WO2007131131A2 - Method, system and apparatus for nested security access/authentication with media initiation - Google Patents

Method, system and apparatus for nested security access/authentication with media initiation

Info

Publication number
WO2007131131A2
Authority
WO
WIPO (PCT)
Prior art keywords
access
authentication
data
user
access point
Prior art date
Application number
PCT/US2007/068178
Other languages
English (en)
Other versions
WO2007131131A3 (fr)
Inventor
James Downes
Szalewicz Filip
Original Assignee
Imx Solutions, Inc.
Priority date
Filing date
Publication date
Priority claimed from US11/682,751 (published as US20070266428A1)
Application filed by Imx Solutions, Inc.
Publication of WO2007131131A2
Publication of WO2007131131A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
    • H04L 2209/56 Financial cryptography, e.g. electronic payment or e-cash
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
    • H04L 2209/80 Wireless

Definitions

  • the present invention is directed generally to apparatuses, methods, and systems for securing data and more particularly, to an apparatus, method and system facilitating secure data by providing a series of nested security measures to combat various computer data hacking techniques.
  • One conventional method of attempting to secure data access involves requiring a user to input a password before allowing the user to access certain data on the ATTORNEY DOCKET NO.: 17337-008PC 2
  • the static image verification involves a central server transmitting an image to a data access point.
  • the image often includes measures designed to frustrate automated computer programs implementing optical character recognition modules from automatically accessing the data. For example, a web surfer attempts to get music concert tickets.
  • the ticket distributor transmits a static image to the user's web browser.
  • the static image includes a text-based password; however, the text in the image is skewed. The program ensures that an individual will be able to discern the text within the static image and enter it into a text box to proceed.
  • Another conventional data access/entry security measure involves static image password selection and entry. This security measure has been created to defeat certain computer programs that reside on a computer and log user information, including data associated with a user's keystrokes and/or mouse clicks. For example, a user attempts to access their financial data. The financial data host may ask for a username and/or PIN before allowing access. Instead of typing the PIN into a data entry point, the financial data host may present the user with an image of a numerical keypad.
  • An object of the invention involves providing a tool that authenticates/verifies an end user's personal identification data (e.g., passwords, pin), in order to protect the user's identifying information, and secure data accessible via the internet.
  • a method for facilitating nested security measures includes three primary elements that work in coordination to secure data.
  • three security elements include: 1.) a dynamic image login generation; 2.) clickable data entry; and 3.) dynamic login verification.
  • a media initiated application may be implemented as a fourth security element either as a stand-alone security element or in combination with other security elements.
  • Fig. 1 of the present disclosure is a high-level diagram illustrating the entities that interact with the system according to an embodiment of the invention for facilitating nested secure access/authentication (NSA);
  • FIGs. 2A and 2B of the present disclosure are high-level flow diagrams illustrating the process flow associated with security elements implemented as a nested secure access system, according to an embodiment of the invention
  • Figs. 3A-3C of the present disclosure illustrate flow diagrams associated with three implementations of the nested secure access system according to various embodiments of the invention
  • Fig. 4 of the present disclosure illustrates a flow diagram associated with a process that generates nested security elements according to an embodiment of the invention
  • FIGs. 5A-5J illustrate aspects of six possible implementations of nested user access security elements of the present disclosure
  • Figs. 5K-5L illustrate implementations of a secure user login associated with the flow diagram illustrated in Fig. 3B.
  • FIG. 6 is a flow diagram illustrating aspects of the access data verification process associated with an embodiment of the invention.
  • FIG. 7 illustrates inventive software module/hardware components of a NSA controller in a block diagram, according to an embodiment of the invention.
  • An Appendix is attached to the document describing various embodiments of security elements associated with the invention.
  • the invention is directed to systems, methods and apparatuses configured to facilitate nested security modules. It is to be understood that depending on the particular needs and/or characteristics of an access point or system user, various embodiments of the system may be implemented that enable a great deal of flexibility and customization.
  • the instant disclosure discusses an embodiment of the system within the context of accessing data online, as well as verifying/authenticating a system's user's identifying information. However, it is to be understood that the system described herein may be readily configured/customized to provide nested security access (NSA) for a wide range of applications or implementations.
  • aspects of the data access NSA system may be adapted for use in protecting an individual's identification data, such as data submitted as part of a credit card purchase.
  • aspects of the data access NSA system may be adapted for use in protecting and/or securing access to a variety of multi-user and/or embedded systems, such as ATMs or password-protected portable devices.
  • the NSA system may be further adapted to include additional data/transaction security elements.
  • Fig. 1 illustrates a high-level diagram of the entities that interact with the system according to an embodiment of the invention.
  • an implementation includes a core NSA systemization 100 and NSA system databases 110.
  • System administrators 120 may configure and maintain the system 100 and various system
  • For illustrative purposes, the implementation illustrated in Fig. 1 is directed to providing nested security access for a web-enabled access point.
  • the NSA system may be configured to facilitate additional or different nested security elements based on an end user's particular security needs.
  • additional nested security modules may include security elements that facilitate additional aspects of user identification authentication/verification, for example asking a user a personalized question.
  • the system may be adapted to facilitate secure transactions, or provide secure access management for a variety of multi-user or embedded systems.
  • the NSA system is configured to protect data associated with the access point provider 130, the system user 140 attempting to gain access to the access point, as well as the data beyond the access point.
  • an access point provider 130 may be a financial institution that provides web-enabled access for individuals (system users) that maintain financial accounts with the institution. The financial institution is able to use the system to help verify a system user's identity. Alternate implementations include protecting/authenticating a system user's identification/transaction data as part of an online monetary transaction, restricting use of a portable device, restricting access to money from an ATM, and/or the like. In those alternate examples, the role of the Access Point provider 130 may be considered synonymous with a user identification verification entity.
  • Fig. 1 illustrates the system 100 and system administrator 120 as separate elements of the implementation. However, as discussed above, the invention facilitates a great deal of flexibility and scalability.
  • the system facilitates nested security access module generation; nested security access/authentication data submission; and nested security access/authentication submitted data verification.
  • the system may be configured with additional security elements that protect access to other security elements by acting as a doorkeeper. This particular implementation is illustrated in Figs. 2A and 2B and represented by the dashed line connecting elements 240 and 250.
  • the secure access procedure starts with element 250 (with a system user requesting access/authentication) and nested secure access procedure incorporates the elements illustrated in Fig. 2B.
  • a first security element is implemented as a media application initiation security element 200 and incorporates additional security processes, for example the steps shown in Fig. 2A.
  • the system user initiates an authentication media application.
  • a media initiation device with the initiation application may be any type of device capable of storing an application, such as a compact disc, DVD, floppy or zip disk/drive, a thumb drive, flash memory device, RFID or biometric cards, magnetic stripe cards, removable and/or internal hard drives, and/or the like.
  • an authentication media application may be downloaded and/or otherwise installed to a user's computer (e.g., stored on the computer's hard drive) and initiated as needed for authentication.
  • the application may be configured and stored on any number of devices including wireless
  • a further security measure may be instituted whereby a user must enter authenticating information, such as a code or password, on the portable device in order for it to transmit application data.
  • the media initiation device will be discussed in the context of a compact disc storage disc that a user may insert into a computer's compact disc (CD) drive.
  • in step 200, the system user initiates the authentication media by placing the
  • the CD includes an application that conducts an initial authentication process in step 210.
  • the initial authentication process may, for example, comprise a search for an authenticating data element on the user's computer, such as a cookie, file installed to the computer during CD registration, and/or the like.
  • the application may proceed right into step 220 and spawn a user login application. The process may subsequently transition into the security elements described in Fig. 2B.
  • Fig. 2B of the present disclosure illustrates a high-level flow diagram of three core aspects of system/system user/access point (verification entity) interaction, according to an embodiment of the invention configured to achieve these objectives.
  • step 250 involves a system user requesting access (or requesting system user identification authentication) to an access point (or for an online transaction) with nested secure access/authentication elements.
  • the next step in the process involves generating a nested secure access module in step 260.
  • the nested secure access module is, in one implementation, another security element that is nested within the overall process and protects both the data maintained beyond the access point and/or the access data associated with the system user (in some implementations the element may be configured to authenticate a system user). Accordingly, in step 260 the system user inputs access/authentication data (this process will be described in greater detail in Figs. 3A-3C). The input data may be encapsulated or encrypted, depending on the implementation, before it is transferred to the system verification module in step 270.
  • the system may generate an authentication indicator that facilitates access to designated portions of a database, entry to an online access point accessible to the particular system user, access to the use of an embedded system and/or portable device, facilitate an online transaction and provide the verification (or access denial) message to a system user, and/or the like in step
  • Figs. 3A-3C illustrate flow diagrams associated with three respective implementations of NSA systems with a media initiated authentication.
  • Fig. 3A is a flow diagram describing an implementation of media initiated authentication. The process is started when a system user initiates media login, such as by inserting a compact disc into a computer, in step 300.
  • the disc stores an application that starts up and conducts an initial authentication (e.g., looks for a cookie or other data key downloaded to the system when the user registered the disc).
  • Other implementations may omit this step and go directly to the spawning an initial authentication interface 303.
  • the application may be configured to automatically generate the initial authentication interface 312.
  • the media application may be initiated after a user attempts to access a user access/authentication point. For example, a user types
  • a program module may be configured to determine if the media application is stored in a media device that is currently accessible. If the media application is not accessible, the user may be prompted to make the program accessible (e.g., by inserting the compact disc or initiating the application on a wireless device).
  • the media application may be configured to transmit an alert message along with an identifier signaling to a remote server that a user may be attempting to login in step 306.
  • the remote server may be configured to start a watchdog process determining whether a viable login attempt was received and correlated to the identifier within a designated period of time after receiving the initial alert message.
  • the remote server may only grant user access and/or verification if a user authentication process is successfully completed within a prescribed time interval after initiation of the watchdog process.
  • the remote server may be configured to undertake certain security measures, such as sending an email to a user to determine if they need assistance or possibly applying a temporary freeze on account access.
  • the remote server may also monitor whether multiple unsuccessful login attempts are undertaken and, if so, notify the user and/or apply a temporary freeze on account access.
  • the remote server may directly send an authentication signal and/or notification to the device to establish whether it is being employed for authentication.
  • the media application may be configured to generate a token for use during the login process in step
  • the generated token may be configured as time-sensitive and expire after a certain period of time.
  • the system user then inputs identifying information, such as a user id, a password, a PIN, and/or the like, and in some implementations the token data generated in step 315.
  • the local system then transmits the data for remote authentication in step 321.
  • the remote system receives the identifying information and token data (and disables the watchdog process if it was initiated) and conducts the authentication in step 324.
  • the system generates and transmits an authentication confirmation/denial message, which may be displayed to the system user in step 327.
  • the system transmitted authentication confirmation/denial message may be sent to that portable device.
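The media-initiated login of Fig. 3A, carried through as a worked exchange between the media application and the remote server: the alert of step 306, the server-side watchdog, the time-sensitive token of step 315, remote authentication in step 324, and the freeze-on-failure measures. This is an added example, not code from the patent or from Imx Solutions. It assumes a per-medium secret provisioned at CD registration, a token that is an HMAC-SHA256 over the media identifier, issue time and a nonce, a 120-second watchdog window, a 60-second token lifetime, and a freeze after three failures; the registration record and all names are constructed.

```python
"""Media-initiated login with a server watchdog and a time-limited token.

Added example, not the patent's code. Assumptions (mine, not the page's):
a per-medium secret from CD registration, HMAC-SHA256 tokens over
(media_id, issue time, nonce), a 120 s watchdog window, 60 s token life,
and a freeze after three failed logins. Registration data is constructed.
"""
from __future__ import annotations
import hashlib
import hmac
import secrets

WATCHDOG_WINDOW = 120   # seconds the server waits for a login after an alert
TOKEN_LIFETIME = 60     # seconds a media-generated token stays valid
MAX_FAILURES = 3        # failed logins before a temporary account freeze
_SALT = b"constructed-salt"


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed registration record: what the server learned at CD registration.
REGISTRY = {
    "CD-0001": {
        "secret": b"constructed-media-secret-0001",
        "user_id": "alice",
        "pw_hash": _pw_hash("dogs425", _SALT),
    }
}


class MediaApplication:
    """The application launched from the medium (steps 300-321 of Fig. 3A)."""

    def __init__(self, media_id: str, secret: bytes):
        self.media_id = media_id
        self.secret = secret

    def alert(self) -> dict:
        """Step 306: signal the server that a login is about to be attempted."""
        return {"type": "alert", "media_id": self.media_id}

    def token(self, now: int) -> str:
        """Step 315: time-sensitive token proving possession of the medium."""
        nonce = secrets.token_hex(8)
        msg = f"{self.media_id}|{now}|{nonce}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        return f"{now}.{nonce}.{mac}"

    def login(self, user_id: str, password: str, now: int) -> dict:
        """Steps 318-321: identifying information plus the token, sent remotely."""
        return {"type": "login", "media_id": self.media_id, "user_id": user_id,
                "password": password, "token": self.token(now)}


class RemoteServer:
    def __init__(self, registry: dict):
        self.registry = registry
        self.watchdogs: dict[str, int] = {}   # media_id -> deadline
        self.failures: dict[str, int] = {}
        self.frozen: set[str] = set()
        self.notices: list[str] = []          # e-mails and freezes issued

    def receive_alert(self, msg: dict, now: int) -> None:
        """Step 309: start the watchdog for this identifier."""
        if msg["media_id"] in self.registry:
            self.watchdogs[msg["media_id"]] = now + WATCHDOG_WINDOW

    def sweep(self, now: int) -> None:
        """Expire watchdogs that saw no viable login; take the security measure."""
        for media_id, deadline in list(self.watchdogs.items()):
            if now > deadline:
                del self.watchdogs[media_id]
                self.notices.append(f"email:{media_id}:need-assistance?")

    def _token_ok(self, media_id: str, token: str, now: int) -> bool:
        try:
            issued_s, nonce, mac = token.split(".")
            issued = int(issued_s)
        except ValueError:
            return False
        if not 0 <= now - issued <= TOKEN_LIFETIME:
            return False                      # expired (or from the future)
        msg = f"{media_id}|{issued}|{nonce}".encode()
        expected = hmac.new(self.registry[media_id]["secret"], msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac)

    def receive_login(self, msg: dict, now: int) -> tuple[bool, str]:
        """Step 324: authenticate only inside the watchdog window, then disable it."""
        media_id = msg["media_id"]
        if media_id in self.frozen:
            return False, "account frozen"
        rec = self.registry.get(media_id)
        if rec is None:
            return False, "unknown media"
        deadline = self.watchdogs.get(media_id)
        if deadline is None or now > deadline:
            self.watchdogs.pop(media_id, None)
            return False, "no viable alert within window"
        token_ok = self._token_ok(media_id, msg["token"], now)
        user_ok = hmac.compare_digest(rec["user_id"].encode(), msg["user_id"].encode())
        pw_ok = hmac.compare_digest(rec["pw_hash"], _pw_hash(msg["password"], _SALT))
        if token_ok and user_ok and pw_ok:
            del self.watchdogs[media_id]      # watchdog disabled on success
            self.failures[media_id] = 0
            return True, "authenticated"
        n = self.failures[media_id] = self.failures.get(media_id, 0) + 1
        if n >= MAX_FAILURES:
            self.frozen.add(media_id)
            self.watchdogs.pop(media_id, None)
            self.notices.append(f"freeze:{media_id}")
            return False, "too many failures; account frozen"
        return False, "bad credentials or token"
```

Time is passed in explicitly as `now` so the window checks are deterministic; a deployment would use the server clock on the server side only and never trust a timestamp from the client beyond the token-lifetime check. Note that the watchdog deadline and the token lifetime are independent: a fresh alert does not rescue a stale token, and a fresh token does not rescue a missing alert. The cookie or file check the application performs on the user's machine in step 303 is local and proves nothing to the server; only the keyed token does.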
  • Fig. 3B is a flow diagram describing another implementation of the initial media authentication process (example screen diagrams associated with this process are included as Figs. 5K and 5L).
  • the system user attempts to navigate to an authentication point (e.g., a user login screen associated with a financial institution).
  • a program module determines that the media initiated login application is not currently accessible in step 333. For example, the program module may automatically query an access point for a media identification code indicating the presence of the proper media and/or other authentication codes, files, passwords, and/or the like that are associated with the presence of the media application. Therefore, if the media identification code is not found, a "Login denied" message (similar to the one displayed as Fig. 5K) is generated and displayed in the area of the web page where the user login data entry interface is generally located.
  • the system user inserts the compact disc with the media application into the computer and attempts to reload the web page in step 336.
  • the user manually reloads the web page while, in another implementation, the web page automatically reloads upon insertion, execution, and/or recognition of the media and/or media application depending on the particular implementation.
  • the system determines that the media application is now accessible and enables the login request module in step 339.
  • Some implementations of the system include dynamic token generation functionality 342 as described above.
  • the system user's terminal proceeds to the next in the series of secure elements associated with the nested secure access generation/authentication process (e.g., such as those illustrated in Fig. 2B).
  • the system user attempts to enter a web-enabled data access point (alternate implementations may be configured as user identification verification modules - e.g., a user remote system logins instead of web-enabled access points).
  • the access/authentication point requests the login/verification module from the system.
  • the system generates a login/verification module, which is returned to the access point in step 348.
  • the access point executes the login/verification module in step 351.
  • nested security access is bolstered with an additional security element by transferring a login/verification module to the access point and executing the login/verification generation module locally.
  • the system user enters access/authentication data in step 354, which is then transmitted to the NSA system in step 357.
  • upon receiving the access data, the NSA system conducts an authentication procedure in step 360.
  • the NSA system then transmits an access data authenticity indicator to the access point. Based on the authenticity indicator, the access
  • the system may be configured to effectuate periodic, transactional or a number of other types of re-authentication 663 to ensure user authenticity beyond the initial authentication.
  • the system may be configured to re-request the access identifier that is associated with a media authentication application at certain intervals after the access point has cleared the initial authentication process 330-363.
  • the system may be configured to request the access identifier as part of each communication or transaction between the access point and the system. In some implementations the request does not necessarily have to be transmitted with each communication; it may, for example, be transmitted with every fifth communication. In further implementations, the request may be transmitted at random intervals to ensure that the initially authenticated access point is still a viable access point.
  • the re-authentication request may be configured to request data beyond the access identifier associated with the media initiated authentication application.
  • the request may be configured to also re-request user identifying information 354 (e.g., user ID, password, PIN, token data or any other types of authentication data).
  • the requests for user identifying information 354 and an access identifier 336 may be made as part of the same request or made independently.
  • the request types may be alternated (or randomly) over a certain interval to ensure that both the media authentication application and the user identifying information remain independently viable beyond the initial authentication process.
  • Fig. 3C illustrates a flow diagram of a media initiated authentication process that is configured to facilitate encrypted transactions.
  • the system user initiates a transaction application in step 372.
  • transactions may be any number of processes that require additional security elements, such as conducting an online purchase, conducting online banking, operating an ATM, operating a portable device, and/or the like.
  • encryption data is generated and distributed to the system user's terminal 366, as well as a remote transaction facilitation server 369.
  • the transaction data is prepared along with token data 381.
  • the token data may be generated as described above or in the alternative, the system user's terminal may send a request for a dynamically generated token in step 384.
  • the remote transaction server may be configured to generate and transmit a dynamic encrypted token.
  • the system user's terminal may finalize the transaction data and transmit the full package in step 390 to a remote transaction server for processing and final authentication in step 393.
  • the remote transaction server responds in step 396 with an Authentication Confirmation/Denial message that may be displayed to the system user in step 399.
  • Fig. 4 illustrates some aspects of the system associated with the generation of the nested secure access login module.
  • the process starts with the access point creating and transmitting a login/verification request to the system in step 410 (described above).
  • the system receives the login/verification request, the system identifies the access point and the type of security provisions associated with the particular access point in step 420 (this type of data may be included in one or more system databases 110 from Fig. 1).
  • certain financial institutions may implement a multi-tiered data entry access point that requires designated user input selected for example from among elements including a
  • the system then creates a login/verification module that includes various instructions for creating the particular login/verification module and forwards the instructions to the access point in step 430. Example instructions may facilitate the creation of dynamic access image generation (described below), text box element creation, and/or other resources utilized during the login/verification process.
  • the client executes the instructions transmitted by the system for constructing an access login/verification data entry form.
  • the module may include instructions for generating the modules illustrated in Figs. 5A, 5B or a different access/verification data entry form depending on the particular implementation. Executing these instructions on the client provides a first layer of security for the nested security access procedure.
  • Fig. 5A illustrates an example of an access/verification data entry form wherein a customer's username and PIN 510 are requested. These elements provide a second layer of security as they are selected by the customer and assumed to be known only by the customer. Another level of security is added to the NSA process with regard to password 520.
  • the password element of the NSA modules includes at least two parts, the first is a dynamic password display image 520, 525 and the second relates to dynamic image selection input.
  • the access/verification data entry form includes a password selection display 520, the displayed dynamic password images 525, and text data entry box 530.
  • Another layer of security is provided specifically with regard to the generation and display of the displayed dynamic password images 525. More specifically, the display image includes a series of
  • each password component image 525 is displayed in a random sequence.
  • the number of images corresponding to non-password characters (i.e., in Fig. 5A the user's password is "dogs425", so the non-password characters include 0, f, 7, 9, and Z) may vary depending on the implementation. It is to be understood that the values of the non-password characters may also be randomly generated.
  • an implementation generates the non-password characters in accordance with module instructions to include more numerals than letters (or more letters than numerals) based on the component make-up of the user-designated password.
  • the next level of security relates to the character images, themselves.
  • characters 525 are individual images that are not necessarily correlated to text for entry in the text box 530.
  • the black circles are simply representative placeholders that assist a user in determining how many elements of the password have been selected.
  • the user may choose between manually typing the elements as in step 450 or simply selecting (e.g., clicking on) the images in the order of the user designated password as in step 455 (e.g., the user would click on the image for "d" followed by "o" and then "g" and so on) until the full password has been entered.
  • the data is transmitted for verification in step 460.
  • Fig. 5B illustrates a similar embodiment of the access request data entry form, but also includes a token entry text box. Similar to the method for image selection, instead of typing the token elements into the text box 570, a token display image may be generated, wherein the system user selects various token elements from among a series of characters/symbols displayed to the user 560. In some implementations of the system, the system user's login module data may be encrypted before it is sent back to the system for authentication.
  • Figs. 5C-5J illustrate other examples of an access/verification data entry form wherein a customer's username 5100, PIN 5105, and a password or combination code are requested. Some implementations may also require a user to input token data in addition to username, PIN, and password information to further bolster secure access.
  • a virtual combination lock interface 575 is employed, allowing the user to specify a code by turning the combination lock knob to the appropriate number and clicking the "ADD" button 580 to populate a code field 590.
  • This illustrative implementation is also equipped with a "CLEAR" button to clear the contents of the code field 590, as well as a "SUBMIT" button 595, to submit the entered code.
  • this implementation produces an open lock graphic 5110, an acceptance message 5115, and grants access to the user.
  • the pattern of knob turning is itself a component of the code, similar to the operation of many actual padlocks and/or combination locks. For example, the system may require the user to turn the knob one full turn counterclockwise, followed by turning to the first number in a clockwise direction, the second number in a counterclockwise direction, and so forth.
  • slider widgets 5120 are employed to allow the user to enter and submit 5125 a combination code.
  • a widget similar to a briefcase combination lock 5130 is employed, wherein the user sets the code by turning a series of dials to achieve a particular configuration.
  • This illustrative implementation is also equipped with a "RESET" button 5135 to bring the dials back to an initial position, and a "SUBMIT" button to submit the entry for consideration by the system.
  • a collection of character and/or symbol tiles 5145 is displayed, allowing a user to select the appropriate tiles to complete their code and/or password.
  • tiles may be dragged and dropped on a code field 5150, leaving behind empty spaces 5155 in the tile collection field.
  • a completed code 5160 may then be submitted using a "SUBMIT" button 5165.
  • the code field may be populated simply by clicking on the tiles rather than dragging and dropping them.
  • the tiles are rearranged into a proper order within their original location, rather than being moved to a separate code field.
  • Fig. 5K illustrates an example of the Login Access Denied message 5170 discussed above in the context of the flow diagram illustrated in Fig. 3B. Specifically, the message indicates that the system user should initiate media authentication. As discussed
  • Fig. 6 illustrates an access/verification data authentication process associated with an embodiment of the NSA system.
  • the system receives the login/verification module data for authentication in step 600.
  • the first authentication step 610 involves determining what type of system user data has been submitted by the system user. For example, the system user may submit typed text password data 620, clicked password data 630 and/or token data submission 640. After the data type determination has been conducted, the system accesses system databases 1 10 (from Fig. 1) to execute the actual authentication of a system user submission that has been correlated stored user access/verification data 650. The system may effectuate authentication by comparing the sequence of selected figures, with the stored sequences of figures designated by the system user as a password 660; and/or conducting a token data verification 670, if necessary.
  • once the login module access/verification data has been authenticated, the NSA system 100 generates and transmits an authenticity indicator back to the access point in step 680.
  • the authenticity indicator effectively indicates whether the system user should be allowed to proceed beyond the access point (i.e., whether the user's identity has been properly authenticated).
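The Fig. 6 flow (steps 610 through 680), written out as an added example; this is not code from the patent, and it makes assumptions the page does not: submissions arrive as dicts with a "kind" of "text", "clicked" or "token"; the access/authentication record holds only salted PBKDF2 hashes of the typed password and of the ordered figure sequence (the page does not say how stored sequences are protected); and token data is an HMAC over a server-issued challenge keyed with a per-user token secret. The database is an in-memory dict constructed here.

```python
"""Authentication dispatch for the Fig. 6 flow (added example, not the patent's code)."""
import hashlib
import hmac
import os
import secrets
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumed work factor


def derive(secret_bytes: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret_bytes, salt, PBKDF2_ROUNDS)


def encode_sequence(figures) -> bytes:
    # Canonical encoding of an ordered figure sequence: order is part of the secret.
    return "\x1f".join(str(f) for f in figures).encode()


def enroll(password: str, figure_sequence, token_secret: bytes) -> dict:
    # Only salted hashes reach the stored record; raw values are never kept (assumption).
    salt_text, salt_fig = os.urandom(16), os.urandom(16)
    return {
        "text_salt": salt_text,
        "text_hash": derive(password.encode(), salt_text),
        "figure_salt": salt_fig,
        "figure_hash": derive(encode_sequence(figure_sequence), salt_fig),
        "token_secret": token_secret,
    }


def issue_challenge() -> bytes:
    # Fresh per-login challenge; a token response is only valid for the challenge it answers.
    return secrets.token_bytes(16)


def token_response(token_secret: bytes, challenge: bytes) -> bytes:
    # What the user's token computes (assumed scheme, not one the page specifies).
    return hmac.new(token_secret, challenge, hashlib.sha256).digest()


def classify(submission: dict) -> str:
    # Step 610: decide which kind of data was submitted (620 text, 630 clicked, 640 token).
    kind = submission.get("kind")
    if kind not in ("text", "clicked", "token"):
        raise ValueError("unknown submission type")
    return kind


def authenticate(db: dict, user: str, submission: dict,
                 challenge: Optional[bytes] = None) -> dict:
    """Steps 650-680: fetch the stored record, compare, return an authenticity indicator."""
    kind = classify(submission)
    record = db.get(user)
    unknown = record is None
    if unknown:
        # Run the same work on a dummy record so timing does not reveal valid usernames.
        record = enroll("", [], b"\x00" * 32)

    if kind == "text":
        candidate = derive(submission["value"].encode(), record["text_salt"])
        ok = hmac.compare_digest(candidate, record["text_hash"])
    elif kind == "clicked":
        # Step 660: the selected figures, in order, against the designated sequence.
        candidate = derive(encode_sequence(submission["value"]), record["figure_salt"])
        ok = hmac.compare_digest(candidate, record["figure_hash"])
    else:
        # Step 670: token verification against the challenge this login was issued.
        if challenge is None:
            ok = False
        else:
            expected = token_response(record["token_secret"], challenge)
            ok = hmac.compare_digest(expected, submission["value"])

    # Step 680: the indicator the access point receives.
    return {"user": user, "authenticated": bool(ok and not unknown), "method": kind}


if __name__ == "__main__":
    db = {"alice": enroll("correct horse", ["dog", 3, "star"], b"k" * 32)}
    print(authenticate(db, "alice", {"kind": "clicked", "value": ["dog", 3, "star"]}))
```

Every comparison goes through `hmac.compare_digest`, and a missing user still costs one PBKDF2 derivation, so neither the response nor its timing distinguishes "no such user" from "wrong password"; the access point only ever sees the indicator.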
  • Fig. 7 of the present disclosure illustrates inventive aspects of a Nested Security Access (NSA) controller 701 in a block diagram.
  • the NSA controller 701 may serve to process, store, search, serve, identify, instruct, generate, match, and/or update access/authentication data, dynamic image and dynamic token generation/verification data, encryption data, and/or other related data.
  • users which may be people and/or other systems, engage information technology systems (e.g., commonly computers) to facilitate information processing.
  • computers employ processors to process information; such processors are often referred to as central processing units (CPU).
  • a common form of processor is referred to as a microprocessor.
  • a computer operating system which, typically, is software executed by CPU on a computer, enables and facilitates users to access and operate computer information technology and resources.
  • NSA controller 701 may be connected to and/or communicate with entities such as, but not limited to: one or more users from user input devices 712A; peripheral devices 712C; a cryptographic processor device 728; and/or a communications network 713.
  • Networks are commonly thought to comprise the interconnection and interoperation of clients, servers, and intermediary nodes in a graph topology.
  • server refers generally to a computer, other device, software, or combination thereof that processes and responds to the requests of remote users across a communications network. Servers serve their information to requesting "clients.”
  • client refers generally to a computer, other device, software, or combination thereof that is capable of processing and making requests and obtaining and processing any responses from servers across a communications network.
  • a computer, other device, software, or combination thereof that facilitates, processes information and requests, and/or furthers the passage of information from a source user to a destination user is commonly referred to as a "node.”
  • Networks are generally thought to facilitate the transfer of information from source points to destinations.
  • a node specifically tasked with furthering the passage of information from a source to a destination is commonly called a "router.”
  • There are many forms of networks such as Local Area Networks (LANs), Pico networks, Wide Area Networks (WANs), Wireless Local Area Networks (WLANs), etc.
  • the Internet is generally accepted as being an interconnection of a multitude of networks whereby remote clients and servers may access and interoperate with one another.
  • the NSA controller 701 may be based on common computer systems that may comprise, but are not limited to, components such as: a computer systemization 702 connected to memory 723.
  • a computer systemization may comprise a clock 730, a central processing unit (CPU) 703, read only memory (ROM) 706, random access memory (RAM) 705, and/or an interface bus 707, which most frequently, although not necessarily, are all interconnected and/or communicating through a system bus 704.
  • the computer systemization may be connected to an internal power source 786.
  • a cryptographic processor 726 may be connected to the system bus.
  • the system clock typically has a crystal oscillator and provides a base signal.
  • the clock is typically coupled to the system bus and various clock multipliers that will increase or decrease the base operating frequency for other components interconnected in the computer systemization.
  • the clock and various components in a computer systemization drive signals embodying information throughout the system. Such transmission and reception of signals embodying information throughout a computer systemization may be commonly referred to as communications.
  • communicative signals may further be transmitted, received, and the cause of return and/or reply signal communications beyond the instant computer systemization to: communications networks, input devices, other computer systemizations, peripheral devices, and/or the like.
  • communications networks may be connected directly to one another, connected to the CPU, and/or organized in numerous variations employed as exemplified by various computer systems.
  • the CPU comprises at least one high-speed data processor adequate to execute program modules for executing user and/or system-generated requests.
  • the CPU may be a microprocessor such as AMD's Athlon, Duron and/or Opteron; IBM and/or Motorola's PowerPC; Intel's Celeron, Itanium, Pentium, Xeon, and/or XScale; and/or the like processor(s).
  • the CPU interacts with memory through signal passing through conductive conduits to execute stored program code according to conventional data processing techniques. Such signal passing facilitates communication within the Nested Security Access
  • the power source 786 may be of any standard form for powering small electronic circuit board devices such as the following power cells: alkaline, lithium hydride, lithium ion, nickel cadmium, solar cells, and/or the like. Other types of AC or DC power sources may be used as well. In the case of solar cells, in one embodiment, the case provides an aperture through which the solar cell may capture photonic energy.
  • the power cell 786 is connected to at least one of the interconnected subsequent components of the Nested Security Access thereby providing an electric current to all subsequent components.
  • the power source 786 is connected to the system bus component 704.
  • an outside power source 786 is provided through a connection across the I/O 708 interface. For example, a USB and/or IEEE 1394 connection carries both data and power across the connection and is therefore a suitable source of power.
  • Interface bus(ses) 707 may accept, connect, and/or communicate to a number of interface adapters, conventionally although not necessarily in the form of adapter cards, such as but not limited to: input output interfaces (I/O) 708, storage interfaces 711, network interfaces 710, and/or the like.
  • cryptographic processor interfaces 727 similarly may be connected to the interface bus.
  • the interface bus provides for the communications of interface adapters with one another as well as with other components of the computer systemization.
  • Interface adapters are adapted for a compatible interface bus. Interface adapters conventionally connect to the interface bus via a slot architecture. Conventional slot architectures may be employed, such as, but not limited to: Accelerated Graphics Port (AGP), Card Bus, (Extended) Industry Standard Architecture ((E)ISA), Micro Channel Architecture (MCA), NuBus, Peripheral Component Interconnect (Extended) (PCI(X)), PCI Express, Personal Computer Memory Card International Association (PCMCIA), and/or the like.
  • Storage interfaces 711 may accept, communicate, and/or connect to a number of storage devices such as, but not limited to: storage devices 714, removable disc devices, and/or the like.
  • Storage interfaces may employ connection protocols such as, but not limited to: (Ultra) (Serial) Advanced Technology Attachment (Packet Interface) ((Ultra) (Serial) ATA(PI)), (Enhanced) Integrated Drive Electronics ((E)IDE), Institute of Electrical and Electronics Engineers (IEEE) 1394, Fibre Channel, Small Computer Systems Interface (SCSI), Universal Serial Bus (USB), and/or the like.
  • Network interfaces 710 may accept, communicate, and/or connect to a communications network 713.
  • the Nested Security Access controller is accessible through remote clients (e.g., computers with web browsers) by users.
  • Network interfaces may employ connection protocols such as, but not limited to: direct connect, Ethernet (thick, thin, twisted pair 10/100/1000 Base T, and/or the like), Token Ring, wireless connection such as IEEE 802.11a-x, and/or the like.
  • a communications network may be any one and/or the combination of the following: a direct interconnection; the Internet; a Local Area Network (LAN); a Metropolitan Area Network (MAN); an Operating Missions as Nodes on the Internet (OMNI); a secured custom connection; a Wide Area Network (WAN); a wireless network (e.g., employing protocols such as Wireless Application Protocol (WAP), I-mode, and/or the like); and/or the like.
  • a network interface may be regarded as a specialized form of an input output interface.
  • multiple network interfaces 710 may be used to engage with various communications network types 713. For example, multiple network interfaces may be employed to allow for the communication over broadcast, multicast, and/or uni-cast networks.
  • Input Output interfaces (I/O) 708 may accept, communicate, and/or connect to user input devices 712A, peripheral devices 712C, cryptographic processor devices 728, and/or the like.
  • I/O may employ connection protocols such as, but not limited to: Apple Desktop Bus (ADB); Apple Desktop Connector (ADC); audio: analog, digital, monaural, RCA, stereo, and/or the like; IEEE 1394a-b; infrared; joystick; keyboard; MIDI; optical; PC AT; PS/2; parallel; radio; serial; USB; video interface: BNC, coaxial, composite, digital, Digital Visual Interface (DVI), RCA, RF antennae, S-Video, VGA, and/or the like; wireless; and/or the like.
  • a common output device 712C is a television set, which accepts signals from a video interface.
  • a video display, which typically comprises a Cathode Ray Tube (CRT) or Liquid Crystal Display (LCD) based monitor, accepts signals from the video interface.
  • the video interface composites information generated by a computer systemization and generates video signals based on the composited information in a video memory frame.
  • the video interface provides the composited video information through a video connection interface that accepts a video display interface (e.g., an RCA composite video connector accepting an RCA composite video cable; a DVI connector accepting a DVI display cable, etc.).
  • User input devices 712A may be card readers, dongles, finger print readers, gloves, graphics tablets, joysticks, keyboards, mouse (mice), remote controls, retina readers, trackballs, trackpads, and/or the like.
  • Peripheral devices 712C may be connected and/or communicate to I/O and/or other facilities of the like such as network interfaces, storage interfaces, and/or the like.
  • Peripheral devices may be audio devices, cameras, dongles (e.g., for copy protection, ensuring secure transactions with a digital signature, and/or the like), external processors (for added functionality), goggles, microphones, monitors, network interfaces, printers, scanners, storage devices, video devices, video sources, visors, and/or the like.
  • the Nested Security Access controller may be embodied as an embedded, dedicated, and/or monitor-less (i.e., headless) device, wherein access would be provided over a network interface connection.
  • Cryptographic units such as, but not limited to, microcontrollers, processors 726, interfaces 727, and/or devices 728 may be attached, and/or communicate with the
  • a MC68HC16 microcontroller commonly manufactured by Motorola Inc., may be used for and/or within cryptographic units. Equivalent microcontrollers and/or processors may also be used.
  • the MC68HC16 microcontroller utilizes a 16-bit multiply-and-accumulate instruction in the 16 MHz configuration and requires less than one second to perform a 512-bit RSA private key operation. (That figure is a throughput benchmark, not a key-size recommendation: 512-bit RSA moduli have been publicly factored since 1999 and offer no meaningful security.)
  • Cryptographic units support the authentication of communications from interacting agents, as well as allowing for anonymous transactions.
  • Cryptographic units may also be configured as part of
  • any mechanization and/or embodiment allowing a processor to affect the storage and/or retrieval of information is regarded as memory 723.
  • memory is a fungible technology and resource, thus, any number of memory embodiments may be employed in lieu of or in concert with one another.
  • the Nested Security Access controller and/or a computer systemization may employ various forms of memory 723.
  • a computer systemization may be configured wherein the functionality of on-chip CPU memory (e.g., registers), RAM, ROM, and any other storage devices are provided by a paper punch tape or paper punch card mechanism; of course such an embodiment would result in an extremely slow rate of operation.
  • memory 723 will include ROM 706, RAM 705, and a storage device 714.
  • a storage device 714 may be any conventional computer system storage. Storage devices may include a drum; a (fixed and/or removable) magnetic disk drive; a magneto-optical drive; an optical drive (e.g., CD-ROM/RAM, Recordable (CD-R), Rewritable (CD-RW), DVD-R/RW, etc.); and/or other devices of the like.
  • a computer systemization generally requires and makes use of memory.
  • the memory 723 may contain a collection of program and/or database modules and/or data such as, but not limited to: operating system module(s) 715 (operating system); information server module(s) 716 (information server); user interface module(s) 717 (user interface); Web browser module(s) 718 (Web browser); NSA database(s) 720; cryptographic server module(s) 719 (cryptographic server); the Nested Security Access module(s) 725; and/or the like (i.e., collectively a module collection).
  • These modules may be stored and accessed from the storage devices and/or from storage devices accessible through an interface bus.
  • although non-conventional software modules such as those in the module collection are typically stored in a local storage device 714, they may also be loaded and/or stored in memory such as: peripheral devices, RAM, remote storage facilities through a communications network, ROM, various forms of memory, and/or the like.
  • the operating system module 715 is executable program code facilitating the operation of the Nested Security Access controller. Typically, the operating system facilitates access of I/O, network interfaces, peripheral devices, storage devices, and/or the like.
  • the operating system may be a highly fault tolerant, scalable, and secure system such as Apple Macintosh OS X (Server), AT&T Plan 9, Be OS, Linux, Unix, and/or the like operating systems. However, more limited and/or less secure operating systems also may be employed such as Apple Macintosh OS, Microsoft DOS, Palm OS, Windows
  • An operating system may communicate to and/or with other modules in a module collection, including itself, and/or the like. Most frequently, the operating system communicates with other program modules, user interfaces, and/or the like. For example, the operating system may contain, communicate, generate, obtain, and/or provide program module, system, user, and/or data communications, requests, and/or responses. The operating system, once executed by the CPU, may enable the interaction with communications networks, data, I/O, peripheral devices, program modules, memory, user input devices, and/or the like.
  • the operating system may provide communications protocols that allow the Nested Security Access controller to communicate with other entities through a communications network 713.
  • Various communication protocols may be used by the Nested Security Access controller as a subcarrier transport mechanism for interaction, such as, but not limited to: multicast, TCP/IP, UDP, unicast, and/or the like.
  • An information server module 716 is stored program code that is executed by the CPU.
  • the information server may be a conventional Internet information server such as, but not limited to, Apache Software Foundation's Apache, Microsoft's Internet Information Server, and/or the like.
  • the information server may allow for the execution of program modules through facilities such as Active Server Page (ASP), ActiveX, (ANSI) (Objective-) C (++), C#, Common Gateway Interface (CGI) scripts, Java, JavaScript, Practical Extraction and Report Language (Perl), Python, WebObjects, and/or the like.
  • the information server may support communications protocols such as, but not limited to, File Transfer Protocol (FTP) and Hyper Text Transfer Protocol (HTTP), as well as secure protocols such as Secure Hypertext Transfer Protocol (HTTPS) over Secure Socket Layer (SSL), and/or the like. Note that plain FTP and HTTP carry credentials in cleartext; the login/verification module data submitted to the access point should be accepted only over HTTPS (or the TLS successor to SSL).
  • the information server provides results in the form of Web pages to Web browsers, and allows for the manipulated generation of the Web pages through interaction with other program modules.
  • the information server resolves requests for information at specified locations on the Nested Security Access controller based on the remainder of the HTTP request. For example, for a request such as http://123.124.125.126/myInformation.html, the host portion "123.124.125.126" identifies the information server at that IP address (a hostname in that position would first be resolved to an IP address by a Domain Name System (DNS) server), and the path portion selects the resource at that IP
  • An information server may communicate to and/or with other modules in a module collection, including itself, and/or facilities of the like. Most frequently, the information server communicates with the Nested Security Access database 720, operating systems, other program modules, user interfaces, Web browsers, and/or the like.
  • Access to the Nested Security Access database may be achieved through a number of database bridge mechanisms, such as scripting languages (e.g., CGI) and inter-application communication channels (e.g., CORBA, WebObjects, etc.). Any data requests through a Web browser are parsed through the bridge mechanism into appropriate grammars as required by the Nested Security Access controller.
  • the information server would provide a Web form accessible by a Web browser. Entries made into supplied fields in the Web form are tagged as having been entered into the particular fields, and parsed as such. The entered terms are then passed along with the field tags, which act to instruct the parser to generate queries directed to appropriate tables and/or fields.
  • the parser may generate queries in standard SQL by instantiating a search string with the proper join/select commands based on the tagged text entries, wherein the resulting command is provided over the bridge mechanism to the Nested Security Access controller as a query. A bridge built this way must never splice the entered terms into the search string: the field tags should be checked against an allow-list of table and column names, and the entered values bound as query parameters, or any entry the user types becomes SQL (injection) against the access/authentication tables.
  • the results are passed over the bridge mechanism, and may be parsed for formatting and generation of a new results Web page by the bridge mechanism.
  • Such a new results Web page is then provided to the information server, which may supply it to the requesting Web browser.
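The bridge described above, as an added example rather than code from the patent: the same tagged form entries are run through a query built by string instantiation and through a parameterized query, against an in-memory SQLite table constructed here. The page names an access/authentication table 720a but gives no schema, so the table and column names, the field-tag allow-list and the sample rows are assumptions.

```python
"""Form-to-SQL bridge: string-instantiated query versus bound parameters (added example)."""
import sqlite3

# Field tag from the Web form -> column it is allowed to address (assumed names).
ALLOWED_FIELDS = {"username": "username", "user_id": "user_id"}


def setup_db() -> sqlite3.Connection:
    # Constructed stand-in for access/authentication table 720a.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access_authentication ("
        "user_id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO access_authentication VALUES (?, ?, ?)",
        [(1, "alice", "hash-a"), (2, "bob", "hash-b"), (3, "carol", "hash-c")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, tagged_entries: dict) -> list:
    # The bridge taken literally: tags and entered terms are instantiated into the
    # search string, so whatever the user typed is executed as SQL.
    clauses = " AND ".join(f"{tag} = '{value}'" for tag, value in tagged_entries.items())
    sql = f"SELECT user_id, username FROM access_authentication WHERE {clauses}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, tagged_entries: dict) -> list:
    # Tags select a column, so they cannot be bound; they go through an allow-list.
    # Values are always bound as parameters and never touch the SQL text.
    clauses, params = [], []
    for tag, value in tagged_entries.items():
        column = ALLOWED_FIELDS.get(tag)
        if column is None:
            raise ValueError(f"unknown field tag: {tag!r}")
        clauses.append(f"{column} = ?")
        params.append(value)
    sql = "SELECT user_id, username FROM access_authentication WHERE " + " AND ".join(clauses)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = setup_db()
    hostile = {"username": "x' OR '1'='1"}
    print("unsafe:", lookup_unsafe(db, hostile))   # every row comes back
    print("safe:  ", lookup_safe(db, hostile))     # no user is literally named that
```

The hostile entry turns the instantiated clause into `username = 'x' OR '1'='1'`, which matches every row in the table; with binding the same string is compared as a value and matches nothing, and a tag that is not in the allow-list is rejected before any SQL is built.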
  • an information server may contain, communicate, generate, obtain, and/or provide program module, system, user, and/or data communications, requests, and/or responses.
  • a user interface module 717 is stored program code that is executed by the CPU.
  • the user interface may be a conventional graphical user interface (GUI) as provided by, with, and/or atop operating systems and/or operating environments such as Apple Macintosh OS (e.g., Aqua), Microsoft Windows (NT/XP), the Unix X Window System (KDE, GNOME, and/or the like), MythTV, and/or the like.
  • the user interface may allow for the display, execution, interaction, manipulation, and/or operation of program modules and/or system facilities through textual and/or graphical facilities.
  • the user interface provides a facility through which users may
  • a user interface may communicate to and/or with other modules in a module collection, including itself, and/or facilities of the like. Most frequently, the user interface communicates with operating systems, other program modules, and/or the like.
  • the user interface may contain, communicate, generate, obtain, and/or provide program module, system, user, and/or data communications, requests, and/or responses.
  • a Web browser module 718 is stored program code that is executed by the CPU.
  • the Web browser may be a conventional hypertext viewing application such as Microsoft Internet Explorer or Netscape Navigator. Secure Web browsing may be supplied with 128-bit (or greater) encryption by way of HTTPS, SSL, and/or the like. Some Web browsers allow for the execution of program modules through facilities such as Java, JavaScript, ActiveX, and/or the like. Web browsers and like information access tools may be integrated into PDAs, cellular telephones, and/or other mobile devices. A Web browser may communicate to and/or with other modules in a module collection, including itself, and/or facilities of the like.
  • the Web browser communicates with information servers, operating systems, integrated program modules (e.g., plug-ins), and/or the like; e.g., it may contain, communicate, generate, obtain, and/or provide program module, system, user, and/or data communications, requests, and/or responses.
  • a combined application may be developed to perform similar functions of both. The combined application would similarly affect the obtaining and the provision of information to users, user agents, and/or the like from the Nested Security Access enabled nodes, and may be nugatory on systems employing standard Web browsers.
  • a cryptographic server module 719 is stored program code that is executed by the CPU 703, cryptographic processor 726, cryptographic processor interface 727, cryptographic processor device 728, and/or the like.
  • Cryptographic processor interfaces will allow for expedition of encryption and/or decryption requests by the cryptographic module; however, the cryptographic module, alternatively, may run on a conventional CPU.
  • the cryptographic module allows for the encryption and/or decryption of provided data.
  • the cryptographic module allows for both symmetric and asymmetric (e.g., Pretty Good Privacy (PGP)) encryption.
  • the cryptographic module may employ cryptographic techniques such as, but not limited to: digital certificates (e.g., X.509 authentication framework), digital signatures, dual signatures, enveloping, password access protection, public key management, and/or the like.
  • the cryptographic module will facilitate numerous (encryption and/or decryption) security protocols such as, but not limited to: checksum, Data Encryption Standard (DES), Elliptic Curve Cryptography (ECC), International Data Encryption Algorithm (IDEA), Message Digest 5 (MD5, which is a one way hash function), passwords, Rivest Cipher (RC5), Rijndael (AES), RSA (which is an Internet encryption and authentication system that uses an algorithm developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman), Secure Hash Algorithm (SHA), Secure Socket Layer (SSL), Secure Hypertext Transfer Protocol (HTTPS), and/or the like. Of these, single DES (56-bit key) and MD5 (practical collisions) are no longer considered secure, and SSL has been superseded by TLS; a current deployment would use AES, SHA-2 and TLS.
  • the Nested Security Access may encrypt all incoming and/or outgoing communications and may serve as a node within a virtual private network (VPN)
  • the cryptographic module facilitates the process of "security authorization" whereby access to a resource is inhibited by a security protocol wherein the cryptographic module effects authorized access to the secured resource.
  • the cryptographic module may provide unique identifiers of content, e.g., employing an MD5 hash to obtain a fingerprint for a digital audio file. Because MD5 is not collision resistant, two different files can be made to share an MD5 fingerprint; where uniqueness must hold against an adversary, a SHA-2 hash such as SHA-256 should be used instead.
  • a cryptographic module may communicate to and/or with other modules in a module collection, including itself, and/or facilities of the like.
  • the cryptographic module supports encryption schemes allowing for the secure transmission of information across a communications network to enable the Nested Security Access module to engage in secure transactions if so desired.
  • the cryptographic module facilitates the secure accessing of resources on the Nested Security Access controller and facilitates the access of secured resources on remote systems; i.e., it may act as a client and/or server of secured resources. Most frequently, the cryptographic module communicates with information servers, operating systems, other program modules, and/or the like.
  • the cryptographic module may contain, communicate, generate, obtain, and/or provide program module, system, user, and/or data communications, requests, and/or responses.
  • the Nested Security Access database module 720 may be embodied in a database and its stored data.
  • the database is stored program code, which is executed by the CPU; the stored program code portion configuring the CPU to process the stored data.
  • the database may be a conventional, fault tolerant, relational, scalable, secure database such as Oracle or Sybase. Relational databases are an extension of a flat file. Relational databases consist of a series of related tables. The tables are interconnected via a key field. Use of the key field allows the combination of the tables by indexing against the key field; i.e., the key fields act as dimensional pivot points for combining information from various tables.
  • Relationships generally identify links maintained between tables by matching primary keys.
  • Primary keys represent fields that uniquely identify the rows of a table in a relational database. More precisely, they uniquely identify rows of a table on the "one" side of a one- to-many relationship.
  • the Nested Security Access database may be implemented using various standard data-structures, such as an array, hash, (linked) list, struct, structured text file (e.g., XML), table, and/or the like. Such data-structures may be stored in memory and/or in (structured) files.
  • an object-oriented database may be used, such as Frontier, ObjectStore, Poet, Zope, and/or the like.
  • Object databases can include a number of object collections that are grouped and/or linked together by common attributes; they may be related to other object collections by some common attributes. Object-oriented databases perform similarly to relational databases with the exception that objects are not just pieces of data but may have other types of functionality encapsulated within a given object.
  • when the Nested Security Access database is implemented as a data-structure, the use of the Nested Security Access database 720 may be integrated into another module such as the Nested Security Access module 725. Also, the database may be implemented as a mix of data structures, objects, and relational structures. Databases may be consolidated and/or distributed in countless variations through standard data processing techniques. Portions of databases, e.g., tables, may be exported and/or imported and thus decentralized and/or integrated.
  • the NSA database module 720 includes several tables
  • An access/authentication table 720a includes fields related to authenticating user access and/or user identification data.
  • a dynamic image generation/verification data table 720b includes data related to the generated randomized password element information, as well as to the verification processes.
  • a dynamic token generation/verification table 720c includes fields that are used to both generate/verify the selected dynamic token data.
  • An encryption data table 720d includes fields related to the encryption process.
  • the Nested Security Access database may interact with other database systems.
  • user programs may contain various user interface primitives, which may serve to update the Nested Security Access system. Also, various accounts may require custom database tables depending upon the environments and the types of clients the Nested Security Access system may need to serve.
  • any unique fields may be designated as a key field throughout.
  • these tables have been decentralized into their own databases and their respective database controllers (i.e., individual database controllers for each of the above tables).
  • one may further distribute the databases over several computer systemizations and/or storage devices.
  • configurations of the decentralized database controllers may be varied by consolidating and/or distributing the various database modules 720a-d.
  • the nested security access controller may be configured to keep track of various settings, inputs, and parameters via database controllers.
  • the Nested Security Access database may communicate to and/or with other modules in a module collection, including itself, and/or facilities of the like. Most frequently, the Nested Security Access database communicates with the Nested Security Access module 725. The database may contain, retain, and provide information regarding other nodes and data.
  • the Nested Security Access control module 725 is stored program code that is executed by the CPU.
  • the Nested Security Access control module affects accessing, obtaining and the provision of information, services, transactions, and/or the like across various communications networks, as well as creating and facilitating the nested secure modules as discussed above.
  • the Nested Security Access module, which enables access of information between nodes, may be developed by employing standard development tools such as, but not limited to: (ANSI) (Objective-) C (++), Apache modules, binary executables, database adapters, Java, JavaScript, mapping tools, procedural and object oriented development tools, Perl, Python, shell scripts, SQL commands, web application server extensions, WebObjects, and/or the like.
  • the Nested Security Access server employs a cryptographic server to encrypt and decrypt communications.
  • the Nested Security Access module may communicate to and/or with other modules in a module collection, including itself, and/or facilities of the like. Most frequently, the Nested Security Access module communicates with the Nested Security Access database, operating systems, other program modules, and/or the like.
  • the Nested Security Access system may contain, communicate, generate, obtain, and/or provide program module, system, user, and/or data communications, requests, and/or responses.
  • the structure and/or operation of any of the Nested Security Access node controller components may be combined, consolidated, and/or distributed in any number of ways to facilitate development and/or deployment.
  • the module collection may be combined in any number of ways to facilitate deployment and/or development. To accomplish this, one may integrate the components into a common code base or in a facility that can dynamically load the components on demand in an integrated fashion.
  • the module collection may be consolidated and/or distributed in countless variations through standard data processing and/or development techniques. Multiple instances of any one of the program modules in the program module collection may be instantiated on a single node, and/or across numerous nodes to improve performance through load-balancing and/or data-processing techniques. Furthermore, single instances may also be distributed across multiple controllers and/or storage devices; e.g., databases. All program module instances and controllers working in concert may do so through standard data processing communication techniques.
  • the configuration of the Nested Security Access controller will depend on the context of system deployment. Factors such as, but not limited to, the budget, capacity, location, and/or use of the underlying hardware resources may affect deployment requirements and configuration. Regardless of whether the configuration results in more consolidated and/or integrated program modules, in a more distributed series of program modules, or in some combination of a consolidated and a distributed configuration, data may be communicated, obtained, and/or provided. Instances of modules consolidated into a common code base from the program module collection may communicate, obtain, and/or provide data.
  • where module collection components are discrete, separate, and/or external to one another, communicating, obtaining, and/or providing data with and/or to other module components may be accomplished through inter-application data processing communication techniques such as, but not limited to: Application Program Interface (API) information passage; (Distributed) Component Object Model ((D)COM), (Distributed) Object Linking and Embedding ((D)OLE), and/or the like; Common Object Request Broker Architecture (CORBA); process pipes; shared files; and/or the like.
  • a grammar may be developed by using standard development tools such as lex, yacc, XML, and/or the like, which allow for grammar generation and parsing functionality, which in turn may form the basis of communication messages within and between modules. Again, the configuration will depend upon the context of system deployment.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention concerns a nested security access system that manages access point and verification requests in order to create a series of layered security applications intended to secure user access and identification data. The NSA system works in coordination with an access point and verification management module to generate a set of instructions in the form of a locally executable login and verification module. The login and verification module is executed by the access point and verification management module to create an access and verification data entry form for the system user. Depending on the implementation used, the access point and verification management module can be configured to accept typed-text or clicked-image access and verification data, token access and verification data, or selected-image-sequence access and verification data. During the selected-image-sequence access process, the system user chooses a series of images representing the individual elements of a password, without needing to enter the information into a data entry form.
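As an added example (not code from the patent or its assignee), one way the selected-image-sequence login described in the abstract could be verified server-side: the client reports which images were clicked, the server maps those image ids back to password elements through a grid issued for this login only, and compares against a salted hash rather than a stored sequence. The element alphabet, the per-session grid, PBKDF2 and the function names are assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed alphabet of password elements; in the design assumed here each
# element is displayed to the user as a picture (assumption, not the patent's).
ELEMENTS = ["anchor", "bell", "cat", "drum", "eagle", "fish", "guitar", "house"]


def enroll(password_elements, iterations=100_000):
    """Store only a salted PBKDF2 hash of the element sequence, never the sequence."""
    salt = os.urandom(16)
    secret = "|".join(password_elements).encode()
    digest = hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}


def issue_image_grid():
    """Per-login grid: fresh random image ids bound to the elements for this
    session only, so a recorded click sequence is not reusable later."""
    ids = [secrets.token_hex(4) for _ in ELEMENTS]
    return dict(zip(ids, ELEMENTS))


def verify_sequence(record, grid, clicked_ids):
    """Map clicked image ids back to elements via this session's grid and
    compare in constant time against the enrolled hash."""
    if any(i not in grid for i in clicked_ids):
        return False  # id was not issued in this session: stale or forged grid
    secret = "|".join(grid[i] for i in clicked_ids).encode()
    digest = hashlib.pbkdf2_hmac("sha256", secret, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def demo():
    """Correct order, wrong order, and ids replayed from a different session's grid."""
    record = enroll(["cat", "anchor", "fish"])
    grid = issue_image_grid()
    by_element = {v: k for k, v in grid.items()}
    good = [by_element[e] for e in ["cat", "anchor", "fish"]]
    wrong_order = [by_element[e] for e in ["cat", "fish", "anchor"]]
    stale = {v: k for k, v in issue_image_grid().items()}
    replay = [stale[e] for e in ["cat", "anchor", "fish"]]
    return {
        "good": verify_sequence(record, grid, good),
        "wrong_order": verify_sequence(record, grid, wrong_order),
        "replay": verify_sequence(record, grid, replay),
    }
```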
PCT/US2007/068178 2006-05-03 2007-05-03 Procédé, système et appareil d'accès/d'authentification à sécurité intégrée avec lancement des supports WO2007131131A2 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US74635006P 2006-05-03 2006-05-03
US60/746,350 2006-05-03
US11/682,751 US20070266428A1 (en) 2006-03-06 2007-03-06 Method, System, And Apparatus For Nested Security Access/Authentication
US11/682,751 2007-03-06

Publications (2)

Publication Number Publication Date
WO2007131131A2 true WO2007131131A2 (fr) 2007-11-15
WO2007131131A3 WO2007131131A3 (fr) 2008-10-09

Family

ID=38668569

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2007/068178 WO2007131131A2 (fr) 2006-05-03 2007-05-03 Procédé, système et appareil d'accès/d'authentification à sécurité intégrée avec lancement des supports

Country Status (1)

Country Link
WO (1) WO2007131131A2 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210019451A1 (en) * 2017-04-25 2021-01-21 Wildfi Pty Ltd Process and detachable device for using and managing encryption keys

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6256737B1 (en) * 1999-03-09 2001-07-03 Bionetrix Systems Corporation System, method and computer program product for allowing access to enterprise resources using biometric devices
US6934860B1 (en) * 2000-05-08 2005-08-23 Xerox Corporation System, method and article of manufacture for knowledge-based password protection of computers and other systems

Also Published As

Publication number Publication date
WO2007131131A3 (fr) 2008-10-09

Similar Documents

Publication Publication Date Title
US20080222417A1 (en) Method, System, And Apparatus For Nested Security Access/Authentication With Media Initiation
US20070266428A1 (en) Method, System, And Apparatus For Nested Security Access/Authentication
US20200304491A1 (en) Systems and methods for using imaging to authenticate online users
US10609019B2 (en) Establishing a secure channel with a human user
US10187211B2 (en) Verification of password using a keyboard with a secure password entry mode
US9032217B1 (en) Device-specific tokens for authentication
US9741033B2 (en) System and method for point of sale payment data credentials management using out-of-band authentication
US8041954B2 (en) Method and system for providing a secure login solution using one-time passwords
US7073067B2 (en) Authentication system and method based upon random partial digitized path recognition
Idrus et al. A review on authentication methods
EP2839603B1 (fr) Mots de passe uniques abstraits et randomisés pour une authentification de transaction
US7770002B2 (en) Multi-factor authentication
US10848304B2 (en) Public-private key pair protected password manager
EP3065074A1 (fr) Procédé et dispositif d'authentification d'empreintes digitales, terminal intelligent, et support de stockage informatique
EP3190770A1 (fr) Procédé d'authentification d'utilisateur présentant une sécurité améliorée
JP2009519521A (ja) トランザクション確認の方法およびシステム
JP5563951B2 (ja) 情報入力方法、情報入力システム、情報入力装置及びコンピュータプログラム
TW201544983A (zh) 資料通訊方法和系統及客戶端和伺服器
CA2611549C (fr) Methode et systeme permettant d'obtenir une ouverture de session protegee au moyen de mots de passe a usage unique
WO2007131131A2 (fr) Procédé, système et appareil d'accès/d'authentification à sécurité intégrée avec lancement des supports
CA2579826C (fr) Systeme et procede d'authentification fonde sur la reconnaissance d'un chemin numerise partiel aleatoire

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07761849

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase in:

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC.COMMUNICATION 1205A DATED:06.03.2009

122 Ep: pct application non-entry in european phase

Ref document number: 07761849

Country of ref document: EP

Kind code of ref document: A2