System and method for anti-phishing authentication

US 10,027,707 B2
Filed: 04/12/2017
Issued: 07/17/2018
Est. Priority Date: 09/19/2005
Status: Active Grant

First Claim

Patent Images

1. A method for providing security against phishing attacks, the method comprising:

providing encrypted commitment information to a client;

receiving a dynamic credential from the client, in response to the encrypted commitment information provided;

determining when the dynamic credential is valid based on the received dynamic credential;

sending a commitment key for the encrypted commitment information to the client, when the determination indicates that the dynamic credential is a valid dynamic credential;

receiving a static credential from the client in response to the sent commitment key; and

authenticating the client based on the dynamic credential and the static credential.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for providing security against phishing attacks. The method can include receiving a login ID from a client, and providing an encrypted commitment to the client. The method can also include receiving a one-time password (OTP) from the client, and validating the OTP. The method can also include sending a commitment key, to be authenticated by the client, receiving a static password from the client and authenticating the client. Embodiments of the invention are directed to a system for providing security against phishing attacks. The system can include one or more servers configured to receive a login ID from a client, and provide an encrypted commitment to the client. The processors can be configured to receive a one-time password (OTP) from the client, validate the OTP, send a commitment key, to be authenticated by the client, receive a static password from the client and authenticate the client.

651 Citations

19 Claims

1. A method for providing security against phishing attacks, the method comprising:
- providing encrypted commitment information to a client;
  
  receiving a dynamic credential from the client, in response to the encrypted commitment information provided;
  
  determining when the dynamic credential is valid based on the received dynamic credential;
  
  sending a commitment key for the encrypted commitment information to the client, when the determination indicates that the dynamic credential is a valid dynamic credential;
  
  receiving a static credential from the client in response to the sent commitment key; and
  
  authenticating the client based on the dynamic credential and the static credential.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising providing the encrypted commitment information appearing to the client as a random sequence of numbers.
  - 3. The method of claim 1, further comprising:
    - determining a value of the dynamic credential before receiving the dynamic credential.
  - 4. The method of claim 1,establishing a client-server session between the client and a server, upon successfully authenticating the client.
  - 5. The method of claim 1, further comprising:
    - receiving user identification information from the client; and
      
      identifying the client based on the received user identification information.
  - 6. The method of claim 1, wherein the dynamic credential comprises a one-time password (OTP).
  - 7. The method of claim 6, wherein the OTP is derived from a name of a server.
  - 8. The method of claim 1, further comprising:
    - terminating a Secure Socket Layer (SSL) session between the client and a server, when the determination indicates that the dynamic credential is an invalid dynamic credential.
  - 9. The method of claim 1, further comprising embedding a name of a server into an algorithm for generating the dynamic credential.

10. A system for providing security against phishing attacks, comprising one or more client devices or server devices, the system comprising a memory, the memory comprising programmed instructions stored thereon and one or more processors configured to be capable of executing the stored programmed instructions to:
- provide encrypted commitment information to a client;
  
  receive, a dynamic credential from the client, in response to the encrypted commitment information provided;
  
  determine when the dynamic credential is valid based on the received dynamic credential;
  
  send a commitment key for the encrypted commitment information to the client when the determination indicates that the dynamic credential is a valid dynamic credential;
  
  receive, a static credential from the client in response to the sent commitment key; and
  
  authenticate the client based on the dynamic credential and the static credential.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the one or more processors are further configured to be capable of executing the stored programmed instructions to:
    - provide the encrypted commitment information appearing to the client as a random sequence of numbers.
  - 12. The system of claim 10, wherein the one or more processors are further configured to be capable of executing the stored programmed instructions to:
    - determine a value of the dynamic credential before receiving the dynamic credential.
  - 13. The system of claim 10, wherein the one or more processors are further configured to be capable of executing the stored programmed instructions to:
    - establish a client-server session between the client and a server, upon successfully authenticating the client.
  - 14. The system of claim 10, wherein the one or more processors are further configured to be capable of executing the stored programmed instructions to:
    - receive user identification information from the client; and
      
      identify the client based on the received user identification information.
  - 15. The system of claim 10, wherein the dynamic credential comprises a one-time password (OTP).
  - 16. The system of claim 15, wherein the OTP is derived from a name of a server.
  - 17. The system of claim 10, wherein the one or more processors are further configured to be capable of executing the stored programmed instructions to:
    - terminate a Secure Socket Layer (SSL) session between the client and a server, when the determination indicates that the dynamic credential is an invalid dynamic credential.
  - 18. The system of claim 10, wherein the one or more processors are further configured to be capable of executing the stored programmed instructions to:
    - embed a name of a server into an algorithm for generating the dynamic credential.

19. A non-transitory computer readable storage medium having stored thereon instructions for providing security against phishing attacks, comprising executable code which when executed by one or more processors, cause the one or more processors to:
- provide encrypted commitment information to a client;
  
  receive a dynamic credential from the client, in response to the encrypted commitment information provided;
  
  determine when the dynamic credential is valid based on the received dynamic credential;
  
  send a commitment key for the encrypted commitment information to the client when the determination indicates that the dynamic credential is a valid dynamic credential;
  
  receive a static credential from the client in response to the sent commitment key; and
  
  authenticate the client based on the dynamic credential and the static credential.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
JP Morgan Chase Bank, N.A. (JP Morgan Chase & Co)
Original Assignee
JP Morgan Chase Bank, N.A. (JP Morgan Chase & Co)
Inventors
Benson, Glenn S.
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US15/485,288
Publication Number

US 20170279851A1
Time in Patent Office

461 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 2221/2119   Authenticating web pages, e...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/0838   using one-time-passwords

H04L 63/0846   using time-dependent-passwo...

H04L 63/1475   Passive attacks, e.g. eaves...

H04L 63/1483   service impersonation, e.g....

H04L 9/3228   One-time or temporary data,...

System and method for anti-phishing authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

651 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for anti-phishing authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

651 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links