Method and system for identifying a replay attack by an access device to a computer system

US 20030065919A1
Filed: 04/05/2002
Published: 04/03/2003
Est. Priority Date: 04/18/2001
Status: Abandoned Application

First Claim

Patent Images

1. A method of authenticating a user device requesting access to a computer system, the method including:

encrypting current session data at a connection application of the user device via which a user requests access to the computer system, the current session data changing with each user request;

including the encrypted current session data in user authentication data in an access request which is communicated in plain text;

decrypting the access request and comparing reference session data with the decrypted current session data; and

selectively categorizing the user request dependent upon the outcome of the comparison.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided of authenticating a user device requesting access to a computer system. The method includes encrypting current session data at a connection application of the user device via which a user requests access to the computer system, the current session data changing with each user request. The encrypted current session data is then included in user authentication data in an access request which is communicated in plain text which is then decrypted. Reference session data is then compared with the decrypted current session data and the user request is selectively categorized dependent upon the outcome of the comparison. The encrypted session data is provided in a format suitable for communication using a protocol from one of Point-to-Point Protocol (PPP), Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Remote Authentication Dial In User Service (RADIUS) protocol, Terminal Access Controller Access Control System (TACACS) protocol, Lightweight Directory Access Protocol (LDAP), NT Domain authentication protocol, Unix password authentication protocol, HyperText Transfer Protocol (HTTP), HyperText Transfer Protocol over Secure sockets layer (HTTPS), Extended Authentication Protocol (EAP), Transport Layer Security (TLS) protocol, Token Ring protocol and Secure Remote Password protocol (SRP).

258 Citations

34 Claims

1. A method of authenticating a user device requesting access to a computer system, the method including:
- encrypting current session data at a connection application of the user device via which a user requests access to the computer system, the current session data changing with each user request;
  
  including the encrypted current session data in user authentication data in an access request which is communicated in plain text;
  
  decrypting the access request and comparing reference session data with the decrypted current session data; and
  
  selectively categorizing the user request dependent upon the outcome of the comparison.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, which includes storing the decrypted current session data as reference session data when the user request is categorized as a valid user request.
  - 3. The method of claim 2, in which the session data includes a number that is changed for each user session.
  - 4. The method of claim 3, in which the number is incremented for each user request, the user request being categorized as a replay attack if the number is not greater than the reference number.
  - 5. The method of claim 2, which includes:
    - storing a reference date and time when the current session data is stored as reference session data;
      
      comparing a current date and time associated with the current session data with the reference date and time; and
      
      categorizing the user request as a valid request if the current session data is the same as the reference session data when a difference between the current date and time of the reference date and time is within a predetermined window period.
  - 6. The method of claim 1, which includes providing the encrypted session data in a format suitable for communication using a protocol from one of Point-to-Point Protocol (PPP), Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Remote Authentication Dial In User Service (RADIUS) protocol, Terminal Access Controller Access Control System (TACACS) protocol, Lightweight Directory Access Protocol (LDAP), NT Domain authentication protocol, Unix password authentication protocol, HyperText Transfer Protocol (HTTP), HyperText Transfer Protocol over Secure sockets layer (HTTPS), Extended Authentication Protocol (EAP), Transport Layer Security (TLS) protocol, Token Ring protocol and Secure Remote Password protocol (SRP).
  - 7. The method of claim 1, which includes encrypting the session data using a public/private key pair suitable for use with elliptic curve cryptography.
  - 8. The method of claim 1, in which the session data includes a unique session identification that is uniquely associated with a single user session.
  - 9. The method of claim 1, in which the comparing of the decrypted current session data and the reference session data is performed at least at one of a network access server, a transaction server, and an authentication server, of a service access system including a plurality of service providers.

10. A method identifying a replay attack by an access device requesting access to a computer system, the method including:
- receiving an encrypted access request in plain text from the access device;
  
  decrypting the access request and identifying current session data in the access request, the current session data being generated by the access device;
  
  comparing decrypted current session data with reference session data; and
  
  selectively categorizing the user request as a replay attack dependent upon the outcome of the comparison.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, which includes storing the decrypted current session data as reference session data when the user request is categorized as a valid user request.
  - 12. The method of claim 11, in which the session data includes a number that is changed for each user session, the method including comparing the current number with the reference number and categorizing the user request as a replay attack if the current number is less than the reference number.
  - 13. The method of claim 11, which includes:
    - storing a reference date and time when the current session data is stored as reference session data;
      
      comparing a current date and time associated with the current session data with the reference date and time; and
      
      categorizing the user request as a replay attack if the current session data is the same as the reference session data when a difference between the current date and time of the reference date and time is outside of a predetermined window period.
  - 14. The method of claim 10, which includes:
    - receiving an access request using a protocol from one of Point-to-Point Protocol (PPP), Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Remote Authentication Dial In User Service (RADIUS) protocol, Terminal Access Controller Access Control System (TACACS) protocol, Lightweight Directory Access Protocol (LDAP), NT Domain authentication protocol, Unix password authentication protocol, HyperText Transfer Protocol (HTTP), HyperText Transfer Protocol over Secure sockets layer (HTTPS), Extended Authentication Protocol (EAP), Transport Layer Security (TLS) protocol, Token Ring protocol and Secure Remote Password protocol (SRP); and
      
      extracting the current session data from a user string of the protocol.
  - 15. The method of claim 10, which includes decrypting the session data using a private key of a public/private key pair suitable for use with elliptic curve cryptography.
  - 16. The method of claim 10, in which the comparing of the current session data and the reference session data is performed at least at one of a network access server, a transaction server, and an authentication server, of a service access system including a plurality of service providers.

17. A system for authenticating a user device requesting access to a computer, the system including:
- a session data generator to generate current session data at a connection application of the user device via which a user requests access to the computer, the current session data changing with each user request;
  
  an encryption module to encrypt and include the current session data in user authentication data to provide an encrypted access request which is communicated in plain text; and
  
  a processor to decrypt the encrypted access request;
  
  a comparator to compare the reference session data with the decrypted current session data, the processor selectively categorizing the user request dependent upon the outcome of the comparison.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The system of claim 17, which includes memory to store the current session data as reference session data when the user request is categorized as a valid user request.
  - 19. The method of claim 18, in which the session data generator generates the current session data as a number that is changed for each user session.
  - 20. The system of claim 19, in which the session data generator increments the number for each user request, the user request being categorized as a replay attack if the number is not greater than the reference session data.
  - 21. The system of claim 18, in which a reference date and time is stored when the current session data is stored as reference session data, the comparator comparing a current date and time associated with the current session data with the reference date and time and the processor categorizing the user request as a valid request if the current session data is the same as the reference session data when a difference between the current date and time of the reference date and time is within a predetermined window period.

22. A computer server for identifying a replay attack by an access device requesting access to a computer system, the computer server including:
- a receiver to receive an encrypted access request which is in plain text from the access device;
  
  a processor to decrypt and identify current session data in the access request, the current session data being generated by the access device;
  
  a comparator to compare the decrypted current session data with reference session data, the processor selectively categorizing the user request as a replay attack dependent upon the outcome of the comparison.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The computer server of claim 22, which includes memory to store the current session data as reference session data when the user request is categorized as a valid user request.
  - 24. The computer server of claim 23, in which the session data is a number that is changed for each user session, the comparator comparing the current number with the reference number and the processor categorizing the user request as a replay attack if the current number is less than the reference number.
  - 25. The computer server of claim 24, in which a reference date and time is stored in the memory when the current session data is stored as reference session data, and the comparator compares a current date and time associated with the current session data with the reference date and time, the processor categorizing the user request as a replay attack if the current session data is the same as the reference session data when a difference between the current date and time of the reference date and time is outside of a predetermined window period.
  - 26. The computer server of claim 22, in which the receiver is arranged to receive an access request using a protocol from one of Point-to-Point Protocol (PPP), Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Remote Authentication Dial In User Service (RADIUS) protocol, Terminal Access Controller Access Control System (TACACS) protocol, Lightweight Directory Access Protocol (LDAP), NT Domain authentication protocol, Unix password authentication protocol, HyperText Transfer Protocol (HTTP), HyperText Transfer Protocol over Secure sockets layer (HTTPS), Extended Authentication Protocol (EAP), Transport Layer Security (TLS) protocol, Token Ring protocol and Secure Remote Password protocol (SRP), the processor extracting the session data from a user string of the protocol.
  - 27. The computer server of claim 22, which includes a decryption component suitable for decrypting the session data using elliptic curve cryptography.
  - 28. The computer server of claim 22, which defines one of a network access server, a transaction server, and an authentication server, of a service access system including a plurality of service providers.

29. A computer server for identifying a replay attack by an access device requesting access to a computer system, the computer server including:
- means for receiving an access request from the access device;
  
  means for identifying current session data in the access request, the current session data being generated by the access device; and
  
  means for comparing current session data with reference data and selectively categorizing the user request as a replay attack dependent upon the outcome of the comparison.

30. A machine-readable medium embodying a sequence of instructions for identifying a replay attack by an access device requesting access to a computer system, the instructions, when executed by the machine, causing the machine to:
- receive an encrypted access request from the access device in plain text;
  
  decrypt and identify current session data in the access request, the current session data being generated by the access device;
  
  compare current session data with reference data; and
  
  selectively categorize the user request as a replay attack dependent upon the outcome of the comparison.
- View Dependent Claims (31, 32, 33, 34)
- - 31. The machine-readable medium of claim 30, which causes the current session data to be stored as reference session data when the user request is categorized as a valid user request.
  - 32. The machine-readable medium of claim 30, in which the session data is a number that is changed for each user session, the instructions causing the current number to be compared with the reference number and categorizing the user request as a replay attack if the current number is less than the reference number.
  - 33. The machine-readable medium of claim 32, in which the instructions cause:
    - a reference date and time to be stored when the current session data is stored as reference session data;
      
      a current date and time associated with the current session data to be compared with the reference date and time; and
      
      the user request to be categorized as a replay attack if the current session data is the same as the reference session data when a difference between the current date and time of the reference date and time is outside of a predetermined window period.
  - 34. The machine-readable medium of claim 32, in which the instructions cause:
    - an access request to be received using a protocol from one of Point-to-Point Protocol (PPP), Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Remote Authentication Dial In User Service (RADIUS) protocol, Terminal Access Controller Access Control System (TACACS) protocol, Lightweight Directory Access Protocol (LDAP), NT Domain authentication protocol, Unix password authentication protocol, HyperText Transfer Protocol (HTTP), HyperText Transfer Protocol over Secure sockets layer (HTTPS), Extended Authentication Protocol (EAP), Transport Layer Security (TLS) protocol, Token Ring protocol and Secure Remote Password protocol (SRP); and
      
      the session data to be extracted from a user string of the protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ipass Incorporated (Pareteum Corp.)
Original Assignee
Ipass Incorporated (Pareteum Corp.)
Inventors
Edgett, Jeff Steven, Sunder, Singam, Albert, Roy David

Application Number

US10/118,406
Publication Number

US 20030065919A1
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 21/31   User authentication

G06Q 20/14   specially adapted for billi...

H04L 63/0442   wherein the sending and rec...

H04L 63/083   using passwords cryptograph...

H04L 63/108   when the policy decisions a...

H04L 9/0844   with user authentication or...

Method and system for identifying a replay attack by an access device to a computer system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

258 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for identifying a replay attack by an access device to a computer system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

258 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links