Abstract: A user has two asymmetric crypto-keys, the first having a first private key and the second having a second private key, both of which are split into a first private key portion corresponding to a password of the user and to a computation. However, the computation of the first private key portion of the first and the second private keys have different levels of complexity. First and second messages from the user encrypted with the first private key portion of, respectively, the first private key and the second private key, are received centrally. A second private key portion of, respectively, the first private key and the second private key is applied to the received first and the received second messages, as applicable, to authenticate the user at, respectively, a first level of authentication security and a second level of authentication security which is greater than the first level.

Abstract: A first network station encrypts a first message with a first key portion from a first split of a private or public key of a user's asymmetric crypto-key and transmits it during a network session. The second network station decrypts the transmitted encrypted first message with a second key portion from the first split of the one key of the asymmetric crypto-key to initially authenticate the user for access, during the session, to store information. The first network station also encrypts a second message with another first key portion from a second split of that one key, and subsequently transmits it during the same network session. The second network station decrypts the subsequently transmitted encrypted second message with another second key portion from the second split of that same one key to subsequently authenticate the user for access, during the same session, to other stored_information.

Abstract: A processor generates an asymmetric crypto-key, such as an RSA crypto-key, which is associated with the user and includes a private key and a public key. It computes a first key portion based on a stored random number generation function, which has one or more constants such as a salt and/or iteration count, and a first value of a constant, and a second key portion based on the computed first key portion and one of the private key and the public key. It additionally computes another first key portion based on the stored random number generation function and a second value of that constant, and another second key portion based on the computed other first key portion and the one key. The computed first and second key portions and the computed other first and second key portions form first and second splits of the one key of the asymmetric crypto-key.

Abstract: A system for securing information, includes a processor and storage device. The storage device stores information encrypted with one of a first private rolling key and a first public rolling key of an a first asymmetric rolling crypto-key, along with the one first rolling key. The processor has the logic to direct transmission, via a network, of proof of knowledge of the stored one first rolling key to authenticate a user, and of a request for the other of the first private rolling key and the first public rolling key. The processor receives the other first rolling key via the network, responsive to the directed transmission. The processor then decrypts the stored encrypted information with the received other first rolling key, and generates a second asymmetric rolling crypto-key having a second private rolling key and a second public rolling key. The processor encrypts the information with one of the second private rolling key and the second public rolling key.

Abstract: Techniques for authentication are provided. A first authentication request transformed with a private portion of a first type split private key is received. A first user is authenticated for a first level of network access based upon the first request being transformed with the first type of split private key. A second authentication request that is transformed with a private portion of a second type private key is also received. A second user is authenticated for a second level of network access based upon the second request being transformed with the second type of split private key.

Abstract: A method and system for generating asymmetric crypto-keys usable by network users to transform messages is provided. The system includes a first network station associated with a user, a second network station associated with a trusted entity, and a third network station associated with a sponsor. The trusted entity authorizes the sponsor to generate the asymmetric crypto-key. The sponsor generates a symmetric crypto-key and associated user identification. The sponsor both stores the generated symmetric crypto-key and the associated user identification and transmits the symmetric crypto-key and the associated user identification to the trusted entity. The trusted entity then distributes the symmetric crypto-key and user identification to the user. The user then presents the user identification to the sponsor. The sponsor then generates a challenge and transforms the challenge with the stored symmetric crypto-key. The sponsor transmits the transformed challenge to the user.

Abstract: A user has two asymmetric crypto-keys, the first having a first private key and the second having a second private key, both of which are split into a first private key portion corresponding to a password of the user and to a computation. However, the computation of the first private key portion of the first and the second private keys have different levels of complexity. First and second messages from the user encrypted with the first private key portion of, respectively, the first private key and the second private key, are received centrally. A second private key portion of, respectively, the first private key and the second private key is applied to the received first and the received second messages, as applicable, to authenticate the user at, respectively, a first level of authentication security and a second level of authentication security which is greater than the first level.

Abstract: Techniques for user authentication based upon an asymmetric key pair having a public key and a split private key are provided. A first portion of the split private key is generated based upon multiple factors under control of the user. The factors include a password. A challenge is cryptographically combined with a first one of the multiple factors, but not the user password, to form a first message. The first message is transformed with the generated first portion to form a second message, which is then sent to an authentication entity. The sent second message is transformed to authenticate the user by proving direct verification of user control of the first factor.

Abstract: Techniques for securing an asymmetric crypto-key having a public key and a split private key with multiple private portions are provided. A first one of multiple factors is stored. All of the factors are under the control of a user and all are required to generate a first private portion of the split private key. The first private portion not stored in a persistent state. A second private portion of the split private key under control of an entity other than the user is also stored. The first private portion and the second private portion are combinable to form a complete private portion.

Abstract: Techniques for generating a private portion of a split private key of an asymmetric key pair are provided. Multiple factors upon which the private portion of the split private key is based are received. Each of these multiple factors is under control of a user associated with the asymmetric key pair. Multiple cryptographic operations are then performed using the received multiple factors to generate the private portion.

Abstract: Techniques for providing different levels of access based upon a same authentication factor are provided. A first message is received that is transformed with a first portion of a split private key, the first portion based upon a user password and another factor, and the split private key associated with an asymmetric key pair having a public key and the split private key. The user is authenticated for a first level of network access based upon the received first message being transformed with the first portion. A second message is received that is transformed with a second portion of the split private key, the second portion based upon the password only and not combinable with the first portion to complete the split private key. The user is authenticated for a second level of network access different that the first level based upon the received second message being transformed with the second portion.

Abstract: Techniques for generating a multi-factor asymmetric key pair having a public key and split private key with multiple private portions, at least one of the multiple portions being a multiple factor private key portion, are provided. First and second asymmetric key pairs are generated, each having a private key and a public key. A text string and the first private key are cryptographically combined to make a first private key portion of the split private key. This first private key portion is a multiple factor private key portion. A second private key portion of the split private key is generated based upon the generated first private key portion and the second private key.

Abstract: Techniques for generating a portion of a split private key are provided. A first symmetric key and a second symmetric key different than the first symmetric key are generated at a first location. The generated second symmetric key and a first one of multiple factors for generating the private key portion encrypted with the generated first symmetric key are transmitted. Then, at a second network location, the symmetric keys are again generated. The encrypted first factor is received at the second network location subsequent to a user authentication based upon the second symmetric key generated at the second network location. The received encrypted first factor is then decrypted with the first symmetric key generated at the second network location, the decrypted first factor usable to generate the portion of the split private key of the asymmetric key pair.

Abstract: A system for authentication of a crypto-system user by the use of both symmetric and asymmetric crypto-keys is provided. A first network station, representing the user, transmits a first request for authentication to a second network station. The second station generates a shared symmetric crypto-key, encrypts it and forwards it to both the first station and a third network station. The third station encrypts the received shared symmetric crypto-key and forwards it to the first network station. The first network station combines the two instances of the received and encrypted shared symmetric crypto-key, decrypts the combined symmetric crypto-key to recover shared symmetric crypto-key, encrypts a second authentication request with the recovered shared symmetric crypto-key, and transmits the encrypted authentication request to authenticate the first station.

Abstract: A system for authentication of network users which is operable in multiple modes, includes a plurality of user network stations and at least one sponsor network station representing a sponsor. Each network station represents a user associated with an asymmetric crypto-key having either a first or second number of private portions, the second number being greater than the first number. The one or more sponsor network stations receive authentication requests from the user network stations, determine the identity of a user associated with each of the received authentication requests, select from two or more available modes of operation based upon the determined identity. If operation in one mode is selected, the sponsor network station signs a particular received authentication request using one private portion of an asymmetric crypto-key having a first number of private portions.

Abstract: A system for accessing multiple different network stations without entry of a password is provided. The password is obtainable by use of a portion of an asymmetric crypto-key. A first station, representing any network entity, transmits an authentication request of a user seeking access. A second station, representing the user, forwards the request and user identity information to a third station. The third station, representing a sponsor, matches the transmitted identity information with stored identity information, generates a certificate, and transmits the certificate. The second station further transmits the certificate to the first station.

Abstract: A communications network is provided for securing communications and updating user identity information. A symmetric crypto-key, an asymmetric crypto-key having first and second private key portions and a public key portion, and a certificate are utilized. A first network station, representing any network entity, transmits a user authentication request. A second network station, representing the user, forwards, either jointly or separately, the request and user identity information to a third network station. The third network station, representing a sponsor, matches the transmitted identity information with stored identity information, modifies the stored identity information to correspond to the received identity information, generates a certificate including the modified identity information, and transmits the certificate and the request. The second station further transmits the certificate to the first station.

Abstract: A first processor generates a private crypto-key and a public crypto-key. The first processor divides the private crypto-key into two portions, a first private key portion, based upon a user's password, and a second private key portion. The private crypto-key and the first private key portion are then destroyed. The remaining portion, second private key portion, and the public crypto-key are stored in a memory. A second processor generates the first private key portion based upon the user's password and responsive to receiving the user's password. The second processor then destroys the generated first private key portion with out storing the generated first private key portion.

Abstract: A network device represents a user having a predefined associated password, a predefined associated symmetric crypto-key and a predefined associated asymmetric crypto-key, including a first private key portion, a second private key portion and a public key portion. The device includes a memory, input device and processor. The memory stores a function. The input device allows the inputting of the user password. The processor operates in either a first or second mode of operation. In the first mode of operation, the processor processes the input password in accordance with the stored function to generate the associated first private key portion, and encrypts and/or decrypts or signs a message with the generated first private key portion. In a second mode of operation, the processor processes the input password in accordance with the same stored function to generate the associated symmetric crypto-key, and encrypts and/or decrypts and/or authenticates a message with the generated symmetric crypto-key.

Abstract: A method for authenticating a user includes receiving a request for access from a user claiming to be a particular user. A first challenge having a first level of complexity is transmitted to the user. A response to the transmitted first challenge is transmitted. A determination is made as to whether or not the transmitted response authenticates the user as the particular user. The requested access by the user is allowed if the transmitted response authenticates the user. However, a second challenge having a second level of complexity, greater than the first level of complexity, is transmitted to the user if the transmitted response does not authenticate the user.