US008495372B2

(12) United States Patent
Bailey et al.

(10) Patent No.: US 8,495,372 B2
(45) Date of Patent: Jul. 23, 2013

(54) AUTHENTICATION METHODS AND APPARATUS USING PAIRING PROTOCOLS AND OTHER TECHNIQUES

(75) Inventors: Daniel Vernon Bailey, Pepperell, MA (US); John G. Brainard, Sudbury, MA (US); Ari Juels, Brookline, MA (US); Burton S. Kaliski, Jr., Wellesley, MA (US)

(73) Assignee: EMC Corporation, Hopkinton, MA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 1582 days.

(21) Appl. No.: 11/939,232

(22) Filed: Nov. 13, 2007

(65) Prior Publication Data
US 2008/0065892 A1, Mar. 13, 2008

Related U.S. Application Data
(63) Continuation of application No. 11/671,264, filed on Feb. 5, 2007.
(60) Provisional application No. 60/764,826, filed on Feb. 3, 2006.

(51) Int. Cl.
H04L 9/32 (2006.01)
H04L 9/00 (2006.01)
(52) U.S. Cl.
USPC 713/171; 713/172; 380/277
(58) Field of Classification Search
USPC 713/171, 168, 172, 155, 159; 380/277; 726/5, 9
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
5,347,580 A * 9/1994 Molva et al. 713/159
5,600,722 A * 2/1997 Yamaguchi et al. 713/155
5,657,388 A 8/1997 Weiss
6,085,320 A * 7/2000 Kaliski, Jr. 713/168
6,996,722 B1 * 2/2006 Fairman et al. 713/192
7,039,021 B1 5/2006 Kokudo
7,080,259 B1 * 7/2006 Nakanishi et al. 713/193
7,181,015 B2 * 2/2007 Matt 380/279
7,266,695 B2 * 9/2007 Nakayama 713/172
7,464,865 B2 * 12/2008 Brown et al. 235/380
(Continued)

OTHER PUBLICATIONS
J. Zheng et al., “Will IEEE 802.15.4 Make Ubiquitous Networking a Reality?: A Discussion on a Potential Low Power, Low Bit Rate Standard,” IEEE Communications Magazine, Topics in Emerging Technologies, Jun. 2004, pp. 140-146.
(Continued)

Primary Examiner — Zachary A Davis
(74) Attorney, Agent, or Firm — Ryan, Mason & Lewis, LLP

(57) ABSTRACT

In one aspect, a first processing device, which may be an authentication token, establishes a shared key through a pairing protocol carried out between the first processing device and a second processing device. The pairing protocol also involves communication between the second processing device and an authentication server. As part of the pairing protocol, the first processing device sends identifying information to the second processing device, and the second processing device utilizes the identifying information to obtain the shared key from the authentication server. The first processing device encrypts authentication information utilizing the shared key, and transmits the encrypted authentication information from the first processing device to the second processing device. The second processing device utilizes the shared key to decrypt the encrypted authentication information.

12 Claims, 2 Drawing Sheets

[Front-page figure: block diagram showing access point 108, computer 104 with processor 112 and memory 114, authentication token 102, and authentication server 110.]

USR Exhibit 2020, Page 1
U.S. PATENT DOCUMENTS (Continued)
7,571,489 B2 * 8/2009 Ong et al. 726/29
7,597,250 B2 * 10/2009 Finn 235/380
7,672,459 B2 * 3/2010 O’Hara et al. 380/278
7,774,611 B2 * 8/2010 Muntz et al. 713/182
7,822,209 B2 * 10/2010 Fu et al. 380/284
7,827,409 B2 * 11/2010 Fascenda 713/171
7,934,005 B2 * 4/2011 Fascenda 709/229
2004/0222878 A1 11/2004 Juels
2007/0250712 A1 * 10/2007 Salgado et al. 713/171

OTHER PUBLICATIONS (Continued)
J.-H. Hoepman, “The Ephemeral Pairing Problem,” Financial Cryptography ’04, Lecture Notes in Computer Science, 2004, pp. 1-15, Springer-Verlag.
F. Stajano et al., “The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks,” 7th International Workshop Proceedings on Security Protocols, Lecture Notes in Computer Science, 1999, pp. 1-11, vol. 1796, Springer-Verlag.
G. Itkis et al., “Intrusion-Resilient Signatures, or Towards Obsoletion of Certificate Revocation,” Advances in Cryptology, CRYPTO ’02, 2002, pp. 1-16, Springer-Verlag.
M. Jakobsson, “Fractal Hash Sequence Representation and Traversal,” Proceedings of the 2002 IEEE International Symposium on Information Theory (ISIT ’02), 2002, pp. 1-8.
D. Boneh et al., “Identity-Based Encryption from the Weil Pairing,” Lecture Notes in Computer Science: Advances in Cryptology, CRYPTO 2001, 2001, pp. 1-27.
J. Hastad et al., “Funkspiel Schemes: An Alternative to Conventional Tamper Resistance,” Seventh ACM Conference on Computer and Communications Security, 2000, 9 pages.
Microsoft Corporation, “Scanning 802.11 Networks,” Microsoft Developer Network Library, 2007, pp. 1-3.
Ensure Technologies, “XyLoc for the Healthcare Industry,” www.ensuretech.com, 2004, 5 pages.
Privaris, “plusID Universal Biometric Device,” www.privaris.com, 2006, 2 pages.
Privaris, “Achieving Universal Secure Identity Verification with Convenience and Personal Privacy,” A Privaris Business White Paper, Dec. 11, 2006, 9 pages, Version 0.1.
M. Corner, “Transient Authentication for Mobile Devices,” PhD Thesis, University of Michigan, 2003, 111 pages.
IEEE Standard 802.11, Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, 1999 Edition, 528 pages.
A.J. Menezes et al., Handbook of Applied Cryptography, CRC Press, 1997, pp. 1-780.
“RAWether for Windows, Windows Networking Architecture,” PCAUSA—Introduction to the Windows Networking Architecture, http://www.rawether.net/product/tour01.htm, 2007, 2 pages.

* cited by examiner
[Drawing Sheet 1 of 2]

FIG. 1 (one-time password system 100; labels recovered from the drawing): access point 108; computer 104 with processor 112, memory 114 and network interfaces 116; authentication token 102; authentication server.

FIG. 2 (wireless authentication token; labels recovered from the drawing): processor 200, memory 202, interface circuitry, antenna 206, control buttons 208.
[Drawing Sheet 2 of 2]

FIG. 3 (flow diagram; box labels recovered from the drawing, with reference numerals 302, 304, 306, 310 and 312 appearing on the sheet):
AUTHENTICATION TOKEN IS NORMALLY IN LOW-POWER SLEEP MODE
AUTHENTICATION TOKEN WAKES UP AND TRANSMITS FRAMES IN MANNER EMULATING A WLAN ACCESS POINT
COMPUTER RECEIVES TRANSMITTED FRAMES FROM AUTHENTICATION TOKEN
SSID INDICATES AUTHENTICATION ... (decision box; remainder of label not recovered)
FRAMES PROCESSED AS ORDINARY WLAN ACCESS POINT FRAMES
COMPUTER INITIATES AUTHENTICATION PROCESS FOR AUTHENTICATION TOKEN USING AUTHENTICATION INFORMATION EXTRACTED FROM FRAMES
AUTHENTICATION METHODS AND APPARATUS USING PAIRING PROTOCOLS AND OTHER TECHNIQUES

RELATED APPLICATION(S)

The present application is a continuation of U.S. patent application Ser. No. 11/671,264, filed Feb. 5, 2007, and entitled “Wireless Authentication Methods and Apparatus,” which claims the priority of U.S. Provisional Patent Application Ser. No. 60/764,826, filed Feb. 3, 2006 and entitled “The RFID Authenticator,” both of which are incorporated by reference herein. Another related application is U.S. patent application Ser. No. 11/768,608, entitled “Authentication Methods and Apparatus Utilizing Hash Chains,” which is also a continuation of above-noted U.S. patent application Ser. No. 11/671,264, and is incorporated by reference herein.

FIELD OF THE INVENTION

The present invention relates generally to techniques for authentication, and more particularly to authentication tokens or other processing devices utilized in authentication operations.

BACKGROUND OF THE INVENTION

The growing need for better user authentication is drawing increased attention to technologies such as one-time passwords. In a one-time password system, a user typically carries a device or “token” that generates and displays a series of passwords over time. The user reads the currently displayed password and enters it into a personal computer, e.g., via a Web browser, as part of an authentication operation. Such a system offers a significant improvement over conventional password-based authentication since the password is dynamic and random. Previously misappropriated one-time passwords are of no help to an attacker in determining the current password, which remains hard to guess.

One particular example of a one-time password device of the type described above is the RSA SecurID® user authentication token, commercially available from RSA, The Security Division of EMC Corporation, of Bedford, Mass., U.S.A. For a number of years, SecurID® has been the dominant solution in two-factor authentication. Its relative simplicity combined with its independence from client-side software has contributed in no small measure to its success in many large enterprises. In a typical embodiment, a SecurID® authentication token may comprise a small handheld device with an LCD screen that displays a new one-time tokencode consisting of six to eight decimal digits every 60 seconds. An ordinary user would utilize this tokencode, possibly in combination with a personal identification number (PIN), with the resulting combination called a passcode, instead of a static password to access secure resources. Each displayed tokencode is based on a secret seed and the current time of day. Any verifier with access to the seed and a time of day clock can verify that the presented tokencode is valid.

A wireless authentication token, that is, a token that transmits authentication information over the air rather than via the user, can offer many attractions. Such a token can alleviate much of the burden on users in manually entering tokencodes or other authentication information. It can also achieve considerably higher transmission bandwidth, opening up a range of new functions beyond simple authentication, such as encryption. Wireless tokens can offer several other potential advantages as well, such as hands-free authentication for physically demanding environments like hospitals and factory floors, and rapid-fire authentication for temporally demanding situations, such as online auctions.

Conventional aspects of wireless authentication tokens are described in, for example, M. Corner, “Transient Authentication for Mobile Devices,” PhD Thesis, University of Michigan, 2003. The approach disclosed therein is designed to protect information on mobile devices such as laptops from exposure in the event of theft or loss. Its authentication protocol utilizes bidirectional communication between mobile devices and authentication tokens. Such an approach is problematic, however, in that authentication tokens that accept input in their authentication protocols can be vulnerable to active attacks.

Accordingly, a need exists for improvements in wireless authentication tokens and other processing devices utilized in authentication operations.

SUMMARY OF THE INVENTION

Illustrative embodiments of the present invention meet the above-identified need by providing improved techniques for authentication utilizing authentication tokens or other processing devices.

In accordance with one aspect of the invention, a first processing device, which may be, for example, a wireless authentication token or an RFID tag, establishes a shared key through a pairing protocol that is carried out between the first processing device and a second processing device and involves communication between the second processing device and an authentication server. As part of the pairing protocol, the first processing device sends identifying information to the second processing device, and the second processing device utilizes the identifying information to obtain the shared key from the authentication server. The first processing device encrypts authentication information utilizing the shared key, and transmits the encrypted authentication information from the first processing device to the second processing device. The second processing device utilizes the shared key to decrypt the encrypted authentication information.

In a given illustrative embodiment, the identifying information may comprise a MAC address of the first processing device. The first processing device may generate the shared key using a key derivation function applied to a secret seed, where the secret seed is known to the first processing device and the authentication server but not known to the second processing device. As part of the pairing protocol the first processing device further sends a tokencode to the second processing device, and the second processing device utilizes the identifying information and the tokencode to obtain the shared key from the authentication server. Also as part of the pairing protocol, the second processing device may send information to the first processing device indicating that the second processing device is authorized by the authentication server to pair with the first processing device. The first processing device may generate the shared key using a key derivation function applied to at least part of the information sent to the first processing device by the second processing device.
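The pairing protocol summarised in the two paragraphs above, as an added worked example (written for this edition; it is not code from the patent or from any RSA or EMC product). It simulates all three parties: the token holds a secret seed and its MAC address, the computer only relays the MAC address and tokencode to the server and learns the shared key from it, and the server checks the tokencode, issues an authorization value that the token can verify with its own seed, and derives the same shared key. The tokencode construction, the HMAC-based key derivation labels and the encrypt-then-MAC wrapper that stands in for a real authenticated cipher are all assumptions of the example, as are the seed and MAC address constructed in the usage note.

```python
"""Three-party pairing simulation: token (first device), computer (second device), server."""
import hashlib
import hmac
import struct

STEP = 60    # tokencode refresh period in seconds (assumed; the background section cites 60 s)
DIGITS = 6   # tokencode length (assumed)


def tokencode(seed: bytes, now: int) -> str:
    """Time-based tokencode: HMAC-SHA256 over the time step, truncated to DIGITS digits."""
    mac = hmac.new(seed, struct.pack(">Q", now // STEP), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** DIGITS).zfill(DIGITS)


def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Key derivation function: HMAC-SHA256 over a label and length-prefixed transcript parts."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(struct.pack(">H", len(p)) + p)
    return h.digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Illustrative encrypt-then-MAC (HMAC keystream plus HMAC tag); a real AEAD belongs here."""
    if len(nonce) != 16:
        raise ValueError("nonce must be 16 bytes")
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(kdf(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(kdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; any modification of the blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kdf(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kdf(key, b"enc"), nonce, len(ct))))


class AuthServer:
    """Holds the seed registry keyed by token MAC address (the identifying information)."""

    def __init__(self, registry: dict):
        self.registry = registry

    def pair(self, mac_addr: bytes, code: str, now: int):
        """Return (authorization, shared_key) for a valid tokencode, or None to refuse pairing."""
        seed = self.registry.get(mac_addr)
        if seed is None:
            return None
        # accept the neighbouring time steps as well, to tolerate token clock drift
        if not any(hmac.compare_digest(code, tokencode(seed, now + d * STEP)) for d in (-1, 0, 1)):
            return None
        authz = kdf(seed, b"authz", mac_addr, code.encode())
        return authz, kdf(seed, b"shared", mac_addr, code.encode(), authz)


class Token:
    """Output-side device: knows only its MAC address and the secret seed."""

    def __init__(self, mac_addr: bytes, seed: bytes):
        self.mac_addr, self.seed, self.code, self.shared = mac_addr, seed, None, None

    def pairing_request(self, now: int):
        self.code = tokencode(self.seed, now)
        return self.mac_addr, self.code

    def finish_pairing(self, authz: bytes) -> None:
        """Verify that the server authorized this computer, then derive the same shared key."""
        expected = kdf(self.seed, b"authz", self.mac_addr, self.code.encode())
        if not hmac.compare_digest(authz, expected):
            raise PermissionError("computer is not authorized by the authentication server")
        self.shared = kdf(self.seed, b"shared", self.mac_addr, self.code.encode(), authz)

    def send_auth_info(self, info: bytes, nonce: bytes) -> bytes:
        return seal(self.shared, nonce, info)


def run_pairing(token: Token, server: AuthServer, now: int, info: bytes, nonce: bytes) -> bytes:
    """The computer's role: relay identity and tokencode, obtain the key, decrypt the token's message."""
    mac_addr, code = token.pairing_request(now)
    result = server.pair(mac_addr, code, now)
    if result is None:
        raise PermissionError("server refused pairing")
    authz, shared = result
    token.finish_pairing(authz)
    return open_sealed(shared, token.send_auth_info(info, nonce))
```

Usage: with a constructed seed such as `bytes(range(32))` and MAC address `bytes.fromhex("00112233aabb")`, `run_pairing(Token(mac, seed), AuthServer({mac: seed}), now, b"tokencode=123456", bytes(16))` returns the plaintext the token sealed. Note that the computer never sees the seed, only the derived key, and that the token refuses to derive a key unless the authorization value checks out under its own seed. A production server would additionally remember tokencodes it has already accepted, so that a captured pairing request cannot be replayed within the same time step.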
In accordance with another aspect of the invention, a base point on an elliptic curve is derived in a first processing device. Authentication information is generated in the first processing device utilizing the base point and a private key of the first processing device, and the authentication information is transmitted from the first processing device to a second processing device. The base point on the elliptic curve may be derived, for example, by applying a one-way function to a current time value, or by computation based on a message to be signed. The authentication information transmitted from the first processing device to the second processing device may also be transmitted to an authentication server.
In accordance with a further aspect of the invention, one or more key-encapsulating ciphertexts are generated and stored in a processing device. The processing device receives authentication information from another processing device, and utilizes the authentication information to decrypt at least one of the key-encapsulating ciphertexts to recover an associated key. The authentication information may comprise, for example, a tokencode.

In an illustrative embodiment, the authentication information may comprise a plurality of gradually rotating keys with overlapping refresh intervals. As a more particular example, the authentication information may comprise a plurality of hash chains wherein successive ones of the hash chains overlap one another in a designated number of time steps. Elements of a given one of the hash chains may be computed one time step at a time, starting at a tail of the chain, and when a particular one of the elements is output, an associated memory location may be released so as to be made available for storage of other hash chain elements. The processing devices may jointly associate a unique identity with a given one of a plurality of time steps over which the authentication information is released such that public keys can be computed for respective ones of the time steps and utilized for identity-based encryption without knowledge of corresponding secret keys.
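The overlapping hash chains of the preceding paragraph, as an added worked example (not code from the patent or from the related hash-chain application). A chain is x_0 (secret head), x_1 = H(x_0), ..., x_n (public anchor); the token releases elements from the anchor end backwards, one per time step, and frees each element's storage once it has been output. A successor chain is started a fixed number of steps before the current chain runs out, so that for those steps the output carries an element of both chains. How a verifier comes to trust a successor chain's anchor is not specified on the page; the example assumes the anchor is accepted only when it arrives alongside a verified element of a chain the verifier already trusts, and the chain length, overlap and chain identifiers are its own choices.

```python
"""Gradually rotating hash chains with overlapping refresh intervals (assumed design)."""
import hashlib
import os


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


class HashChain:
    def __init__(self, chain_id: int, head: bytes, length: int):
        self.chain_id = chain_id
        self.pending = [head]                      # x_0 ... x_n, released from the tail
        for _ in range(length):
            self.pending.append(H(self.pending[-1]))

    def remaining(self) -> int:
        return len(self.pending)

    def release(self) -> bytes:
        """Output the next element (tail first) and release its memory location."""
        return self.pending.pop()


class RotatingToken:
    def __init__(self, chain_len: int, overlap: int, rng=os.urandom):
        if not 1 <= overlap < chain_len:
            raise ValueError("overlap must be between 1 and chain_len - 1")
        self.chain_len, self.overlap, self.rng = chain_len, overlap, rng
        first = HashChain(0, rng(32), chain_len)
        self.anchor0 = first.release()             # x_n of chain 0, given to the verifier out of band
        self.chains = [first]

    def emit(self):
        """One time step: a (chain_id, element) pair for every chain that is currently active."""
        newest = self.chains[-1]
        if newest.remaining() == self.overlap:     # start the successor; its anchor is its first output
            self.chains.append(HashChain(newest.chain_id + 1, self.rng(32), self.chain_len))
        out = [(c.chain_id, c.release()) for c in self.chains]
        self.chains = [c for c in self.chains if c.remaining() > 0]   # drop exhausted chains
        return out


class Verifier:
    def __init__(self, chain_id: int, anchor: bytes):
        self.last = {chain_id: anchor}             # last accepted element per chain

    def accept(self, outputs) -> bool:
        verified, fresh = [], []
        for cid, elem in outputs:
            if cid in self.last:
                if H(elem) != self.last[cid]:      # must be the preimage of the last accepted element
                    return False
                verified.append((cid, elem))
            else:
                fresh.append((cid, elem))
        if fresh and not verified:                 # a new anchor must ride alongside a verified element
            return False
        for cid, elem in verified + fresh:
            self.last[cid] = elem
        return True
```

With `RotatingToken(5, 2)` the fourth and fifth outputs carry two elements each (the old chain's last two and the new chain's anchor followed by its first preimage), after which only the new chain is active. Replaying an earlier output fails because its hash no longer matches the verifier's last accepted element, and skipping a step fails for the same reason, so the verifier state must be kept in step with the token.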
In accordance with yet another aspect of the invention, authentication information is received from a first processing device in a second processing device, and a digital signature is generated in the second processing device by signing data that incorporates at least a portion of the received authentication information. The received authentication information is generated at least in part from a secret seed stored in the first processing device. The received authentication information may be combined with the digital signature generated by the second processing device to form a joint signature that is transmitted to an authentication server.

In an illustrative embodiment, the received authentication information comprises a tokencode and the digital signature is generated by signing data that incorporates the tokencode. The data that is signed to generate the digital signature may comprise an electronic document having the tokencode appended thereto.

In accordance with a further aspect of the invention, authentication information is generated in a first processing device, and data to be signed is received from a second processing device. A digital signature is generated in the first processing device by signing the received data utilizing at least a portion of the authentication information. The digital signature is generated only after the first processing device receives out-of-band verification of the data to be signed. For example, the received data may comprise an electronic document or a hash of an electronic document, and the out-of-band verification may provide the first processing device with evidence that the data to be signed has one or more characteristics perceptible to a user that requested generation of the digital signature.

The techniques of the illustrative embodiments overcome one or more of the problems associated with the conventional techniques described previously. For example, certain of the techniques can be implemented at least in part in an authentication token with limited computation and communication resources.
These and other features and advantages of the present invention will become more readily apparent from the accompanying drawings and the following detailed description.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of an exemplary one-time password system in an illustrative embodiment of the invention.

FIG. 2 shows one possible implementation of a wireless authentication token of the FIG. 1 system.

FIG. 3 is a flow diagram illustrating exemplary communications between a wireless authentication token and a computer in conjunction with an authentication protocol in an illustrative embodiment of the invention.

DETAILED DESCRIPTION

The present invention will be described herein with reference to an example one-time password system in which a wireless authentication token emulates standard wireless communication messages of an access point to transmit authentication information. It is to be appreciated, however, that the invention is not restricted to use in this or any other particular system configuration.

Additional details regarding certain conventional cryptographic techniques referred to herein may be found in, e.g., A. J. Menezes et al., Handbook of Applied Cryptography, CRC Press, 1997, which is incorporated by reference herein.

The term “password” as used herein is intended to be construed broadly, so as to encompass any type of authentication information that may be required in order to obtain access to an access-controlled application or other resource. Thus, the term is intended to encompass, for example, tokencodes, passcodes or other numeric or alphanumeric codes, sets of words, sentences, phrases, answers to questions, responses to challenges, or any other type of authentication information.

Also, although the illustrative embodiments are described in the context of one-time passwords, that is, passwords that are typically used only for a single access, other embodiments can use passwords that are not limited to single use, that is, passwords that each can be used for two or more accesses.

The present invention in an illustrative embodiment provides an improved one-time password device comprising an output-only wireless authentication token that does not accept external input in its authentication protocol. Alternative embodiments are not limited to such output-only wireless authentication tokens.

FIG. 1 shows a one-time password system 100 in one embodiment of the invention. The system 100 includes a wireless authentication token 102, a computer 104 and a network 106. The wireless authentication token 102 is able to communicate with the computer 104 via a wireless connection, as will be described in greater detail below. The computer 104 communicates with network 106 in a conventional manner, which may utilize a wired or wireless connection.

The wireless authentication token 102 may be in the form of an otherwise conventional handheld authentication token, such as a key fob, or may be in the form of an RFID tag or other type of stand-alone authentication token. Alternatively, it may be incorporated in or implemented in the form of another type of processing device, such as a mobile telephone, personal digital assistant (PDA), wireless email device, multimedia player, handheld or portable computer, game system, etc.
Techniques for incorporating one-time password functionality into a multimedia player are disclosed in U.S. patent application Ser. No. 11/556,506, filed Nov. 3, 2006 and entitled “Password Presentation for Multimedia Devices,” which is commonly assigned herewith and incorporated by reference herein. The present invention may make use of audio, video or other multimedia passwords, as described therein.
The computer 104 may be a desktop or portable personal computer, a microcomputer, a workstation, a mainframe computer, a wired telephone, a television set top box, a game system, a kiosk, or any other processing device which can serve as an intermediary between a given wireless authentication token 102 and the network 106. Certain processing devices may comprise dual functionality, that is, may include both wireless authentication token capabilities for authenticating themselves to other devices, while also including capabilities for authenticating other wireless authentication tokens.

Thus, it is to be appreciated that elements such as 102 and 104 in the system 100 need not take any particular physical form. A wide variety of different system configurations are possible. For instance, a wireless authentication token could be used to authorize a mobile telephone to place a call over a wireless network. Similarly, the wireless authentication token could comprise software running on a PDA or mobile telephone authenticating the user to a vending machine in a wireless payments scenario.

It is assumed in this embodiment that the network 106 is an Internet protocol (IP) network, and such a network may comprise, for example, a global computer network such as the Internet, a wide area or metropolitan area network, or various portions or combinations of these and other types of networks. Moreover, the computer 104 communicates with an access point 108 using a standard wireless local area network (WLAN) communication protocol, which in the present embodiment is assumed to be in accordance with the IEEE 802.11 standard, also commonly known as “Wi-Fi.” The 802.11 standard is described in, for example, IEEE Standard 802.11, Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, 1999 Edition, which is incorporated by reference herein. The term “802.11 standard” as used herein is intended to be construed generally, so as to encompass individual portions of 802.11, such as 802.11a, 802.11b, 802.11g, etc. as described in their respective standard documents.

The access point 108 may also be coupled to the IP network 106, as shown, although it may alternatively be connected to a separate IP network or other type of network. The access point 108 is assumed to be part of a WLAN that includes one or more access points and one or more stations. The computer 104 may be viewed as representing one particular station of the WLAN in the present illustrative embodiment.

The network 106 is assumed to have associated therewith a validation service or other type of authentication authority that is capable of authenticating passwords submitted via the computer 104. Such an authority may be configured in a well-known conventional manner. It may comprise, for example, one or more servers accessible over the network 106, such as an authentication server 110.
The computer 104 as shown includes a processor 112, a memory 114 and a number of network interfaces 116. One such network interface is utilized for communicating in a conventional manner with the IP network 106, while another is used for communicating in a conventional manner with access point 108 over the WLAN. In the illustrative embodiment, the network interface that the computer utilizes to communicate with access point 108 over the WLAN is also utilized to receive authentication information from the wireless authentication token 102, as will be described in greater detail below in conjunction with the flow diagram of FIG. 3.
Although the wireless authentication token 102 and computer 104 are shown as separate devices in FIG. 1, other embodiments of the invention may combine the functionality of these elements into a single processing device. For example, a given wireless authentication token may be configured to connect to the network 106 via a wireless connection established with the access point 108, without the use of a separate intermediary device such as computer 104. In such an arrangement, the access point 108 may be configured to extract authentication information from frames transmitted by the wireless authentication token.

It is to be appreciated that a given embodiment of the system 100 may include multiple instances of wireless authentication token 102, computer 104, network 106, access point 108 and authentication server 110, as well as additional or alternative elements, although only single instances of elements 102, 104, 106, 108 and 110 are shown in the system diagram for clarity of illustration.

FIG. 2 shows a more detailed view of the wireless authentication token 102 of FIG. 1. As indicated above, such a device is an example of what is more generally referred to herein as a processing device. The wireless authentication token 102 in this implementation includes a processor 200 coupled to a memory 202 and to interface circuitry 204. These device elements may be implemented in whole or in part as a conventional microprocessor, digital signal processor, application-specific integrated circuit (ASIC) or other type of circuitry, as well as portions or combinations of such circuitry elements. The interface circuitry 204 is coupled to an antenna 206. The interface circuitry 204 communicates via antenna 206 with a corresponding network interface 116 of the computer 104.

The wireless authentication token 102 as shown includes one or more control buttons 208. A given such button may be used, for example, to cause the wireless authentication token to transmit authentication information to the computer 104. In other embodiments, such buttons may be eliminated entirely, with the wireless authentication token autonomously controlling its communication functions without user intervention, for example, based on automatic detection of proximity of the token to the computer, sensor activation, periodic or continuous transmission, etc. For example, continuous transmission may be advantageous to users in physical environments that favor hands-free authentication, e.g., fast-paced medical environments and factory floors. It should be noted, however, that the lack of user initiation increases the risk of relay and replay attacks.

Hybrid arrangements may also be used. For example, a dual-use token may be configured to generate output in response to a button press by the user as well as to generate output based on proximity detection or other automatic technique. As another example, a dual-use token may generate output in response to button activation, but may be “locked” to transmit continuously if desired. Such hybrid tokens are advantageous in that they allow the user to choose a tradeoff between security and convenience.
As will be appreciated by those skilled in the art, portions of a wireless authentication technique in accordance with an embodiment of the invention can be implemented at least in part in the form of one or more software programs that are stored in memory 202 and executed by the corresponding processor 200. Thus, the memory 202, in addition to storing seeds or other information used to generate one-time passwords or other authentication information, may be used to store program instructions and other information used to perform operations associated with generation, transmission and other processing of such authentication information. Memory 202 may comprise, for example, multiple physically-separate storage elements of various types, including random access memory (RAM), read-only memory (ROM), Flash or other non-volatile memory, disk-based memory, etc. in any combination.
The wireless authentication token 102 is advantageously configured to transmit authentication information to the computer 104 by emulating an actual access point of the WLAN. More specifically, in this embodiment the processor 200 of the wireless authentication token is operative to control the transmission of information via the network interface circuitry 204 in a manner that emulates standard communications of the access point 108 of the WLAN, although the wireless authentication token itself is not configured to operate as an actual access point of the WLAN. A given station of the WLAN that receives the transmitted information, such as computer 104, is able to determine that the transmitted information originates from an emulated access point rather than an actual access point. The computer 104 responds to this condition by utilizing the transmitted information in conjunction with a protocol that is not part of the standard communications. For example, the computer in the present embodiment may extract a one-time password or other authentication information from the transmitted information and initiate an authentication process using the extracted authentication information.
The communications of the wireless authentication token in the present embodiment emulate communications compliant with the 802.11 standard. For example, as will be described in greater detail below, the transmitted information may comprise an 802.11 beacon frame or probe response frame, with the one-time password or other authentication information being carried at least in part in a Service Set Identifier (SSID) field of the beacon frame or probe response frame. As indicated previously, such information may be transmitted, for example, responsive to a user command entered via one of the control buttons 208, or may be transmitted periodically or continuously without user intervention. The authentication information may be encrypted by the wireless authentication token prior to transmission using a key established through interaction with the computer.
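The beacon and probe-response handling described above and in the FIG. 3 flow, as an added worked example (written for this edition; it is not code from the patent or from any RSA or EMC product). It builds a minimal 802.11 management frame with an SSID element, parses it back with bounds checks on every element header, and applies the station-side decision: a frame whose SSID begins with a marker is routed to the non-standard authentication protocol, anything else is processed as an ordinary access point advertisement. The marker `TOK:`, the payload format and the builder's fixed-field values are assumptions of the example; the page says only that the SSID indicates the token.

```python
"""802.11 beacon/probe-response SSID extraction with the FIG. 3 decision (assumed marker)."""
import struct

BEACON_SUBTYPE = 8
PROBE_RESP_SUBTYPE = 5
SSID_ELEMENT_ID = 0
TOKEN_MARKER = b"TOK:"   # assumed marker; the patent does not say how the SSID indicates a token


def build_mgmt_frame(subtype: int, bssid: bytes, ssid: bytes, extra_ies: bytes = b"") -> bytes:
    """Minimal beacon/probe response: 24-byte MAC header, 12 bytes of fixed fields, then elements."""
    if len(ssid) > 32:
        raise ValueError("SSID element carries at most 32 octets")
    frame_control = struct.pack("<H", subtype << 4)          # protocol 0, type 0 (management), subtype
    header = frame_control + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0001)              # timestamp, beacon interval (TU), capability (ESS)
    return header + fixed + bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid + extra_ies


def parse_mgmt_frame(frame: bytes):
    """Return (subtype, bssid, {element_id: body}); raise ValueError on a malformed frame."""
    if len(frame) < 36:
        raise ValueError("truncated management frame")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = (fc >> 4) & 0xF
    bssid = frame[16:22]                      # address 3 is the BSSID in a beacon or probe response
    elements, off = {}, 36
    while off < len(frame):
        if off + 2 > len(frame):
            raise ValueError("truncated element header")
        eid, elen = frame[off], frame[off + 1]
        body = frame[off + 2: off + 2 + elen]
        if len(body) != elen:                 # a length byte must never point past the frame
            raise ValueError("element length exceeds frame")
        elements.setdefault(eid, body)        # keep the first occurrence of a repeated element
        off += 2 + elen
    return subtype, bssid, elements


def classify(frame: bytes):
    """Station-side decision: ("token", payload) for an emulated access point, ("ap", ssid) otherwise."""
    subtype, _bssid, elements = parse_mgmt_frame(frame)
    if subtype not in (BEACON_SUBTYPE, PROBE_RESP_SUBTYPE):
        return ("other", None)
    ssid = elements.get(SSID_ELEMENT_ID, b"")
    if ssid.startswith(TOKEN_MARKER):
        return ("token", ssid[len(TOKEN_MARKER):])   # hand to the non-standard authentication protocol
    return ("ap", ssid)                                # process as an ordinary access point frame
```

The classification only routes the frame; nothing in a beacon or probe response is authenticated at this layer, so the extracted payload is still just a claim until the authentication server (or the pairing key established with the computer) verifies it. Treating the SSID length byte as untrusted input is the other point a station-side implementation needs to get right, which is why the parser rejects any element that runs past the end of the frame instead of reading whatever follows.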
This approach exploits the methods by which 802.11 stations determine which wireless networks in range offer service. 802.11 wireless access points and ad-hoc network participants advertise their existence by sending out beacon frames, which are unsolicited management frames sent to a broadcast address, and probe response frames, which are sent in response to probe frames sent out by stations seeking access points or other stations with which to potentially associate. Beacon frames and probe response frames contain many data fields. The present embodiment utilizes the SSID field, which in conventional practice is typically used to indicate the natural language name of a network (e.g., “RSA Labs Wireless”), to carry authentication information. The SSID field can be given an arbitrary value and will still be received and propagated unchanged up the protocol stack by commodity 802.11 hardware and drivers on Windows platforms a
