Count-based challenge-response credential pairs for client/server request validation

US 10,225,255 B1
Filed: 08/26/2016
Issued: 03/05/2019
Est. Priority Date: 05/27/2016
Status: Active Grant

First Claim

Patent Images

1. A server computer system that is programmed to validate requests from a client computer to a server computer, the server computer system comprising:

a memory persistently storing a set of server instructions;

one or more processors coupled to the memory, wherein the one or more processors execute the set of server instructions, which causes the one or more processors to;

generate a first challenge credential comprising a timestamp and a hash generated from the timestamp, to be sent to the client computer, wherein the first challenge credential corresponds to a first response credential in a first challenge-response credential pair;

render one or more first dynamic-credential instructions, which when executed by the client computer, cause the client computer to generate the first response credential in the first challenge-response credential pair, based on the timestamp and the hash generated from the timestamp;

send, to the client computer, the first challenge credential and the one or more first dynamic-credential instructions, but not the first response credential;

receive a first request that includes a first test-challenge credential and a first test-response credential;

determine whether the first test-challenge credential and the first test-response credential are the first challenge-response credential pair;

in response to determining that the first test-response credential is the first response credential, determine that a first count is associated with the first challenge-response credential pair, and determine whether the first count satisfies a first threshold;

in response to determining that the first count does not satisfy the first threshold, determine that the first request is not a replay request and assign a second count to the first challenge-response credential pair.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer systems and methods in various embodiments are configured for improving the security and efficiency of server computers interacting through an intermediary computer with client computers that may be executing malicious and/or autonomous headless browsers or “bots”. In an embodiment, a server computer system that is programmed to validate requests from a client computer to a server computer, the server computer system comprising: a memory persistently storing a set of server instructions; one or more processors coupled to the memory, wherein the one or more processors execute the set of server instructions, which causes the one or more processors to: generate a first challenge credential to be sent to the client computer, wherein the first challenge credential corresponds to a first response credential in a first challenge-response credential pair; render one or more first dynamic-credential instructions, which when executed by the client computer, cause the client computer to generate the first response credential in the first challenge-response credential pair; send, to the client computer, the first challenge credential and the one or more first dynamic-credential instructions, but not the first response credential; receive a first request that includes a first test-challenge credential and a first test-response credential; determine whether the first test-challenge credential and the first test-response credential are the first challenge-response credential pair; in response to determining that the first test-response credential is the first response credential, determine that a first count is associated with the first challenge-response credential pair, and determine whether the first count satisfies a first threshold; in response to determining that the first count does not satisfy the first threshold, determine that the first request is not a replay request and assign a second count to the first challenge-response credential pair.

25 Citations

View as Search Results

28 Claims

1. A server computer system that is programmed to validate requests from a client computer to a server computer, the server computer system comprising:
- a memory persistently storing a set of server instructions;
  
  one or more processors coupled to the memory, wherein the one or more processors execute the set of server instructions, which causes the one or more processors to;
  
  generate a first challenge credential comprising a timestamp and a hash generated from the timestamp, to be sent to the client computer, wherein the first challenge credential corresponds to a first response credential in a first challenge-response credential pair;
  
  render one or more first dynamic-credential instructions, which when executed by the client computer, cause the client computer to generate the first response credential in the first challenge-response credential pair, based on the timestamp and the hash generated from the timestamp;
  
  send, to the client computer, the first challenge credential and the one or more first dynamic-credential instructions, but not the first response credential;
  
  receive a first request that includes a first test-challenge credential and a first test-response credential;
  
  determine whether the first test-challenge credential and the first test-response credential are the first challenge-response credential pair;
  
  in response to determining that the first test-response credential is the first response credential, determine that a first count is associated with the first challenge-response credential pair, and determine whether the first count satisfies a first threshold;
  
  in response to determining that the first count does not satisfy the first threshold, determine that the first request is not a replay request and assign a second count to the first challenge-response credential pair.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The server computer system of claim 1, wherein the one or more first dynamic-credential instructions cause the first challenge credential, the first response credential, and the first count to be stored in a cookie on the client computer.
  - 3. The server computer system of claim 1, wherein the second count is greater than the first count.
  - 4. The server computer system of claim 1, wherein the first count is encrypted and included in the first request, and determining that the first count is associated with the first challenge-response credential pair comprises decrypting the first count from the first request.
  - 5. The server computer system of claim 1, wherein the one or more processors execute the set of server instructions, which causes the one or more processors to:
    - receive a second request that includes a second test-challenge credential and a second test-response credential;
      
      determine that the second test-challenge credential and the second test-response credential are the first challenge-response credential pair, and in response;
      
      determine that the second count is associated with the first challenge-response credential pair;
      
      determine whether the second count satisfies a first threshold;
      
      in response to determining that the second count does satisfy the first threshold, determine that the request is a replay request and preform one or more negative actions.
  - 6. The server computer system of claim 1, wherein the one or more processors execute the set of server instructions, which causes the one or more processors to:
    - receive a second request that includes a second test-challenge credential and a second test-response credential;
      
      determine that the second test-challenge credential and the second test-response credential are the first challenge-response credential pair, and in response, determine whether the second count satisfies a second threshold;
      
      in response to determining that the second count does satisfy the second threshold, generate a second challenge credential to be sent to the client computer, wherein the second challenge credential corresponds to a second response credential in a second challenge-response credential pair;
      
      render one or more second dynamic-credential instructions, which when executed by the client computer, cause the client computer to generate the second response credential in the second challenge-response credential pair;
      
      send, to the client computer, the second challenge credential and the one or more second dynamic-credential instructions, but not the second response credential.
  - 7. The server computer system of claim 1, wherein the first response credential in a first challenge-response credential pair is not generated or stored on the server computer system before receiving the first request.
  - 8. The server computer system of claim 1, wherein the set of server instructions cause the one or more processors to:
    - receive a first set of instructions that define one or more original objects, which are configured to cause one or more requests to be sent to the server computer when executed by the client computer;
      
      modify the first set of instructions to produce a second set of instructions, which when executed by the client computer, cause the first challenge credential to be included in the one or more requests sent from the client computer;
      
      send, to the client computer, the second set of instructions.
  - 9. The server computer system of claim 8, wherein the second set of instructions include the first challenge credential and the one or more first dynamic-credential instructions, wherein sending, to the client computer, the second set of instructions to a second computer comprises sending the first challenge credential and the one or more first dynamic-credential instructions to the client computer.
  - 10. The server computer system of claim 1, wherein the first challenge credential includes a nonce, and the one or more first dynamic-credential instructions cause the client computer to generate the first response credential based on the nonce.
  - 11. The server computer system of claim 1, wherein the set of server instructions cause the one or more processors to:
    - receive a second request that includes a second test-challenge credential and a second test-response credential;
      
      determine that the second test-challenge credential and the second test-response credential are the first challenge-response credential pair, and that the request satisfies one or more criteria, and in response, performing one or more positive actions, without incrementing the first count associated with the first challenge-response credential pair.
  - 12. The server computer system of claim 11, wherein the second request is for a media file, which satisfies the one or more criteria.
  - 13. The server computer system of claim 11, wherein the second request is for a particular web page, which satisfies the one or more criteria.
  - 14. The server computer system of claim 11, wherein the one or more first dynamic-credential instructions cause the second request to include a particular parameter, which satisfies the one or more criteria.

15. A method for validating, at one or more server computers, one or more requests from one or more client computers, comprising:
- generating a first challenge credential comprising a timestamp and a hash generated from the timestamp, to be sent to the client computer, wherein the first challenge credential corresponds to a first response credential in a first challenge-response credential pair;
  
  rendering one or more first dynamic-credential instructions, which when executed by the one or more client computers, cause the one or more client computers to generate the first response credential in the first challenge-response credential pair, based on the timestamp and the hash generated from the timestamp;
  
  sending, to the one or more client computers, the first challenge credential and the one or more first dynamic-credential instructions, but not the first response credential;
  
  receiving a first request that includes a first test-challenge credential and a first test-response credential;
  
  determining whether the first test-challenge credential and the first test-response credential are the first challenge-response credential pair;
  
  in response to determining that the first test-response credential is the first response credential, determining that a first count is associated with the first challenge-response credential pair, and determining whether the first count satisfies a first threshold;
  
  in response to determining that the first count does not satisfy the first threshold, determining that the first request is not a replay request and assign a second count to the first challenge-response credential pair.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The method of claim 15, wherein generating the first challenge credential further comprises causing the first challenge credential, the first response credential, and the first count to be stored in a cookie on the client computer.
  - 17. The method of claim 15, wherein receiving the first request that includes the first test-challenge credential and the first test-response credential further comprises including the first count in the first request.
  - 18. The method of claim 15, further comprising encrypting the first count from the first request and decrypting the first count from the first request.
  - 19. The method of claim 15, further comprising:
    - receiving a second request that includes a second test-challenge credential and a second test-response credential;
      
      determining that the second test-challenge credential and the second test-response credential are the first challenge-response credential pair, and in response;
      
      determining that the second count is associated with the first challenge-response credential pair;
      
      determining whether the second count satisfies a first threshold;
      
      in response to determining that the second count does satisfy the first threshold, determining that the request is a replay request and preform one or more negative actions.
  - 20. The method of claim 15, further comprising:
    - receiving a second request that includes a second test-challenge credential and a second test-response credential;
      
      determining that the second test-challenge credential and the second test-response credential are the first challenge-response credential pair, and in response, determining whether the second count satisfies a second threshold;
      
      in response to determining that the second count does satisfy the second threshold, generating a second challenge credential to be sent to the client computer, wherein the second challenge credential corresponds to a second response credential in a second challenge-response credential pair;
      
      rendering one or more second dynamic-credential instructions, which when executed by the client computer, cause the client computer to generate the second response credential in the second challenge-response credential pair;
      
      sending, to the client computer, the second challenge credential and the one or more second dynamic-credential instructions, but not the second response credential.
  - 21. The method of claim 15, further comprising:
    - receiving a first set of instructions that define one or more original objects, which are configured to cause one or more requests to be sent to the server computer when executed by the client computer;
      
      modifying the first set of instructions to produce a second set of instructions, which when executed by the client computer, cause the first challenge credential to be included in the one or more requests sent from the client computer;
      
      sending, to the client computer, the second set of instructions.
  - 22. The method of claim 21, wherein sending the second set of instructions further comprises sending the first challenge credential and the one or more first dynamic-credential instructions to the client computer.
  - 23. The method of claim 15, further comprising generating the first response credential based on a nonce.
  - 24. The method of claim 15, further comprising:
    - receiving a second request that includes a second test-challenge credential and a second test-response credential;
      
      determining that the second test-challenge credential and the second test-response credential are the first challenge-response credential pair, and that the request satisfies one or more criteria, and in response, performing one or more positive actions, without incrementing the first count associated with the first challenge-response credential pair.
  - 25. The method of claim 24, wherein receiving the second request comprises receiving the second request for a media file, which satisfies the one or more criteria.
  - 26. The method of claim 24, wherein receiving the second request comprises receiving the second request for a particular web page, which satisfies the one or more criteria.
  - 27. The method of claim 24, wherein sending, to the one or more client computers, the first challenge credential and the one or more first dynamic-credential instructions further comprises including, in the one or more first dynamic-credential instructions, instructions that cause the second request to include a particular parameter, which satisfies the one or more criteria.
  - 28. The method of claim 15, wherein generating the first challenge credential, wherein the first challenge credential corresponds to the first response credential further comprises generating a response credential that is a multiple of the challenge credential.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Shape Security Inc. (F5 Incorporated)
Original Assignee
Shape Security Inc. (F5 Incorporated)
Inventors
Jampani, Ganesh, Irwan, Susanto
Primary Examiner(s)
Tran, Ellen

Application Number

US15/249,133
Time in Patent Office

921 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/45   Structures or tools for the...

G06F 2221/2103   Challenge-response

G06F 2221/2133   Verifying human interaction...

G06F 2221/2135   Metering

H04L 2463/144   Detection or countermeasure...

H04L 63/0281   Proxies

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

H04L 63/12   Applying verification of th...

H04L 63/1416   Event detection, e.g. attac...

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 9/0891   Revocation or update of sec...

H04L 9/3271   using challenge-response

Count-based challenge-response credential pairs for client/server request validation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Count-based challenge-response credential pairs for client/server request validation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links