System and method for managing security testing
Abstract
The subject matter relates generally to a system and method for managing security testing. Particularly, this invention relates to maintaining a security database by correlating multiple sources of vulnerability data and also to managing security testing from plural vendors. This invention also relates to providing secure session tracking by performing plural authentications of a user.
68 Claims
1. A method for authenticating a user plural times during an access session, comprising the steps of:
    (a) receiving a username and password from the user;
    (b) authenticating the user at a server;
    (c) allowing the user to access a first set of information; and
    (d) re-authenticating the user upon receipt of a request from the user to access a second set of information.
Dependent claims: 2, 13, 14, 15.
3. The method of claim 1 wherein step (b) further comprises:
    (i) encrypting the password;
    (ii) comparing the username and encrypted password with a pre-existing database of usernames and encrypted passwords stored on the server; and
    (iii) if the username and encrypted password are found in the database:
        (A) encrypting the encrypted password to thereby create a first double encrypted password;
        (B) creating a session ID; and
        (C) transmitting the first double encrypted password and the session ID to the user.
Dependent claims: 4, 5, 6.

7. The method of claim 6 further comprising the step of storing the first random salt.
16. A method for authenticating a user plural times during a single access session, comprising the steps of:
    (a) receiving identification information from the user;
    (b) encrypting at least a portion of the received identification information using a first salt to thereby produce an encrypted password;
    (c) authenticating the user;
    (d) upon successful authentication of the user:
        (i) encrypting a copy of the encrypted password using a second salt to thereby produce a first double encrypted password;
        (ii) producing a session ID using the second salt;
        (iii) storing the second salt;
        (iv) transmitting the first double encrypted password and the session ID to the user; and
        (v) allowing the user to access a first set of information;
    (e) receiving at the computer a request from the user to access a second set of information, said request including the first double encrypted password and the session ID;
    (f) obtaining the second salt from the received session ID;
    (g) encrypting a copy of the encrypted password with the obtained second salt to thereby produce a second double encrypted password;
    (h) comparing the first and second double encrypted passwords; and
    (i) re-authenticating the user if the first and second double encrypted passwords match.
Dependent claims: 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29.
30. In a method for authenticating a user for accessing a server including a memory which contains a stored username and a stored encrypted password for the user where the encrypted password is a function of a first salt, and where the server receives a username and password from the user and uses at least the password for initially authenticating the user for access to the server, the improvement comprising the steps of:
    (a) transmitting to the user a first set of information comprising:
        (i) a first hash comprising the password encrypted by the first salt and a second salt; and
        (ii) a session ID produced using the second salt;
    (b) receiving from the user a second set of information comprising:
        (i) the first hash; and
        (ii) the session ID;
    (c) obtaining the second salt from the received session ID;
    (d) producing a second hash comprising the password encrypted by the first salt and the obtained second salt; and
    (e) comparing the first hash and the second hash.
Dependent claims: 31, 32, 33, 34, 35, 36, 37, 38.
39. A system for authenticating a user plural times during an access session, comprising:
    (a) a means for receiving a username and password from the user;
    (b) a server; and
    (c) a computer readable medium containing a program to be executed by the server, when executed, the program to configure the server to:
        (i) authenticate the user for access to the server;
        (ii) allow the user to access a first set of information; and
        (iii) re-authenticate the user upon receipt of a request from the user to access a second set of information.
Dependent claims: 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52.
53. In a computer readable medium containing a program to be executed by a server, when executed, the program to configure the processor to authenticate a received user username and a received user password to permit a user access, the improvement comprising further configuring the server to:
    (a) transmit to the user a first set of information comprising:
        (i) a first hash comprising a password encrypted by a first salt and a second salt; and
        (ii) a session ID produced using the second salt;
    (b) receive from the user a second set of information comprising:
        (i) the first hash; and
        (ii) the session ID;
    (c) obtain the second salt from the received session ID;
    (d) produce a second hash comprising the password encrypted by the first salt and the obtained second salt; and
    (e) compare the first hash and the second hash.
Dependent claims: 54, 55, 56, 57, 58, 59, 60, 61.
62. In a computer readable medium containing a program to be executed by a server, when executed, the program to configure the processor to authenticate a received user username and a received user password so as to permit a user access, the improvement comprising further configuring the server to:
    (a) transmit to the user a first set of information comprising a first encrypted password produced using a first salt;
    (b) receive from the user a second set of information comprising the first set of information;
    (c) determine the first salt using information contained in the second set of information;
    (d) produce a second encrypted password using the determined first salt; and
    (e) re-authenticate the user if the first encrypted password matches the second encrypted password.
Dependent claims: 63, 64, 65, 66, 67, 68.
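The two-salt re-authentication scheme recited in claims 3, 16, 30, 53 and 62 is easier to follow in code. The following is an added, self-contained Python model written for this page; it is not code from the patent or its assignee. It assumes that "encrypting with a salt" means a salted SHA-256 hash (the claims name no algorithm), that the session ID is derived by hashing the second salt and kept in a server-side table so the salt can be recovered from it (claim 16 steps (d)(ii), (d)(iii) and (f)), and that comparisons are done in constant time. The user record, user names and passwords are constructed sample data. The server never needs the plaintext password again after login: re-authentication recomputes the double hash from the stored first-salt hash and the second salt looked up by session ID, exactly as steps (f) through (i) describe, and a request with an unknown session ID or a tampered token is rejected.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field


def salted_hash(salt: bytes, data: bytes) -> bytes:
    """Model of 'encrypting data with a salt' as a salted SHA-256 hash (an assumption)."""
    return hashlib.sha256(salt + data).digest()


@dataclass
class Server:
    """Server side of claim 16: user database plus a table of second salts keyed by session ID."""

    # username -> (first salt, password hashed with the first salt); constructed sample store
    users: dict[str, tuple[bytes, bytes]] = field(default_factory=dict)
    # session ID -> (username, second salt): claim 16 step (d)(iii), "storing the second salt"
    sessions: dict[str, tuple[str, bytes]] = field(default_factory=dict)

    def register(self, username: str, password: str) -> None:
        """Create the stored encrypted password as a function of a per-user first salt (claim 30 preamble)."""
        first_salt = os.urandom(16)
        self.users[username] = (first_salt, salted_hash(first_salt, password.encode()))

    def login(self, username: str, password: str) -> tuple[bytes, str] | None:
        """Steps (a)-(d): authenticate, then issue the double hash and session ID."""
        record = self.users.get(username)
        if record is None:
            return None
        first_salt, stored = record
        # step (b): encrypt the submitted password with the user's first salt
        candidate = salted_hash(first_salt, password.encode())
        # step (c): compare against the database entry in constant time
        if not hmac.compare_digest(candidate, stored):
            return None
        # step (d)(i): encrypt a copy of the stored hash with a fresh second salt
        second_salt = os.urandom(16)
        double_hash = salted_hash(second_salt, stored)
        # step (d)(ii): session ID produced from the second salt (assumed derivation)
        session_id = hashlib.sha256(b"session-id:" + second_salt).hexdigest()
        # step (d)(iii): keep the second salt so it can be recovered from the session ID
        self.sessions[session_id] = (username, second_salt)
        # step (d)(iv): both values go back to the user
        return double_hash, session_id

    def reauthenticate(self, double_hash: bytes, session_id: str) -> bool:
        """Steps (e)-(i): verify a later request carrying the double hash and session ID."""
        entry = self.sessions.get(session_id)
        if entry is None:
            # unknown or expired session: nothing to recompute against
            return False
        username, second_salt = entry          # step (f)
        _, stored = self.users[username]
        expected = salted_hash(second_salt, stored)   # step (g)
        return hmac.compare_digest(expected, double_hash)  # steps (h), (i)


def run_session() -> dict[str, bool]:
    """Drive one login and several follow-up requests; returns the outcome of each check."""
    server = Server()
    server.register("alice", "correct horse battery staple")  # constructed sample user

    results = {"wrong_password_rejected": server.login("alice", "wrong") is None}
    token = server.login("alice", "correct horse battery staple")
    assert token is not None
    double_hash, session_id = token

    # request for the "second set of information" carrying the issued credentials
    results["valid_request_accepted"] = server.reauthenticate(double_hash, session_id)
    # session ID not issued by the server
    results["unknown_session_rejected"] = not server.reauthenticate(double_hash, "0" * 64)
    # token altered in transit
    tampered = bytes([double_hash[0] ^ 0x01]) + double_hash[1:]
    results["tampered_token_rejected"] = not server.reauthenticate(tampered, session_id)
    # a second login uses a fresh second salt, so it yields a different token and session
    again = server.login("alice", "correct horse battery staple")
    results["fresh_salt_per_login"] = again is not None and again[1] != session_id and again[0] != double_hash
    return results


if __name__ == "__main__":
    for name, ok in run_session().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Because the double hash and session ID are presented together on every later request, they act as a bearer credential for the life of the session; the claims say nothing about expiry, so a deployment following them would still want the session table entries to time out and to be bound to the transport (TLS) to limit replay.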
Specification