A SYSTEM AND METHOD FOR PROTECTION OF USER AUTHENTICATION AGAINST CAPTURE-AND-REPLAY ATTACKS

    公开(公告)号:MY177380A

    公开(公告)日:2020-09-14

    申请号:MYPI2013004482

    申请日:2013-12-12

    Abstract: The present invention relates to a system (1 00, 200) and method (300) for protection of user authentication against at least single instance of capture-and-replay attacks, by means of input and processing of user credentials on a client-side user interface (UI), and subsequent transmission to a server undertaking credential authentication. The system (100, 200) and method (300) of the present invention utilizes credentials which are context dependent as inputs into ZK integration function which is additionally applicable as an interaction in two actions: firstly, between user and trusted platform, and secondly between trusted platform and client terminal, as similarly protective of user authentication against capture-and-replay attacks. The user submits credentials as an act of authentication based on context of interest (31 0) as deemed correct by user. Optional verification of the submitted context-dependent credential (320) on the client terminal or trusted platform follows. The method (300) involves ZK integration of the context-dependent credential (330) followed by verification of the authenticator (340), such that unauthorised interception of credentials as submitted does not necessarily result in capability of intercepting party to undertake fraudulent authentication. Verification of user-to-server authentication interaction as being correct is additionally dependent on independent determination by server of context of interest, which might include specification and stratification of time and/or location of the authentication interaction. Figure 3

    METHOD FOR SECURE NETWORK ESTABLISHMENT VIA AUTHENTICATION OF SINGLE-USE PASSWORDS WITH COUNTER MEASURES AGAINST PASSWORD REPLAY

    公开(公告)号:MY169097A

    公开(公告)日:2019-02-18

    申请号:MYPI2014702902

    申请日:2014-10-01

    Applicant: MIMOS BERHAD

    Abstract: The present invention provides a method for secure network establishment, via authentication of single-use passwords, or equivalent credentials, between a plurality of nodes (602, 702) undertaking a basic embodiment (602), a hardened embodiment (702) and a mixture of both basic and hardened embodiments. In the basic embodiment, particular node is designated a trusted party (601) with the method comprising previous provision, by the trusted party (501), of a single-use public key (612, 613) for use by any node in plurality thereof to confirm present use of a single-use password or credential (621) as subject to acknowledgment (624) by the trusted party in present instance of secure connectivity; verification (631) by any node in plurality thereof of such acknowledgement; and then independent computation of a session-key (632) also by any node in plurality thereof, with which to establish present instance of secure connectivity by means of Zero-Knowledge (ZK) integration of presently applicable password; previously received single-use public-key; and further provision, by the trusted party, of a subsequent single-use public-key for use by any node in the plurality thereof to confirm use of a subsequent single-use password or credential (523), as presently unknown, for a subsequent instance of secure connectivity. In the hardened embodiment, the method further comprises reciprocal previous provision, by particular node in plurality thereof, of a single-use public-key (717, 718) for use to undertake commitment (740) prior to establishment of present instance of secure connectivity by means of Zero-Knowledge (ZK) integration of presently applicable password or credential; previously transmitted single-use public-key; fine-grained context of commitment; and further provision, by particular node undertaking commitment, of a subsequent single-use public-key to undertake commitment in relation to subsequent instance of secure connectivity. Trusted party is able, by means of undertaking verification (750) of such commitments as received from plurality of nodes, to detect replay of passwords or credentials, or alternatively misuse of node-associated private-keys, by an unauthorized node seeking to participate in present instance of secure connectivity; and thereafter to undertake sanction, on such node that had attempted replay of password or credential, or misuse of private-key.

    A SYSTEM AND METHOD FOR DUTY-SHARED AUTHENTICATED GROUP KEY TRANSPORT

    公开(公告)号:MY168771A

    公开(公告)日:2018-12-04

    申请号:MYPI2012005110

    申请日:2012-11-27

    Applicant: MIMOS BERHAD

    Abstract: A SYSTEM AND METHOD FOR SECURE COMMUNICATION OVER WIRELESS NETWORK IS PROVIDED BY UTILIZING DUTY-SHARED AUTHENTICATED GROUP KEY TRANSPORT TO ENABLE SYMMETRIC-BASED AUTHENTICATED GROUP COMMUNICATION OVER WIRELESS NETWORK. THE SYSTEM (100) INCLUDES AN INITIATOR (102) CONFIGURED TO EXECUTE A SECURE GROUP MANAGER MODULE (108) IN ANNOUNCING GROUP SESSIONS, AUTHENTICATING AND DISTRIBUTING AUTHENTICATED SESSION TOKENS. A PARTICIPANT (104) IS CONFIGURED TO EXECUTED A SECURE GROUP HANDLER MODULE (112) IN AUTHENTICATING, RECEIVING A GROUP SESSION KEY AND JOINING SAID GROUP. A TRUSTED AUTHORITY (106) IS IN COMMUNICATION WITH THE INITIATOR (102) AND PARTICIPANT (104). THE TRUSTED AUTHORITY (106) IS CONFIGURED TO EXECUTE A SECURE GROUP ADMINISTRATOR MODULE (110) IN MEDIATING AND PROVIDING AUTHENTICATED SESSION TOKENS. THE INITIATOR HOST DOES NOT REQUIRE ANY SPECIFIC CONFIGURATION AND CAN BE ANY OF THE PARTICIPANTS. THE SECURE GROUP MANAGER MODULE GENERATES THE GROUP KEY WHILE THE SECURE GROUP ADMINISTRATOR MODULE MONITORS THE SESSION WHICH PROVIDES FOR SEPARATION OF DUTY (INITIATOR-ASSISTED). ENCRYPTION OF THE NONCE AND GROUP SESSION KEY IS PROVIDED BY UTILIZING AUTHENTICATED ENCRYPTION WITH FRESHNESS OF DYNAMIC CREDENTIAL ASSIGNMENT (SESSION IDs). THE MOST ILLUSTRATIVE DRAWING IS FIG. 1.

    METHOD AND SYSTEM FOR DYNAMIC PRIVATE MULTI-STORAGE DATA OUTSOURCING

    公开(公告)号:MY186786A

    公开(公告)日:2021-08-20

    申请号:MYPI2015702118

    申请日:2015-06-23

    Applicant: MIMOS BERHAD

    Abstract: The present invention relates to a method and system for data privacy in a scenario where a data owner (100) wishes to outsource storage of data to multiple remote data storage providers (110) in a private manner, in such a way that every data storage provider (110) only stores partial data of a document. This means no one data storage provider (110) is able to learn the content of any one or more documents outsourced among the data storage providers (110). Existing solutions mainly considered the problem of a data owner submitting storage of data to one data storage provider, for both single-keyword and conjunctive keyword searches. Given today the availability of various data storage providers, the present invention provides solution utilizing different index information in the form of tables and index query mechanisms for the case of direct segmentation and outsourcing with minimal involvement of the data storage providers (110). (Figure 1)

    SYSTEM AND METHOD FOR IDENTITY-BASED ENTITY AUTHENTICATION FOR CLIENT-SERVER COMMUNICATIONS

    公开(公告)号:MY171259A

    公开(公告)日:2019-10-07

    申请号:MYPI2012004830

    申请日:2012-11-05

    Applicant: MIMOS BERHAD

    Abstract: The invention provides a system (100) for identity-based entity authentication for client- server communications comprising: a trusted authority module (110) configured to register at least one client and at least one server involved in the client-server communications and generate public parameters and secret parameters for use in the authentication; a server module (120) configured to securely store secret parameters for the server to authenticate the server to the client, and to authenticate the client to the server; a client module (130) configured to verify the authenticity of the server and to authenticate the client to said server; and a protocol module (140) configured to provide mutual authentication between the client and the server; characterised in that the protocol module (140) provides mutual authentication between the client and the server using ID-based challenge-response protocol and that the server module (120) authenticates the client to the server using ID-based authentication.

    NON-REPUDIABLE COLLABORATIVE UPDATES OF DOCUMENT

    公开(公告)号:MY172679A

    公开(公告)日:2019-12-10

    申请号:MYPI2013002270

    申请日:2013-06-18

    Applicant: MIMOS BERHAD

    Abstract: A system for collaborative document generation comprrsrng: a document management server (102) adapted to manage document storage (101) and having an associated pair of signing and verification keys; at least two clients (104) each having a unique identifier and a pair of signing and verification keys, said verification keys of said clients being available to said document management server and to other clients; a document management module (103) adapted to receive service requests from said clients; an aggregate signature module (105) residing in said document management server; and digital signature modules (106) residing in each of said clients; wherein said aggregate signature module is adapted to sign messages using the document management server signing key by verifying signatures on messages given a signature, verification key and message; aggregating a set of signatures to produce an aggregate signature; and verifying said aggregate signature given said aggregate signature, a set of associated verification keys and a set of associated messages; and wherein said digital signature modules are adapted to: sign messages using the respective client signing keys; verify signatures and messages given a signature, verification key and message; and verify said aggregate signature given said aggregate signature, a set of associated verification keys and a set of associated messages. The most illustrative drawing is FIG. 1.0.

    SYSTEM AND METHOD FOR VERIFYING AUTHENTICITY OF A MEDIA CONTENT

    公开(公告)号:MY168873A

    公开(公告)日:2018-12-04

    申请号:MYPI2012701111

    申请日:2012-12-07

    Applicant: MIMOS BERHAD

    Abstract: The present invention relates to a system (10) for authenticating a media content comprising: a main server (1) for distributing the media content; and at least a client (3) connected to the main server (1) for receiving the media content, characterized in that the system further comprising: a verifier generator (4) operating with the main server (1) for generating key parameter values to extract source verifier data from the media content, wherein the generated key parameter values and source verifier data are sent to the client (3) for authenticating the media content; and a verifier extractor (5) operating with the client (3) for extracting client verifier data from the received media content based on the key parameter values generated by the verifier generator (4), wherein the client verifier data are compared with the source verifier data received from the main server (1) for determining the authenticity of the media content. Most illustrative drawing: Fig. 2

    A SYSTEM AND METHOD FOR PEER-TO-PEER ENTITY AUTHENTICATION WITH NEAREST NEIGHBOURS CREDENTIAL DELEGATION

    公开(公告)号:MY167516A

    公开(公告)日:2018-09-04

    申请号:MYPI2012005356

    申请日:2012-12-11

    Applicant: MIMOS BERHAD

    Abstract: A SYSTEM AND METHOD FOR PEER-TO-PEER ENTITY AUTHENTICATION WITH NEAREST NEIGHBOURS CREDENTIAL DELEGATION IS PROVIDED BY USING A HYBRID APPROACH OF PRE-SHARED SYMMETRIC KEYS ON THE USER LEVEL AND PKI ON THE PEER LEVEL. THE SYSTEM INCLUDES AN INITIATOR MODULE (108) WITHIN A TRUSTED AUTHORITY (102); SAID INITIATOR MODULE (108) IS CONFIGURED FOR REGISTERING USERS AND PEERS, GENERATING AND DISTRIBUTING PRE-SHARED KEYS TO USERS AND PEERS, WHEREIN USER SUBMITS JOB REQUEST AND OBTAINS PROCESSED RESULTS AND A PEER IS AT LEAST A VIRTUAL MACHINE; AN USER AUTHENTICATOR MODULE (114) CONFIGURED FOR MUTUALLY AUTHENTICATING USERS AND PEERS THROUGH PRE-SHARED KEYS AND CREATING AT LEAST ONE SESSION KEY FOR SECURE COMMUNICATION; A PEER AUTHENTICATOR MODULE (124) CONFIGURED FOR MUTUALLY AUTHENTICATING AT LEAST TWO PEERS THROUGH PUBLIC KEY SIGNATURE SCHEME AND CREATING A SESSION KEY FOR SECURE COMMUNICATION; A CREDENTIAL DELEGATOR MODULE (132) CONFIGURED FOR MATCHING, RETRIEVING AND PROVIDING AUTHENTICATION CREDENTIAL OF USER NOT IN THE PEER LIST TO OTHER PEERS, AND FURTHER PROVIDING USER’S SECRET KEY TRANSPORT; AND A JOB-AUTHENTICATION-DELEGATOR MODULE (128) CONFIGURED FOR MATCHING, AUTHENTICATING AND PROVIDING AUTHENTICATION CREDENTIAL FOR DELEGATING JOBS TO PEER WITH APPLICATIONS SUITABLE FOR PROCESSING JOBS. THE HYBRID AUTHENTICATION APPROACH AND AUTHENTICATED CREDENTIAL GENERATION PERMITS FLEXIBLE PEER DISCOVERY FOR DIRECT SUBMISSION OF JOBS. THE MOST ILLUSTRATIVE DRAWING IS

    NON-REPUDIABLE LOG ENTRIES FOR FILE RETRIEVEL WITH SEMI-TRUSTED SERVER

    公开(公告)号:MY166590A

    公开(公告)日:2018-07-17

    申请号:MYPI2013002055

    申请日:2013-06-05

    Applicant: MIMOS BERHAD

    Abstract: NON-REPUDIABLE LOG ENTRIES FOR FILE RETRIEVAL WITH SEMI-TRUSTED SERVER IS PROVIDED BY COERCING USER TO DIGITALLY SIGN THE LOG ENTRY ON THE EVENT THAT THE USER RETRIEVES A FILE FROM THE SERVER WHICH PREVENTS USER OR SERVER FROM INDEPENDENTLY FORGING OR MODIFYING A LOG ENTRY. THE SYSTEM (100) COMPRISING A USER INTERFACE MODULE (102A), A SERVER INTERFACE MODULE (104A), AN ASYMMETRIC ENCRYPTION MODULE (102C), A SYMMETRIC ENCRYPTION MODULE (102E), A DIGITAL SIGNATURE MODULE (102B), A COMBINER MODULE (102D), A REGISTRATION MODULE (104D) AND A LOG FILE (104G). THE ASYMMETRIC ENCRYPTION MODULE (102C) EXPLOITS KEY DUALITIES PROPERTIES BY ENCRYPTING MESSAGES USING PUBLIC KEY AND COMBINED PUBLIC KEY; AND DECRYPTING MESSAGES USING DECRYPTION KEY WHICH INCLUDES ONE SIGNATURE OR A COMBINATION OF SIGNATURES. THE METHOD OF FILE RETRIEVAL IS CONSTRUCTED SUCH THAT THE USER MUST SUBMIT THE FIRST SIGNATURE TO THE SERVER; THE USER MUST SIGN THE CORRECT LOG ENTRY RECORDING THE FILE RETRIEVAL. FURTHER, WHEN THE SERVER COMBINES THE FIRST SIGNATURE WITH ITS OWN SIGNATURE, THE COMBINATION FORMS ONLY PART OF THE DECRYPTION KEY. THE DECRYPTION KEY CAN BE COMPLETED ONLY BY USING THE USER’S SECOND SIGNING KEY WHEREBY THE SERVER CANNOT DECRYPT THE FILE AT ANY TIME. THE METHOD OF PROTECTION OF THE PRESENT INVENTION LIES IN THE COMBINATION OF SERVER’S AND USER’S DIGITAL SIGNATURES ON EVERY LOG ENTRY TO PROTECT AGAINST RECIPIENT OR USER WHO DENIES FROM RETRIEVING A FILE. THE MOST ILLUSTRATIVE DRAWING IS

Patent Agency Ranking