Certificate system for verifying authorized and unauthorized secure sessions

US 10,425,417 B2
Filed: 03/08/2017
Issued: 09/24/2019
Est. Priority Date: 03/08/2017
Status: Active Grant

First Claim

Patent Images

1. A system for identifying potential compromised interactions, the system comprising:

one or more memory devices having computer readable code store thereon; and

one or more processing devices operatively coupled to the one or more memory devices, wherein the one or more processing devices are configured to execute the computer readable code to;

access an organization application;

identify stored certification requirements from the organization application, wherein the stored certification requirements include at least a number of required verified certificates required by an organization from different certification authorities to verify the organization application;

receive one or more certificates and received certification requirements from the organization application;

verify the one or more certificates from the organization application to determine a number of verified certificates provided by the organization;

compare the stored certification requirements identified with the received certification requirements from the organization application to determine when the stored certification requirements meet the received certification requirements; and

notify a user through a user application with a certification requirement notification or prevent an interaction with the organization application when the received certification requirements fail to meet the stored certification requirements.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, computer products, and methods are described herein for an improved secure certificate system for identifying potential authorized and unauthorized interactions between a web browser and a website. The certificate system utilizes stored certification requirements (e.g., pinned certification requirements, third-party certification requirement system, or the like), and compares the stored certification requirements with received certification requirements. The system may notify the user or prevent the interaction between the web browser and website when the stored certification requirements do not meet the received certification requirements (e.g., a threshold requirement of certificates to validate, validated certificates, or the like). The certificate system allows the interaction between the web browser and website when the stored certification requirements meet the received certification requirements and the website is verified based on the certification requirements. It should be also understood that the certificate system may also be utilized for interactions between dedicated applications.

93 Citations

View as Search Results

20 Claims

1. A system for identifying potential compromised interactions, the system comprising:
- one or more memory devices having computer readable code store thereon; and
  
  one or more processing devices operatively coupled to the one or more memory devices, wherein the one or more processing devices are configured to execute the computer readable code to;
  
  access an organization application;
  
  identify stored certification requirements from the organization application, wherein the stored certification requirements include at least a number of required verified certificates required by an organization from different certification authorities to verify the organization application;
  
  receive one or more certificates and received certification requirements from the organization application;
  
  verify the one or more certificates from the organization application to determine a number of verified certificates provided by the organization;
  
  compare the stored certification requirements identified with the received certification requirements from the organization application to determine when the stored certification requirements meet the received certification requirements; and
  
  notify a user through a user application with a certification requirement notification or prevent an interaction with the organization application when the received certification requirements fail to meet the stored certification requirements.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, wherein the stored certification requirements are stored by:
    - accessing the organization application a first time;
      
      receiving first certification requirements for the first time; and
      
      pinning the first certification requirements as pinned certification requirements for future use.
  - 3. The system of claim 2, wherein identifying the stored certification requirements comprises identifying the pinned certification requirements for the organization application.
  - 4. The system of claim 1, wherein identifying the stored certification requirements comprises:
    - accessing a certification requirement system;
      
      providing a reference to the organization application; and
      
      receiving the stored certification requirements from the certification requirement system.
  - 5. The system of claim 4, wherein the certification requirement system is maintained by a third party and wherein the one or more processing devices are configured to execute the computer readable code to:
    - receive one or more second certificates from the certification requirement system; and
      
      verify the certification requirement system using the one or more second certificates.
  - 6. The system of claim 1, wherein identifying the stored certification requirements comprises:
    - receiving a certification requirement certificate from the organization application;
      
      verifying the certification requirement certificate; and
      
      identifying the stored certification requirements from the certification requirement certificate.
  - 7. The system of claim 6, wherein the certification requirement certificate is validated by a certification authority and wherein verifying the certification requirement certificate at least comprises comparing the certification authority that validated the certification requirement certificate with a stored list of trusted certification authorities.
  - 8. The system of claim 1, wherein notifying the user when the received certification requirements fail to meet the stored certification requirements comprises notifying the user application that there is a potential unauthorized entity using a compromised certificate.
  - 9. The system of claim 1, wherein preventing the interaction with the organization application when the received certification requirements fail to meet the stored certification requirements comprises preventing the user application from communicating with the organization application.
  - 10. The system of claim 1, wherein the stored certification requirements comprise requiring at least two or more required verified certificates.
  - 11. The system of claim 1, wherein the stored certification requirements comprise requiring that at least two or more certificates are provided by the different certification authorities.
  - 12. The system of claim 1, wherein the one or more processing devices are further configured to execute the computer readable code to:
    - provide a verification notification to the user through the user application or preventing the interaction with the organization application when the number of verified certificates is less than the number of required verified certificates; and
      
      allow the interaction to occur when the number of verified certificates is equal to or more than the number of required verified certificates and proceeding to initiating a secure session.
  - 13. The system of claim 1, wherein verifying the one or more certificates comprises determining if the one or more certificates are expired, compromised, or revoked.
  - 14. The system of claim 1, wherein when the stored certification requirements meet the received certification requirements, the one or more processing devices are configured to execute the computer readable code to:
    - receive two or more public keys from the organization application, through an organization system, wherein at least one of the two or more public keys from the organization application is a self-created public key from a self-created public and private key pair within a self-signed certificate generated or provided by the organization application;
      
      create a symmetric session key for a secure session with the organization application;
      
      encrypt the symmetric session key to create an encrypted symmetric session key using the two or more public keys;
      
      send the encrypted symmetric session key to the organization application, through the organization system, wherein the encrypted symmetric session key is decrypted by the organization application using two or more private keys corresponding to the two or more public keys; and
      
      receive and send information from and to the organization application using the symmetric session key.

15. A computer implemented method for identifying potential compromised interactions, the method comprising:
- accessing, by one or more processors, an organization application;
  
  identifying, by the one or more processors, stored certification requirements from the organization application, wherein the stored certification requirements include at least a number of required verified certificates required by an organization from different certification authorities to verify the organization application;
  
  receiving, by the one or more processors, one or more certificates and received certification requirements from the organization application;
  
  verifying, by the one or more processors, the one or more certificates from the organization application to determine a number of verified certificates provided by the organization;
  
  comparing, by the one or more processors, the stored certification requirements identified with the received certification requirements from the organization application to determine when the stored certification requirements meet the received certification requirements; and
  
  notifying, by the one or more processors, a user through a user application with a certification requirement notification or prevent an interaction with the organization application when the received certification requirements fail to meet the stored certification requirements.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method of claim 15, wherein the stored certification requirements are stored by:
    - accessing the organization application a first time;
      
      receiving first certification requirements for the first time;
      
      pinning the first certification requirements as pinned certification requirements for future use; and
      
      wherein identifying the stored certification requirements comprises identifying the pinned certification requirements for the organization application.
  - 17. The method of claim 15, wherein identifying the stored certification requirements comprises:
    - accessing a certification requirement system, wherein the certification requirement system is maintained by a third party;
      
      providing a reference to the organization application; and
      
      receiving the stored certification requirements from the certification requirement system;
      
      receiving one or more second certificates from the certification requirement system with; and
      
      verifying the certification requirement system using the one or more second certificates.
  - 18. The method of claim 15, wherein identifying the stored certification requirements comprises:
    - receiving a certification requirement certificate from the organization application, wherein the certification requirement certificate is validated by a certification authority;
      
      verifying the certification requirement certificate, wherein verifying the certification requirement certificate at least comprises comparing the certification authority that validated the certification requirement certificate with a stored list of trusted certification authorities; and
      
      identifying the stored certification requirements from the certification requirement certificate.
  - 19. The method of claim 15, wherein notifying the user when the received certification requirements fail to meet the stored certification requirements comprises notifying the user application that there is a potential unauthorized entity using a compromised certificate;
    - and wherein preventing the interaction with the organization application when the received certification requirements fail to meet the stored certification requirements comprises preventing the user application from communicating with the organization application.

20. A computer program product for identifying potential compromised interactions, the computer program product comprising at least one non-transitory computer-readable medium having computer-readable program code portions embodied therein, the computer-readable program code portions comprising:
- an executable portion configured to access an organization application;
  
  an executable portion configured to identify stored certification requirements from the organization application, wherein the stored certification requirements include at least a number of required verified certificates required by an organization from different certification authorities to verify the organization application;
  
  an executable portion configured to receive one or more certificates and received certification requirements from the organization application;
  
  an executable portion configured to verify the one or more certificates from the organization application to determine a number of verified certificates provided by the organization;
  
  an executable portion configured to compare the stored certification requirements identified with the received certification requirements from the organization application to determine when the stored certification requirements meet the received certification requirements; and
  
  an executable portion configured to notify a user through a user application with a certification requirement notification or prevent an interaction with the organization application when the received certification requirements fail to meet the stored certification requirements.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of America Corp.
Original Assignee
Bank of America Corp.
Inventors
Frederick, Carl R., Kazin, Joel S.
Primary Examiner(s)
Su, Sarah

Application Number

US15/453,649
Publication Number

US 20180262504A1
Time in Patent Office

930 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0435   wherein the sending and rec...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 9/006   involving public key infras...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3268   using certificate validatio...

Certificate system for verifying authorized and unauthorized secure sessions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

93 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Certificate system for verifying authorized and unauthorized secure sessions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

93 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links