient to such forward clock attacks. A forward secure pseudorandom number is generated by obtaining a first state si corresponding to a current leaf node ?i in a hierarchical tree, wherein the current leaf ?i produces a first pseudorandom number ri−1; updating the first state si to a second state si+t corresponding to a second leaf node ?i+t; and computing a second pseudorandom number ri+t−1 corresponding to the second leaf node ?i+t, wherein the second pseudorandom number ri+t−1 is based on a forward clock reset index that identifies an instance of the hierarchical tree, wherein the instance of the hierarchical tree is incremented when one or more criteria indicating a forward clock attack are detected. The forward clock reset index can be encoded in a forward secure manner in the hierarchical tree.
    Type: Grant
    Filed: December 27, 2012
    Date of Patent: July 14, 2015
    Assignee: EMC Corporation
    Inventors: Marten van Dijk, Nikolaos Triandopoulos, Ari Juels, Ronald Rivest
  • Patent number: 9043890
    Abstract: An authentication system including a first server configured to store identifiers of respective users in association with respective pseudonyms, and a second server configured to store templates of the respective users in association with the respective pseudonyms. Input is received from a given user in conjunction with an authentication attempt. The first server is configured to determine if a first portion of the received input is associated with one of the user identifiers stored in the first server. If the first portion of the received input is associated with one of the user identifiers stored in the first server, the corresponding pseudonym is provided from the first server to the second server. The given user is authenticated based on a determination as to whether or not a second portion of the received input matches one of the stored user templates corresponding to the pseudonym provided to the second server.
    Type: Grant
    Filed: May 30, 2013
    Date of Patent: May 26, 2015
    Assignee: EMC Corporation
    Inventors: Guoying Luo, Ari Juels
  • Patent number: 9037858
    Abstract: An authentication system comprises multiple servers and a controller coupled to or otherwise associated with the servers. The controller is configured to control storage in the servers of respective chaff sets or other types of value sets, each including at least one secret value obscured within a distinct arrangement of other values. Each of the servers comprises a local verifier configured to generate an indication as to whether or not a received input value corresponds to one of the values in its value set. The controller comprises a global verifier configured to authenticate the received input value based on the indications generated by at least a subset of the servers. By way of example, the secret value may comprise a common value which is the same for all of the value sets, with the value sets otherwise including distinct values such that their intersection yields only the common value.
    Type: Grant
    Filed: March 12, 2013
    Date of Patent: May 19, 2015
    Assignee: EMC Corporation
    Inventors: Ari Juels, Sandra Carielli, Kevin D. Bowers, Guoying Luo
  • Patent number: 9032212
    Abstract: In one embodiment, a set of servers generates at least one challenge that is sent to a client. The servers receive from the client a response that includes a message generated as a function of the challenge. The response also includes a digital signature computed on the message using a secret key of a key pair generated for a current epoch. The client is authenticated based on indications from respective ones of the servers as to whether or not the received response is accepted as valid by that server. Other embodiments involve interaction between a set of servers and a relying party in authenticating a passcode, password or other information received from a client. The client in some embodiments may comprise a connected authentication token or other type of hardware or software authentication token.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: May 12, 2015
    Assignee: EMC Corporation
    Inventor: Ari Juels