| System and method for validating a network session -> Monitor Keywords |
|
|
  System and method for validating a network sessionUSPTO Application #: 20070255960Title: System and method for validating a network session Abstract: A system and method for preventing interception and decryption of information by an unauthorized party when that information is transmitted over a network is provided. A token is used to encrypt one-time password that is different for each network session, to prevent decryption thereof. The encrypted one-time password is returned to a network server for authentication by the server. The network server generates its response in a similar fashion. The server compares its response to the one-time password, to determine if they match. If they match, then the client is granted access to the network. If they responses do not match, then the client is denied access to the network by the server. (end of abstract)
Agent: Stevens Law Group - San Jose, CA, US Inventors: Henry Hon, Fred Cheng USPTO Applicaton #: 20070255960 - Class: 713185000 (USPTO) Related Patent Categories: Electrical Computers And Digital Processing Systems: Support, System Access Control Based On User Identification By Cryptography, Using Record Or Token The Patent Description & Claims data below is from USPTO Patent Application 20070255960. Brief Patent Description - Full Patent Description - Patent Application Claims
CROSS-REFERENCE TO RELATED APPLICATIONS [0001] This Application is a non-provisional application of Provisional Application No. 60/347,581, filed on Oct. 26, 2001. BACKGROUND OF THE INVENTION [0002] 1. Field of the Invention [0003] The present invention relates generally to data encryption and decryption systems and methods and, more particularly, to a system and method for preventing interception and decryption of information by an unauthorized party when that information is transmitted over a network. [0004] 2. Background Information [0005] A computer network session is the time during which two computers in a network maintain a connection. In an interactive computer program running on the network, a network session can be considered the time during which one computer, such as a server, accepts, processes, and outputs information from another computer, such as a client. Programs designed for contacting different servers on the Internet are commonly known as "web applications" or "web browsers". [0006] During a network session, a user, or client, accesses a remotely located computer, or server, to exchange data with the server via a computer network, such as the Internet or an Intranet, for example. During the network session the client may further exchange data with a second client via the server and may exchange data with one or more additional servers. [0007] Frequently, confidential data is exchanged between the client and server during a network session and this data may be valuable to outside parties. Such confidential data may include personal information, financial information, and proprietary information, for example. Thus, if an unauthorized party were to obtain a client's confidential information they could use that information however they desire. [0008] The processes of data encryption and decryption are well known for inhibiting unauthorized access to confidential data. Data encryption is the process of encoding data to prevent unauthorized access to the data, especially during transmission. Encryption of data is usually based on an encryption/decryption key, or key, that may comprise a predetermined sequence of data, that is essential for decoding the data. The encryption key is used to encrypt the data prior to transmission. The intended recipient of the data is provided with a like key for decrypting the data, to allow access to the data by the intended recipient. [0009] One common method of data encryption/decryption is "Public Key Encryption". Public key encryption comprises an asymmetric scheme that uses a pair of keys for encryption. A public key is one of two keys in public key encryption. A user releases the public key to the public. The public uses the public key for encrypting data this is sent to the user and for decrypting the user's digital signature. A private key is the other of the two keys in public key encryption. The user keeps the private key secret and uses it to encrypt digital signatures and to decrypt received messages. A disadvantage of public key encryption is that it may be vulnerable to "Man-In-The-Middle" (MITM) attacks, since the client and server are unable to verify the identity of each other. [0010] A Man-In-The-Middle (MITM) attack typically involves an interceptor posing as a target, which may be a sever, for example. The interceptor uses its own public key, instead of the target's public key, for asymmetric encryption. This allows the interceptor to decrypt confidential data that is intended for the target. The interceptor can then use this decrypted information to gain unauthorized access to the target's confidential information. [0011] A known attempt to defend against MITM attacks is, to ensure that the public key is coming from its legitimate owner. To ensure that a public key is coming from its legitimate owner, an encrypted link can be created between a server, such as a web server on the Internet, and web browser software. Secure Sockets Layer (SSL) is a security technology standard for creating encrypted links between web servers and browsers. This encrypted link attempts to ensure that data transmitted between the web server and browser remains private and integral. SSL technology requires the use of an electronic certificate, issued by a trusted Certification Authorities (CA), to be used to generate the encrypted link. The electronic certificate is an electronic document that binds some pieces of information together, such as a user's identity and their public key. The pieces of information are bound by the signature of the CA. [0012] A trusted Certification Authority (CA) is a trusted third party responsible for issuing digital certificates and managing them throughout their lifetime. Digital certificates are electronic files containing the user's public key and specific identifying information about the user. [0013] Digital signatures are also used to defend against MITM and other attacks. With digital signatures, a sender uses a secret key to create a unique electronic number. This unique electronic number can be read by anyone possessing the corresponding public key, which verifies that the message is truly from the sender. [0014] Another known method of attempting unauthorized access to encrypted data is a "replay" attack. Web browsers may be vulnerable to a replay attacks, if a user's authentication tokens are captured or intercepted by an attacker. In a replay attack, an attacker directly uses authentication tokens, such as a session ID in a URL cookie, for example. For clarification, "URL" is an acronym for Uniform Resource Locator. A URL is an address for a resource on the Internet used by Web browsers to locate Internet resources. The attacker uses the authentication token to obtain or create service to a user's account, while bypassing normal user authentication, such as logging in with the appropriate username or password. [0015] For example, an attacker discovers a URL that contains session ID information. With this information, the attacker may be able to obtain or create service to user's account contained in the session ID information, simply by pasting that URL back into the internet address widow of their web browser. The legitimate user may not need to be logged into the application at the time of the replay attack. BRIEF SUMMARY OF THE INVENTION [0016] The present invention provides a system and method for preventing interception and decryption of information by an unauthorized party when that information is transmitted over a network. The present invention uses more than one round of data encryption and a symmetric shared secret to prevent decryption of information intended for an authorized party. A one-time password, that is generated through encryption of an identifier code which is unique for each network session, inhibits against "Man-In-The-Middle" (MITM), "replay", and other attacks. [0017] A unique token device, or token, of the present invention may include a processor running a data encryption/decryption program and a memory device for storing data. Symmetric shared secrets are embedded in the memory device. This eliminates the need for key exchanges between two parties, and thus, inhibits MITM from stealing encryption/decryption keys. [0018] When a client requests access to a network server, to activate a web page stored on the server, for example, the client first couples their token to a computer. The invented method queries the server to generate a challenge. The challenge may include a challenge puzzle, an encryption/decryption key ID, and a network identifier code, also referred to in the art as session ID code. The challenge may be in the form of a 128-bit number. [0019] The token receives the challenge and processes it. The challenge is decomposed to recover the challenge puzzle, key ID, and network identifier code. The challenge puzzle and key ID determine which two particular shared secrets stored in the token's memory device are to be sent to the token's processor. [0020] The token's processor, may be running a data encryption/decryption algorithm, such as an Advanced Encryption Standard (AES) technology type data encryption/decryption algorithm. The two shared secrets are fed into the data encryption/decryption algorithm to generate an encrypted puzzle key. The network identifier code and encrypted puzzle key are then fed into the data encryption/decryption algorithm to generate the encrypted response, or one-time password (OTP). Since the OTP is used only once, replay attacks are prevented. [0021] The OTP is sent to the network server. Once the server receives the OTP, the server generates its response using the same process that the token used to generate the OTP. The server then compares its response to the OTP to see if they match. If they match, the client is granted access to the network and if they do not match, the client is denied access to the network. Continue reading... Full patent description for System and method for validating a network session Brief Patent Description - Full Patent Description - Patent Application Claims Click on the above for other options relating to this System and method for validating a network session patent application. ###  How KEYWORD MONITOR works... a FREE service from FreshPatents1. Sign up (takes 30 seconds). 2. Fill in the keywords to be monitored. 3. Each week you receive an email with patent applications related to your keywords. Start now! - Receive info on patent apps like System and method for validating a network session or other areas of interest. ### Previous Patent Application: Claim transformations for trust relationships Next Patent Application: Intelligent encryption key with biometric identification function and operating method for the same Industry Class: Electrical computers and digital processing systems: support ### FreshPatents.com Support Thank you for viewing the System and method for validating a network session patent info. IP-related news and info Results in 3.80886 seconds Other interesting Feshpatents.com categories: Tyco , Unilever , Warner-lambert , 3m |
||
