Patents by Inventor Kevin D. Bowers
Kevin D. Bowers has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 9614829
  Abstract: A processing device comprises a processor coupled to a memory and is configured to establish secure communications with a plurality of user devices associated with a particular user, to generate an exclusive authentication token for utilization by each of the plurality of user devices in unlocking of secure functionality associated with that device, to provide the exclusive authentication token to only a subset of the plurality of user devices at a given time, and to force deauthentication of any of the plurality of user devices that do not currently have possession of the exclusive authentication token. These operations in some embodiments are performed by a deauthentication server implemented by the processing device. The processing device implementing the deauthentication server may comprise, for example, a remote server accessible to the plurality of user devices over a network, a smart watch or other wearable device of the user, or a user device.
  Type: Grant
  Filed: March 27, 2015
  Date of Patent: April 4, 2017
  Assignee: EMC IP Holding Company LLC
  Inventors: Andres D. Molina-Markham, Kevin D. Bowers
- Patent number: 9467343
  Abstract: A method includes receiving a first analytics set performed on a first network security appliance operated internal to a first organization, receiving a second analytics set performed on a second network security appliance operated internal to a second organization, processing the first analytics set and the second analytics set, and responsive to the processing, disseminating to the second network security appliance information indicating that the second analytics set has also been performed on at least the first network security appliance, without revealing an identity of the first organization. In one embodiment at least part of the first analytics set or the second analytics set is hashed.
  Type: Grant
  Filed: September 30, 2014
  Date of Patent: October 11, 2016
  Assignee: EMC CORPORATION
  Inventors: Yedidya Dotan, Brian P. Girardi, Marcelo Blatt, Oleg Freylafert, Kevin D. Bowers, Michael S. Shreve
- Patent number: 9461821
  Abstract: Encryption key(s) and/or other protected material are protected on devices. A secret splitting scheme is applied to a secret, S, that protects at least one data item to obtain a plurality of secret shares. At least one secret share is encrypted to provide at least one encrypted secret share using an encryption scheme that uses at least one other secret share as the encryption key. A subset of the plurality of secret shares and encrypted secret share(s) is required to reconstruct the secret, S. One or more secret shares and/or encrypted secret shares are provided to at least one device, for example, based on a corresponding key-release policy, to allow access to the data item(s) secured by the secret, S. The secret, S, comprises, for example, a secret key used to protect at least one content item and/or a key used to protect one or more of a content container and a vault storing one or more protected data items.
  Type: Grant
  Filed: June 30, 2014
  Date of Patent: October 4, 2016
  Assignee: EMC Corporation
  Inventors: Salah Machani, Nikolaos Triandopoulos, Kevin D. Bowers, Todd A. Morneau
- Patent number: 9430673
  Abstract: A processing device in one embodiment comprises a processor coupled to a memory and is configured to detect at least one subject in a captured image, to provide a notification to the subject regarding the captured image, and to permit the subject to consent to a particular use of the captured image by another party. The providing of the notification is controlled based on at least one of a notification threshold and an automatic consent condition. Additionally or alternatively, at least portions of the captured image are provided to the subject for review only under certain conditions, such as upon receipt of a verification that a subject device associated with the subject was sufficiently near a location at which the image was captured at a time at which the image was captured, or responsive to a result of a comparison of the captured image to known information characterizing the subject.
  Type: Grant
  Filed: December 30, 2014
  Date of Patent: August 30, 2016
  Assignee: EMC Corporation
  Inventors: Kevin D. Bowers, Andres Molina-Markham, Nikolaos Triandopoulos
- Patent number: 9361447
  Abstract: A processing device comprises a processor coupled to a memory and is configured to implement an overlay effects selection interface for use in conjunction with generation of a graphical password. An image is obtained and presented in the overlay effects selection interface with a plurality of user-selectable overlay effects. User input is received identifying at least one overlay effect selected from the plurality of user-selectable overlay effects, and a modified version of the image is presented incorporating the selected at least one overlay effect. Information characterizing the image and the selected at least one overlay effect is utilized to control access to a protected resource. For example, the information characterizing the image and the selected at least one overlay effect may be obtained as part of a graphical password enrollment process and stored as at least a portion of the graphical password for controlling access to the protected resource.
  Type: Grant
  Filed: September 4, 2014
  Date of Patent: June 7, 2016
  Assignee: EMC Corporation
  Inventors: Kevin D. Bowers, Vihang P. Dudhalkar, Ari Juels, Ronald L. Rivest, Samir Saklikar, Nikolaos Triandopoulos
- Patent number: 9325499
  Abstract: In one embodiment, a first message is obtained and encrypted to produce a ciphertext. The first message is encrypted such that decryption of the ciphertext utilizing a first key yields the first message, and decryption of the ciphertext utilizing a second key different than the first key yields a second message that is distinct from the first message but shares one or more designated characteristics with the first message. Encrypting the first message may more particularly comprise mapping the first key to a first seed, mapping the first message to a second seed, determining an offset between the first and second seeds, and generating the ciphertext based on the determined offset. Such an arrangement prevents an attacker from determining solely from the second message if decryption of the ciphertext has been successful or unsuccessful. Other embodiments include decryption methods, apparatus for encryption and decryption, and associated articles of manufacture.
  Type: Grant
  Filed: September 30, 2013
  Date of Patent: April 26, 2016
  Assignee: EMC Corporation
  Inventors: Ari Juels, Kevin D. Bowers
- Patent number: 9323909
  Abstract: Techniques, apparatus and articles of manufacture are provided herein. A method includes providing a first sub-set of authentication information from a set of authentication information associated with a first cryptographic device issued to a user to a second cryptographic device in connection with a first user authentication request responsive to a request from the user to access a first protected resource, wherein the first sub-set comprises a first set of N pre-computed passcodes and corresponding challenges, and providing a second sub-set of authentication information from the set of authentication information associated with the first cryptographic device to a third cryptographic device in connection with a second user authentication request responsive to a request from the user to access a second protected resource, wherein the second sub-set comprises a second set of N pre-computed passcodes and corresponding challenges.
  Type: Grant
  Filed: December 7, 2012
  Date of Patent: April 26, 2016
  Assignee: EMC Corporation
  Inventors: Guoying Luo, Ari Juels, Kevin D. Bowers
- Patent number: 9256725
  Abstract: There is disclosed a method for use in credential recovery. In one exemplary embodiment, the method comprises determining a policy that requires at least one trusted entity to verify the identity of a first entity in order to facilitate credential recovery. The method also comprises receiving at least one communication that confirms verification of the identity of the first entity by at least one trusted entity. The method further comprises permitting credential recovery based on the received verification.
  Type: Grant
  Filed: February 26, 2014
  Date of Patent: February 9, 2016
  Assignee: EMC Corporation
  Inventors: Alina Oprea, Kevin D. Bowers, Nikolaos Triandopoulos, Ting-Fang Yen, Ari Juels
- Patent number: 9128739
  Abstract: A method includes the step of running a set of instances on at least one cloud for a first time interval, each of the instances comprising a bundle of virtualized resources. The method also includes the step of evaluating one or more performance characteristics of each of the instances in the set of instances over the first time interval. The method further includes the step of determining a first subset of the set of instances to maintain for a second time interval and a second subset of the set of instances to terminate for the second time interval responsive to the evaluating step. The steps are performed by at least one processing device comprising a processor coupled to a memory.
  Type: Grant
  Filed: December 31, 2012
  Date of Patent: September 8, 2015
  Assignee: EMC Corporation
  Inventors: Ari Juels, Kevin D. Bowers, Benjamin Farley, Venkatanathan Varadarajan, Thomas Ristenpart, Michael M. Swift
- Publication number: 20150242616
  Abstract: There is disclosed a method for use in credential recovery. In one exemplary embodiment, the method comprises determining a policy that requires at least one trusted entity to verify the identity of a first entity in order to facilitate credential recovery. The method also comprises receiving at least one communication that confirms verification of the identity of the first entity by at least one trusted entity. The method further comprises permitting credential recovery based on the received verification.
  Type: Application
  Filed: February 26, 2014
  Publication date: August 27, 2015
  Inventors: Alina Oprea, Kevin D. Bowers, Nikolaos Triandopoulos, Ting-Fang Yen, Ari Juels
- Patent number: 9037858
  Abstract: An authentication system comprises multiple servers and a controller coupled to or otherwise associated with the servers. The controller is configured to control storage in the servers of respective chaff sets or other types of value sets, each including at least one secret value obscured within a distinct arrangement of other values. Each of the servers comprises a local verifier configured to generate an indication as to whether or not a received input value corresponds to one of the values in its value set. The controller comprises a global verifier configured to authenticate the received input value based on the indications generated by at least a subset of the servers. By way of example, the secret value may comprise a common value which is the same for all of the value sets, with the value sets otherwise including distinct values such that their intersection yields only the common value.
  Type: Grant
  Filed: March 12, 2013
  Date of Patent: May 19, 2015
  Assignee: EMC Corporation
  Inventors: Ari Juels, Sandra Carielli, Kevin D. Bowers, Guoying Luo
- Patent number: 9015476
  Abstract: Methods, apparatus and articles of manufacture for implementing cryptographic devices operable in a challenge-response mode are provided herein. A method includes storing a set of authentication information in a first cryptographic device associated with a user, receiving a challenge in the first cryptographic device in connection with a user authentication request responsive to a request from the user to access a protected resource, wherein the challenge comprises an index of at least one non-sequential portion of the authentication information stored in the first cryptographic device, and outputting a non-sequential portion of the authentication information from the set of authentication information stored in the first cryptographic device in response to the challenge for use in authenticating the user.
  Type: Grant
  Filed: December 7, 2012
  Date of Patent: April 21, 2015
  Assignee: EMC Corporation
  Inventors: Ari Juels, Guoying Luo, Kevin D. Bowers
- Patent number: 8984384
  Abstract: A client device or other processing device comprises a file encoding module, with the file encoding module being configured to separate a file into a plurality of sets of file blocks, to assign sets of the file blocks to respective ones of a plurality of servers, to define a plurality of parity groups each comprising a different subset of the plurality of servers, to assign, for each of the servers, each of its file blocks to at least one of the defined parity groups, and to compute one or more parity blocks for each of the parity groups. The file blocks are stored on their associated servers, and the parity blocks computed for each of the parity groups are stored on respective ones of the servers other than those within that parity group. Such an arrangement advantageously ensures that only a limited number of parity block recomputations are required in response to file block updates.
  Type: Grant
  Filed: June 30, 2010
  Date of Patent: March 17, 2015
  Assignee: EMC Corporation
  Inventors: Ari Juels, Kevin D. Bowers, Alina Oprea
- Patent number: 8984363
  Abstract: A proof of retrievability (POR) mechanism is applicable to a data object for providing assurances of data object possession to a requesting client by transmitting only a portion of the entire data object. The client compares or examines validation values returned from predetermined validation segments of the data object with previously computed validation attributes for assessing the existence of the data object. Since the archive server does not have access to the validation function prior to the request, or challenge, from the client, the archive server cannot anticipate the validation values expected from the validation function. Further, since the validation segments from which the validation attributes, and hence the validation values were derived, are also unknown to the server, the server cannot anticipate which portions of the data object will be employed for validation.
  Type: Grant
  Filed: January 30, 2013
  Date of Patent: March 17, 2015
  Assignee: EMC Corporation
  Inventors: Ari Juels, Burton S. Kaliski, Jr., Kevin D. Bowers, Alina M. Oprea
- Patent number: 8904525
  Abstract: A technique to detect malware on a mobile device which stores a virtual machine image involves establishing a connection from an electronic malware detection apparatus to the mobile device, the electronic malware detection apparatus being external to the mobile device. The technique further involves transferring mobile device data from the mobile device to the electronic malware detection apparatus through the connection to form a copy of the virtual machine image within the electronic malware detection apparatus. The technique further involves performing, by the electronic detection apparatus, a set of malware detection operations on the copy of the virtual machine image to determine whether the mobile device is infected with malware.
  Type: Grant
  Filed: June 28, 2012
  Date of Patent: December 2, 2014
  Assignee: EMC Corporation
  Inventors: Roy Hodgman, Samir D. Saklikar, Kevin D. Bowers
- Patent number: 8874904
  Abstract: A first cryptographic device is configured to store a set of keys that is refreshed in each of a plurality of epochs. The first cryptographic device computes for each of at least a subset of the epochs at least one view based on at least a portion of the set of keys for that epoch, and transmits the views to a second cryptographic device in association with their respective epochs. At least one view computed for a current one of the epochs is configured for utilization in combination with one or more previous views computed for one or more previous ones of the epochs to permit the second cryptographic device to confirm authenticity of the set of keys for the current epoch. The first cryptographic device may include an authentication token and the second cryptographic device may include an authentication server.
  Type: Grant
  Filed: December 13, 2012
  Date of Patent: October 28, 2014
  Assignee: EMC Corporation
  Inventors: Ari Juels, Kevin D. Bowers
- Patent number: 8875263
  Abstract: A technique controls a soft token running within an electronic apparatus. The technique involves providing an initial series of authentication codes based on a first set of machine states. The initial series of authentication codes is provided from the electronic apparatus to a server through a forward channel to authenticate a user. The technique further involves receiving a command from the server through a reverse channel between the electronic apparatus and the server. The reverse channel provides communications in a direction opposite to that of the forward channel. The technique further involves changing the first set of machine states to a second set of machine states in response to the command, and providing a new series of authentication codes based on the second set of machine states. The new series of authentication codes is provided from the electronic apparatus to the server through the forward channel for user authentication.
  Type: Grant
  Filed: March 29, 2012
  Date of Patent: October 28, 2014
  Assignee: EMC Corporation
  Inventors: Marten van Dijk, Kevin D. Bowers, John G. Brainard, Samuel Curry, Sean P. Doyle, Michael J. O'Malley, Nikolaos Triandopoulos
- Patent number: 8819769
  Abstract: An improved technique for managing access of a user of a computing machine to a remote network collects device posture information about the user's mobile device. The mobile device runs a soft token, and the collected posture information pertains to various aspects of the mobile device, such as the mobile device's hardware, software, environment, and/or users, for example. The server applies the collected device posture information along with token codes from the soft token in authenticating the user to the remote network.
  Type: Grant
  Filed: March 30, 2012
  Date of Patent: August 26, 2014
  Assignee: EMC Corporation
  Inventors: Marten van Dijk, Kevin D. Bowers, Samuel Curry, Sean P. Doyle, Eyal Kolman, Nikolaos Triandopoulos, Riaz Zolfonoon
- Patent number: 8813234
  Abstract: A processing device comprises a processor coupled to a memory and implements a graph-based approach to protection of a system comprising information technology infrastructure from a persistent security threat. Attack-escalation states of the persistent security threat are assigned to respective nodes in a graph, and defensive costs for preventing transitions between pairs of the nodes are assigned to respective edges in the graph. A minimum cut of the graph is computed, and a defensive strategy is determined based on the minimum cut. The system comprising information technology infrastructure subject to the persistent security threat is configured in accordance with the defensive strategy in order to deter the persistent security threat.
  Type: Grant
  Filed: June 29, 2011
  Date of Patent: August 19, 2014
  Assignee: EMC Corporation
  Inventors: Kevin D. Bowers, Marten E. van Dijk, Ari Juels, Alina M. Oprea, Ronald L. Rivest, Nikolaos Triandopoulos
- Patent number: 8752146
  Abstract: A technique provides authentication codes to authenticate a user to an authentication server. The technique involves generating, by an electronic apparatus (e.g., a smart phone, a tablet, a laptop, etc.), token codes from a cryptographic key. The technique further involves obtaining biometric measurements from a user, and outputting composite passcodes as the authentication codes. The composite passcodes include the token codes and biometric factors based on the biometric measurements. Additionally, the token codes and the biometric factors of the composite passcodes operate as authentication inputs to user authentication operations performed by the authentication server. In some arrangements, the biometric factors are results of facial recognition (e.g., via a camera), voice recognition (e.g., via a microphone), gait recognition (e.g., via an accelerometer), touch recognition and/or typing recognition (e.g., via a touchscreen or keyboard), combinations thereof, etc.
  Type: Grant
  Filed: March 29, 2012
  Date of Patent: June 10, 2014
  Assignee: EMC Corporation
  Inventors: Marten van Dijk, Kevin D. Bowers, Samuel Curry, Sean P. Doyle, Nikolaos Triandopoulos, Riaz Zolfonoon