Detecting and preventing man-in-the-middle attacks on an encrypted connection

US 10,171,250 B2
Filed: 07/25/2017
Issued: 01/01/2019
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

determining, by a device, one or more verification domains to be used to verify a public key certificate,the one or more verification domains being different from a host domain associated with the device;

determining, by the device, one or more resources to be requested to verify the public key certificate;

determining, by the device, one or more actions to perform when the public key certificate is not valid;

generating, by the device, executable verification code, for performing the one or more actions without prompting a user to accept or reject the public key certificate, based on determining the one or more verification domains, based on determining the one or more resources, and based on determining the one or more actions;

embedding, by the device, the executable verification code in other code; and

providing, by the device, the other code, with the executable verification code, for execution by a client device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A client device may provide, to a host device, a request to access a website associated with a host domain. The client device may receive, based on the request, verification code that identifies a verification domain and a resource, associated with the verification domain, to be requested to verify a public key certificate. The verification domain may be different from the host domain. The client device may execute the verification code, and may request the resource from the verification domain based on executing the verification code. The client device may determine whether the requested resource was received, and may selectively perform a first action or a second action based on determining whether the requested resource was received. The first action may indicate that the public key certificate is not valid, and the second action may indicate that the public key certificate is valid.

94 Citations

View as Search Results

20 Claims

1. A method comprising:
- determining, by a device, one or more verification domains to be used to verify a public key certificate,the one or more verification domains being different from a host domain associated with the device;
  
  determining, by the device, one or more resources to be requested to verify the public key certificate;
  
  determining, by the device, one or more actions to perform when the public key certificate is not valid;
  
  generating, by the device, executable verification code, for performing the one or more actions without prompting a user to accept or reject the public key certificate, based on determining the one or more verification domains, based on determining the one or more resources, and based on determining the one or more actions;
  
  embedding, by the device, the executable verification code in other code; and
  
  providing, by the device, the other code, with the executable verification code, for execution by a client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, where the one or more verification domains include a top-level domain and one or more sub-level domains.
  - 3. The method of claim 1, where determining the one or more verification domains comprises:
    - identifying a plurality of verification domains to be used to verify the public key certificate; and
      
      selecting the one or more verification domains, from the plurality of verification domains, based on user input.
  - 4. The method of claim 1, where the one or more resources include an object accessible from a verification domain of the one or more verification domains.
  - 5. The method of claim 1, where the one or more actions include one or more of:
    - a first action for providing a notification, via the client device, regarding a compromised connection,a second action for terminating a session, ora third action for requiring the user to log in from a different local area network that is different from a local area network that the client device is using.
  - 6. The method of claim 1, where the public key certificate includes an electronic document that uses a digital signature to bind a public key with an identity.
  - 7. The method of claim 6, where the identity is associated with a domain.

8. A system comprising:
- a memory; and
  
  one or more processors to;
  
  determine one or more verification domains to be used to verify a public key certificate,the one or more verification domains being different from a host domain;
  
  determine one or more resources to be requested to verify the public key certificate;
  
  determine one or more actions to perform when the public key certificate is not valid;
  
  generate executable verification code, for performing the one or more actions without prompting a user to accept or reject the public key certificate, based on determining the one or more verification domains, based on determining the one or more resources, and based on determining the one or more actions;
  
  embed the executable verification code in other code; and
  
  provide the other code with the executable verification code for execution by a client device.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, where the one or more verification domains include a top-level domain and one or more sub-level domains.
  - 10. The system of claim 8, where, when determining the one or more verification domains, the one or more processors are to:
    - identify a plurality of verification domains to be used to verify the public key certificate; and
      
      select the one or more verification domains, from the plurality of verification domains, based on user input.
  - 11. The system of claim 8, where the one or more resources include an object accessible from a verification domain of the one or more verification domains.
  - 12. The system of claim 8, where the one or more actions include one or more of:
    - a first action for providing a notification, via the client device, regarding a compromised connection,a second action for terminating a session, ora third action for requiring the user to log in from a different local area network that is different from a local area network that the client device is using.
  - 13. The system of claim 8, where the public key certificate includes an electronic document that uses a digital signature to bind a public key with an identity.
  - 14. The system of claim 13, where the identity is associated with a domain.

15. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by at least one processor, cause the at least one processor to;
  
  determine one or more verification domains to be used to verify a public key certificate,the one or more verification domains being different from a host domain;
  
  determine one or more resources to be requested to verify the public key certificate;
  
  determine one or more actions to perform when the public key certificate is not valid;
  
  generate executable verification code, for performing the one or more actions without prompting a user to accept or reject the public key certificate, based on determining the one or more verification domains, based on determining the one or more resources, and based on determining the one or more actions;
  
  embed the executable verification code in other code; and
  
  provide the other code with the executable verification code for execution by a client device.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable medium of claim 15, where the one or more verification domains include a top-level domain and one or more sub-level domains.
  - 17. The non-transitory computer-readable medium of claim 15, where the one or more instructions to determine the one or more verification domains comprise:
    - one or more instructions to;
      
      identify a plurality of verification domains to be used to verify the public key certificate; and
      
      select the one or more verification domains, from the plurality of verification domains, based on user input.
  - 18. The non-transitory computer-readable medium of claim 15, where the one or more resources include an object accessible from a verification domain of the one or more verification domains.
  - 19. The non-transitory computer-readable medium of claim 15, where the one or more actions include an action for requiring a user to log in from a different local area network that is different from a local area network that the client device is using.
  - 20. The non-transitory computer-readable medium of claim 15, where the public key certificate includes an electronic document that uses a digital signature to bind a public key with an identity associated with a domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Adams, Kyle
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Gundry, Stephen

Application Number

US15/659,106
Publication Number

US 20170331634A1
Time in Patent Office

525 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/12   Applying verification of th...

H04L 63/1466   Active attacks involving in...

H04L 9/3239   involving non-keyed hash fu...

H04L 9/3268   using certificate validatio...

Detecting and preventing man-in-the-middle attacks on an encrypted connection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

94 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Detecting and preventing man-in-the-middle attacks on an encrypted connection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

94 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others