Patents by Inventor Nikolaos Triandopoulos

Nikolaos Triandopoulos has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9813244
    Abstract: Distributed proactive threshold password-based secret sharing schemes are provided. An exemplary method comprises obtaining a difference between updated and prior values of a share for at least one fixed-share party. The updated value comprises a fixed share that is one of a plurality of shares of a secret held by a plurality of parties. A fixed-share party randomly selects a first correction polynomial employed by a polynomial-based secret sharing scheme such that at least one polynomial coefficient corresponding to the fixed-share party is a value that depends on the difference. A non-fixed-share party randomly selects a second correction polynomial such that at least one corresponding polynomial coefficient corresponding to the non-fixed-share party is approximately zero.
    Type: Grant
    Filed: December 30, 2015
    Date of Patent: November 7, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Nikolaos Triandopoulos, Yupeng Zhang
  • Patent number: 9749314
    Abstract: A recovery mechanism is provided for split-server passcode verification systems. An exemplary token-centric recovery scheme comprises at least one token and a plurality of authentication servers, comprises the steps of: determining that a first one of the plurality of authentication servers is unavailable; applying an authentication mechanism to a message requesting the token to change to a new split-state mode; and sending the authenticated message to the token. The authentication mechanism comprises, for example, a relying party signing the message using a next passcode of the new split-state mode. The new split-state mode comprises, for example, a single server passcode verification and wherein the next passcode of the new split-state mode comprises a next passcode of the single server. A client optionally changes to the new split-state mode after successfully verifying the authentication mechanism.
    Type: Grant
    Filed: April 13, 2016
    Date of Patent: August 29, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Nikolaos Triandopoulos, John Brainard
  • Patent number: 9712320
    Abstract: Techniques are provided for delegating evaluation of pseudorandom functions to a proxy. A delegator delegates evaluation of a pseudorandom function to a proxy, by providing a trapdoor τ to the proxy based on a secret key k and a predicate P using an algorithm T, wherein the predicate P defines a plurality of values for which the proxy will evaluate the pseudorandom function, wherein the plurality of values comprise a subset of a larger domain of values, and wherein the trapdoor τ provides an indication to the proxy of the plurality of values. A proxy evaluates a pseudorandom function delegated by a delegator by receiving a trapdoor τ from the delegator that provides an indication of a plurality of values to be evaluated, wherein the plurality of values comprise a subset of a larger domain of values; and evaluating an algorithm C on the trapdoor τ to obtain the pseudorandom function value for each of the plurality of values.
    Type: Grant
    Filed: June 30, 2013
    Date of Patent: July 18, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Aggelos Kiayias, Stavros Papadopoulos, Nikolaos Triandopoulos, Thomas Megas Zacharias
  • Patent number: 9703965
    Abstract: Techniques are provided for protecting encryption key(s) and other protected material on devices, such as mobile devices. A device stores an encrypted container received from an online authentication service, wherein the encrypted container is encrypted using a first key stored by the online authentication service, wherein the encrypted container comprises a data item stored on the device. The device transmits the encrypted container using an online connection to the online authentication service to decrypt the encrypted container using the first key, wherein the encrypted container is decrypted by the online authentication service to provide a decrypted container only if the online connection satisfies one or more predefined online connection criteria. The device then receives the decrypted container from the online authentication service and obtains the data item from the decrypted container. Online secure containers are also disclosed that are optionally protected using a multi-layer encryption scheme.
    Type: Grant
    Filed: March 20, 2015
    Date of Patent: July 11, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Peter Robinson, Nikolaos Triandopoulos
  • Patent number: 9654467
    Abstract: Methods and apparatus are provided for improving resilience to forward clock attacks. A token generates a passcode from a user authentication token for presentation to an authentication server by detecting a forward clock attack; and communicating an indication of the forward clock attack to the authentication server. The generation of the user authentication passcodes is optionally suspended upon detecting the forward clock attack. The detection may be based on a comparison of a current device time of the token and a last used device time during a generation of a user authentication passcode.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: May 16, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Ari Juels, Nikolaos Triandopoulos, Marten van Dijk, John Brainard, Ronald Rivest
  • Patent number: 9515989
    Abstract: Methods and apparatus are provided for silent alarm channels using one-time passcode authentication tokens. A message is transmitted indicating a potential attack on a protected resource by obtaining the message; combining the message with a tokencode generated by a security token to generate a one-time passcode; and transmitting the one-time passcode to a receiver. A plurality of the messages can be obtained in parallel, and the plurality of parallel messages can be combined with the tokencode to generate the one-time passcode. A subsequent message can optionally be generated by applying a hash function to a prior n-bit value to provide a counter identifying each message. The message optionally also comprises one or more additional bits to provide an annotation of the message.
    Type: Grant
    Filed: February 24, 2012
    Date of Patent: December 6, 2016
    Assignee: EMC IP Holding Company LLC
    Inventors: Ari Juels, Nikolaos Triandopoulos, Marten Erik van Dijk, Ronald Rivest
  • Patent number: 9496897
    Abstract: Methods and apparatus are provided for encoding and decoding via authenticated error correcting codes, such as secure LT codes, secure Raptor codes, block codes and/or rateless codes. Encoded symbols are generated via an authenticated error correcting code by applying a Luby Transform (LT) code to a plurality of message symbols to produce one or more intermediate symbols using a pseudo random number generator (PRNG) to select the plurality of message symbols to combine to produce the intermediate symbols; encrypting the intermediate symbols to produce encrypted symbols; computing an authentication value, such as a message authentication code (MAC), over one or more of the one or more encrypted symbols; and appending the authentication value to the corresponding encrypted symbols to form the encoded symbols. Block scalable and random scalable constructions are also provided, as well as decoding techniques for all of the constructions.
    Type: Grant
    Filed: March 31, 2014
    Date of Patent: November 15, 2016
    Assignee: EMC IP Holding Company LLC
    Inventors: Nikolaos Triandopoulos, Ari Juels, Roberto Tamassia, James Alan Kelley
  • Patent number: 9465874
    Abstract: Methods and apparatus are provided for authenticated hierarchical set operations. A third party server processes a query (possibly from a client) on data sets outsourced by a source of the data. The query comprises a hierarchical set operation between at least two of the data sets. Authenticated Set Operation techniques for flat set operations can be iteratively applied for hierarchical set operations. In addition, bilinear accumulators are extended to provide an extractable accumulation scheme comprising a primary bilinear accumulator and a secondary bilinear accumulator. The client receives (i) an encoding of an answer to the query, (ii) a verification comprising, for example, one or more of subset witnesses, completeness witnesses, and/or accumulation values, and (iii) at least one argument for at least one intersection operation, union operation and/or set difference operation.
    Type: Grant
    Filed: April 27, 2015
    Date of Patent: October 11, 2016
    Assignee: EMC Corporation
    Inventors: Dimitrios Papadopoulos, Nikolaos Triandopoulos, Ran Canetti
  • Patent number: 9461821
    Abstract: Encryption key(s) and/or other protected material are protected on devices. A secret splitting scheme is applied to a secret, S, that protects at least one data item to obtain a plurality of secret shares. At least one secret share is encrypted to provide at least one encrypted secret share using an encryption scheme that uses at least one other secret share as the encryption key. A subset of the plurality of secret shares and encrypted secret share(s) is required to reconstruct the secret, S. One or more secret shares and/or encrypted secret shares are provided to at least one device, for example, based on a corresponding key-release policy, to allow access to the data item(s) secured by the secret, S. The secret, S, comprises, for example, a secret key used to protect at least one content item and/or a key used to protect one or more of a content container and a vault storing one or more protected data items.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: October 4, 2016
    Assignee: EMC Corporation
    Inventors: Salah Machani, Nikolaos Triandopoulos, Kevin D. Bowers, Todd A. Morneau
  • Patent number: 9455968
    Abstract: A method includes (1) receiving, by a mobile computing device (MCD), user-specific data from a user, (2) processing (a) a user share of a cryptographic key, the user share being fixed based on the received user-specified data, and (b) a local share of the cryptographic key to recreate the cryptographic key, wherein the local share was created by applying a secret splitting algorithm to the cryptographic key and the user share to yield a set of non-fixed shares including the local share, the user share and the set of non-fixed shares making up a set of shares of the cryptographic key, the cryptographic key being recreatable from a strict subset of the set of shares, and (3) decrypting encrypted data stored on the MCD using the recreated cryptographic key, thereby providing access, using the decrypted encrypted data, to the resource.
    Type: Grant
    Filed: December 19, 2014
    Date of Patent: September 27, 2016
    Assignee: EMC Corporation
    Inventors: Salah Machani, Nikolaos Triandopoulos, Lawrence N. Friedman
  • Patent number: 9454654
    Abstract: Multi-server one-time passcode verification is provided for respective high order and low order passcode portions. A user is authenticated by receiving an authentication passcode generated by a token associated with the user; and authenticating the user based on the received authentication passcode using at least a first authentication server and a second authentication server, wherein the first authentication server verifies a high-order portion of the received authentication passcode and wherein the second authentication server verifies a low-order portion of the received authentication passcode. The received authentication passcode is based on, for example, at least two protocodes PR,t and PB,t generated by the token and/or pseudorandom information RA,t. A codebook Ct, based on the pseudorandom information RA,t, can be used to embed additional auxiliary information into the authentication passcode.
    Type: Grant
    Filed: December 31, 2013
    Date of Patent: September 27, 2016
    Assignee: EMC Corporation
    Inventors: Nikolaos Triandopoulos, Ari Juels, Ronald L. Rivest, John Brainard
  • Patent number: 9455973
    Abstract: Secure storage and retrieval of data is provided with multiple data classes and data identifiers. Data values of a client are stored by receiving one or more authentication sets, at least one data value, an associated data class of the data value and a pseudo-random client value; calculating a data seed value based on the pseudo-random client value, a pseudo-random server value and the associated data class of the data value; generating a random data index value; generating a database index value based on the data seed value and the random data index value; storing the database index value; and providing the random data index value to the client. The client can be authenticated at the time of storage based on the one or more authentication sets. The authentication of the client and the storage of the data can be atomic such that only authenticated clients store the one or more data values. Techniques are also provided for the retrieval of stored data.
    Type: Grant
    Filed: December 24, 2013
    Date of Patent: September 27, 2016
    Assignee: EMC Corporation
    Inventors: Peter Robinson, Nikolaos Triandopoulos, David Alistair Healy
  • Patent number: 9432360
    Abstract: Techniques are provided for security-aware split-server passcode verification for one-time authentication tokens. An exemplary method comprises receiving an authentication passcode generated by a token; and processing the received authentication passcode using at least a first authentication server and a second authentication server. The received authentication passcode is based on a protocode and/or embedded auxiliary information. The embedded auxiliary information comprising a silent alarm and/or a drifting key is extracted from the received authentication passcode. In another exemplary method, the received authentication passcode is processed using a single processing device to extract the embedded auxiliary information comprising one or more of a silent alarm and a drifting key.
    Type: Grant
    Filed: February 22, 2014
    Date of Patent: August 30, 2016
    Assignee: EMC Corporation
    Inventors: Nikolaos Triandopoulos, John Brainard
  • Patent number: 9430673
    Abstract: A processing device in one embodiment comprises a processor coupled to a memory and is configured to detect at least one subject in a captured image, to provide a notification to the subject regarding the captured image, and to permit the subject to consent to a particular use of the captured image by another party. The providing of the notification is controlled based on at least one of a notification threshold and an automatic consent condition. Additionally or alternatively, at least portions of the captured image are provided to the subject for review only under certain conditions, such as upon receipt of a verification that a subject device associated with the subject was sufficiently near a location at which the image was captured at a time at which the image was captured, or responsive to a result of a comparison of the captured image to known information characterizing the subject.
    Type: Grant
    Filed: December 30, 2014
    Date of Patent: August 30, 2016
    Assignee: EMC Corporation
    Inventors: Kevin D. Bowers, Andres Molina-Markham, Nikolaos Triandopoulos
  • Patent number: 9407631
    Abstract: Multi-server passcode verification is provided for one-time authentication tokens with auxiliary channel compatibility. An exemplary method comprises receiving an authentication passcode generated by a token associated with a user; and processing the received authentication passcode using at least a first authentication server and a second authentication server, wherein the received authentication passcode is based on at least one protocode and embedded auxiliary information and wherein at least one of the first authentication server, the second authentication server and a relying party extract the embedded auxiliary information from the received authentication passcode. The disclosed method can extend an existing multi-server verification process to provide the processing of the received authentication passcode based on the embedded auxiliary information.
    Type: Grant
    Filed: December 31, 2013
    Date of Patent: August 2, 2016
    Assignee: EMC Corporation
    Inventors: Nikolaos Triandopoulos, Ari Juels, John Brainard
  • Patent number: 9361447
    Abstract: A processing device comprises a processor coupled to a memory and is configured to implement an overlay effects selection interface for use in conjunction with generation of a graphical password. An image is obtained and presented in the overlay effects selection interface with a plurality of user-selectable overlay effects. User input is received identifying at least one overlay effect selected from the plurality of user-selectable overlay effects, and a modified version of the image is presented incorporating the selected at least one overlay effect. Information characterizing the image and the selected at least one overlay effect is utilized to control access to a protected resource. For example, the information characterizing the image and the selected at least one overlay effect may be obtained as part of a graphical password enrollment process and stored as at least a portion of the graphical password for controlling access to the protected resource.
    Type: Grant
    Filed: September 4, 2014
    Date of Patent: June 7, 2016
    Assignee: EMC Corporation
    Inventors: Kevin D. Bowers, Vihang P. Dudhalkar, Ari Juels, Ronald L. Rivest, Samir Saklikar, Nikolaos Triandopoulos
  • Patent number: 9350545
    Abstract: A recovery mechanism is provided for split-server passcode verification systems. An exemplary server-centric recovery scheme enables the system to respond to authentication attempts even if an authentication server is unavailable. The exemplary server-centric recovery scheme allows a periodic exchange of encrypted partial secret states among the authentication servers. Recovery occurs by allowing the decryption of the encrypted partial secret state that corresponds to the server that is unresponsive. An exemplary token-centric recovery scheme comprises determining that a first authentication server is unavailable; applying an authentication mechanism to a message requesting a token to change to a new split-state mode; and sending the authenticated message to the token.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: May 24, 2016
    Assignee: EMC Corporation
    Inventors: Nikolaos Triandopoulos, John Brainard
  • Patent number: 9294473
    Abstract: Server methods and apparatus are provided for processing passcodes generated by configurable one-time authentication tokens. An authentication server is configured to process an original passcode generated by a configurable one-time authentication token by configuring the authentication server to have a server configuration that is compatible with a selected configuration of the configurable one-time authentication token; receiving a candidate passcode based on the original passcode generated by the configurable one-time authentication token; and processing the candidate passcode based on the server configuration. The selected configuration of the configurable one-time authentication token must always enable a forward-secure pseudorandom number generation feature for the one-time authentication token and at least one additional selected token feature.
    Type: Grant
    Filed: March 19, 2015
    Date of Patent: March 22, 2016
    Assignee: EMC Corporation
    Inventors: Ari Juels, Nikolaos Triandopoulos, Marten van Dijk, John Brainard, Ronald Rivest, Kevin Bowers
  • Patent number: 9288049
    Abstract: Methods and apparatus are provided for cryptographically linking data identifiers and authentication identifiers without storing the association between the authentication and data secrets in the database of the server. A data secret of a client is provided to a server for storage with an authentication identifier (AuthId) and a pseudo-random client value. The server provides the client with a sequence number of the stored data secret that is associated with a data identifier (DataId) identifying the data secret obtained using a Key Derivation Function and a storage seed. The client registers with the server to obtain the authentication identifier (AuthId). Techniques are also provided for retrieving and updating the data secret.
    Type: Grant
    Filed: June 28, 2013
    Date of Patent: March 15, 2016
    Assignee: EMC Corporation
    Inventors: Peter Robinson, David Alistair Healy, Nikolaos Triandopoulos
  • Patent number: 9270655
    Abstract: Configurable one-time authentication tokens are provided with improved resilience to attacks. A one-time authentication token is configured by providing a plurality of token features that may be selectively incorporated into the configurable one-time authentication token, wherein the plurality of token features comprise at least two of the features; obtaining a selection of at least a plurality of the token features; and configuring the one-time authentication token based on the selected token features, wherein the configuration must always enable forward security for the one-time authentication token and at least one additional selected token feature. A configurable one-time authentication token is provided that comprises a plurality of selectable token features that may be selectively incorporated into the configurable one-time authentication token, wherein the configurable one-time authentication token is always configured with the forward security and at least one additional token feature.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: February 23, 2016
    Assignee: EMC Corporation
    Inventors: Ari Juels, Nikolaos Triandopoulos, Marten van Dijk, John Brainard, Ronald Rivest, Kevin Bowers