TriCipher Adds to Patent Portfolio with New Password Protection Technology

Newly Patented Authentication Technology Prevents Password Guessing and Denial of Service Attacks

SAN MATEO, CA – May 31, 2005 – TriCipher, Inc., the innovator of strong authentication for the real world, today announced that it has been granted a new patent for password protection technology by the United States Patent and Trademark Office. TriCipher’s patented technology leverages open standards to deliver a manageable, user friendly and cost effective authentication platform that can easily be integrated into an organizations existing security infrastructure.

TriCipher, which owns and licenses exclusively from Verizon Communications an extensive patent portfolio in strong authentication, has been issued U.S. patent number 6,883,095 for a system that protects passwords from two key vulnerabilities: guessing attacks and denial of service attacks. The technology, called "password throttling”, is already implemented on TriCipher’s industry-leading strong authentication and security solution, the TriCipher Armored Credential System TM (TACS), and is being used by healthcare, financial services, and government organizations to protect information assets.

Passwords continue to be a popular method for authenticating users, either alone or in combination with other factors, such as hardware tokens.  One of the intrinsic vulnerabilities of password-based authentication is the ability of an attacker to try to guess a user’s password through multiple login attempts.  The traditional method for preventing password guessing is to limit the number of incorrect authentication attempts. For example, after five failed login attempts, the user is locked out for a certain period. However, this solution opens the door to another vulnerability — denial of service. Given a list of corporate user accounts, an attacker could, for example, launch a wave of unsuccessful login attempts against a corporate website. All users of the target system would quickly be locked out, resulting in productivity losses for the company.

The technology covered by this patent resolves this dilemma by increasing the computational effort required by each successive online guess. A legitimate user who is entering a password for the second or third time would barely notice the added effort, but an attacker who has to try hundreds or thousands of guesses will quickly run out of resources.

"Over the years, attacks against identity systems have increased considerably," said Ravi Sandhu, Chief Scientist, TriCipher and professor of Information Security and Assurance at George Mason University. “At the same time, password guessing and the fact that users must be locked out to prevent the attack have reduced the effectiveness of passwords as an authentication mechanism. With the invention of this technology, password-based systems are more secure.”

"This patent is part of a portfolio of TriCipher–developed technology innovations for strong authentication," said Ravi Ganesan, founder and CEO of TriCipher. "Most authentication systems out there today are at least 20 years old. We are approaching authentication in a new way, finding the balance between security, ease of use and total cost of ownership. This new patent reflects our ability to deliver innovative solutions that solve real world problems.”

TriCipher currently owns or has exclusive license to 10 patents in the areas of cryptography, strong authentication, and identity protection and has several more pending.

About TriCipher, Inc.

TriCipher, Inc. provides strong authentication for the real world. The first authentication system that issues multiple types of credentials from a single infrastructure, the TriCipher Armored Credential System™ (TACS) allows for authentication strength to change in response to new threats without any infrastructure changes. Our patented technology fills the gap between authentication systems that are either not secure enough or too hard to use and deploy. TriCipher’s innovative approach to strong multi-factor authentication protects against phishing and eliminates dictionary attacks. Founded in 2000, TriCipher is headquartered in San Mateo, California. The Company was incubated as NSD Security before launching as a separate entity in 2005. Investors in TriCipher are ArrowPath Venture Capital, Intel® Capital, Trident Capital and Wasatch Venture Partners. For more information, please visit www.tricipher.com or email info@tricipher.com.

Copyright 2005 TriCipher, Inc. TriCipher, Armored Credential, and Armored Credential Appliance are either registered trademarks or trademarks of TriCipher, Inc. in the United States and/or other countries. All other products and services mentioned are trademarks of their respective companies.

For More Information Contact:

Elizabeth Safran, Trainer Communications for TriCipher, Inc.

elizabeth@trainercomm.com, (408) 920-0585

Sally Sheward, TriCipher, Inc.

sally@tricipher.com, (650) 372-1312