Computer networks, and in particular Wide Area Networks (WANs) such as the Internet, provide opportunities for the misuse and abuse of communications traveling thereover. For example, two users (e.g., a human user and an enterprise server) communicating via the WAN may have their communications intercepted and/or altered. Also, it is possible for one user to misrepresent his, her, or its identity to another user.
Thus, there is a need for both privacy and authentication between users of the network communicating with one another. In other words, users should be able to rely on the fact that their transmissions will not be intercepted or altered, and that transmissions from someone purporting to be a particular user do in fact originate from that user.
In many secure communication applications, a seed is required in order to perform certain cryptographic operations such as encryption, decryption, authentication, etc. The seed may comprise, by way of example, a symmetric key or other secret shared by two or more entities.
One such application is in authentication tokens, such as the RSA SecurID® authentication token commercially available from RSA Security Inc. of Bedford, Mass., U.S.A. The RSA SecurID® authentication token is used to provide two-factor authentication. As used herein token generator and OTP generator may be used interchangeably. Authorized users are issued individually-registered tokens that generate one time passcodes (OTPs), which change based on a time code algorithm. OTPs may be used for various forms of authentication such as user, machine, transaction and message authentication. For example, a different OTP may be generated every 60 seconds. In a given two-factor authentication session, the user is required to enter a personal identification number (PIN) plus the current OTP from his or her authentication token. This information is supplied to an OTP validation entity. The OTP validation entity may be a server or other processing device equipped with RSA Authentication Manager® software, available from RSA Security Inc. The PIN and current OTP may be transmitted to the OTP validation entity via an encryption agent equipped with RSA Authentication Agent® software, also available from RSA Security Inc. If the PIN and current OTP are determined to be valid, the user is granted access appropriate to his or her authorization level. Thus, the OTPs are like temporary passwords that cannot be guessed by an attacker, with other than a negligible probability.
A given RSA SecurID® token typically contains one or more seeds that are utilized in computing the token outputs. The OTP validation entity performing the verification of the token outputs requires access to one or more seeds associated with the token in question. Typically, such authentication entities have access to the same seed or set of seeds that the token uses to generate its output.