System and method for managing security testing

US 20070061571A1
Filed: 03/31/2006
Published: 03/15/2007
Est. Priority Date: 09/09/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method for authenticating a user plural times during an access session, comprising the steps of:

(a) receiving a username and password from the user;

(b) authenticating the user at a server;

(c) allowing the user to access a first set of information; and

(d) re-authenticating the user upon receipt of a request from the user to access a second set of information.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The subject matter relates generally to a system and method for managing security testing. Particularly, this invention relates to maintaining a security database by correlating multiple sources of vulnerability data and also to managing security testing from plural vendors. This invention also relates to providing secure session tracking by performing plural authentications of a user.

97 Citations

View as Search Results

68 Claims

1. A method for authenticating a user plural times during an access session, comprising the steps of:
- (a) receiving a username and password from the user;
  
  (b) authenticating the user at a server;
  
  (c) allowing the user to access a first set of information; and
  
  (d) re-authenticating the user upon receipt of a request from the user to access a second set of information.
- View Dependent Claims (2, 13, 14, 15)
- - 2. The method of claim 1 wherein step (a) further comprises:
    - (i) providing a webpage having username and password input fields;
      
      (ii) obtaining a username and password from the user; and
      
      (iii) transmitting the username and password to the server.
  - 13. The method of claim 1 wherein the server controls access from the first network to a second network.
  - 14. The method of claim 1 wherein the username and password received from the user is received via either http or https protocol.
  - 15. The method of claim 1 wherein the first set of information is selected from the group consisting of a first online database, a first secure webpage, a first secure network or a first web application.

3. The method of claim A wherein step (b) further comprises:
- (i) encrypting the password;
  
  (ii) comparing the username and encrypted password with a pre-existing database of usernames and encrypted passwords stored on the server; and
  
  (iii) if the username and encrypted password are found in the database;
  
  (A) encrypting the encrypted password to thereby create a first double encrypted password;
  
  (B) creating a session ID; and
  
  (C) transmitting the first double encrypted password and the session ID to the user.
- View Dependent Claims (4, 5, 6)
- - 4. The method of claim 3 wherein the step of encrypting the encrypted password comprises copying a previously-stored encrypted password for the user.
  - 5. The method of claim 3 wherein the step of encrypting the password is performed using a static salt.
  - 6. The method of claim 3 wherein the step of encrypting the encrypted password is performed using a first random salt.

7. The method of claim A6 further comprising the step of storing the first random salt.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7 wherein step (d) further comprises:
    - (i) receiving a request to access a second set of information, said request including the first double encrypted password and the session ID;
      
      (ii) obtaining the first random salt using the received session ID;
      
      (iii) encrypting the encrypted password with the obtained first random salt to thereby produce a second double encrypted password;
      
      (iv) comparing the first and second double encrypted passwords; and
      
      (v) re-authenticating the user if the first and second double encrypted passwords match.
  - 9. The method of claim 8 wherein the step of encrypting the encrypted password comprises copying a previously-stored encrypted password for the user.
  - 10. The method of claim 9 wherein step (d) further comprises:
    - (vi) creating a second random salt;
      
      (vii) encrypting a copy of the previously-stored encrypted password using the second random salt to thereby produce a third double encrypted password;
      
      (viii) updating the session ID using the second random salt; and
      
      (ix) transmitting to the user the third double encrypted password.
  - 11. The method of claim 10 wherein the step of encrypting the encrypted password to thereby produce the third double encrypted password comprises copying a previously-stored encrypted password for the user.
  - 12. The method of claim 8 further comprising allowing the user to access the second set of information on the computer upon successful re-authentication of the user.

16. A method for authenticating a user plural times during a single access session, comprising the steps of:
- (a) receiving identification information from the user;
  
  (b) encrypting at least a portion of the received identification information using a first salt to thereby produce an encrypted password;
  
  (c) authenticating the user;
  
  (d) upon successful authentication of the user;
  
  (i) encrypting a copy of the encrypted password using a second salt to thereby produce a first double encrypted password;
  
  (ii) producing a session ID using the second salt;
  
  (iii) storing the second salt;
  
  (iv) transmitting the first double encrypted password and the session ID to the user; and
  
  (v) allowing the user to access a first set of information;
  
  (e) receiving at the computer a request from the user to access a second set of information, said request including the first double encrypted password and the session ID;
  
  (f) obtaining the second salt from the received session ID;
  
  (g) encrypting a copy of the encrypted password with the obtained second salt to thereby produce a second double encrypted password;
  
  (h) comparing the first and second double encrypted passwords; and
  
  (i) re-authenticating the user if the first and second double encrypted passwords match.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 17. The method of claim 16 further comprising the steps of:
    - (j) upon successful re-authentication of the user;
      
      (i) encrypting a copy of the encrypted password using a third salt to thereby produce a third double encrypted password;
      
      (ii) updating the session ID using the third salt;
      
      (iii) transmitting the third double encrypted password to the user; and
      
      (iv) allowing the user to access the second set of information.
  - 18. The method of claim 17 wherein at least one of the first, second, and third salt is a random salt.
  - 19. The method of claim 18 wherein the first salt is a static salt.
  - 20. The method of claim 17 wherein each of the steps of encrypting a copy of the encrypted password to thereby produce either the first, the second, or the third double encrypted password, respectively, comprises copying a previously-stored encrypted password for the user.
  - 21. The method of claim 16 wherein at least one of the first and second salt is a random salt.
  - 22. The method of claim 16 wherein the first salt is a static salt and the second salt is a random salt.
  - 23. The method of claim 16 wherein the identification information from the user includes at least one of a password and biometric data.
  - 24. The method of claim 23 wherein the identification information from the user further includes a username.
  - 25. The method of claim 16 further comprising the step of allowing the user to access the second set of information upon successful re-authentication of the user.
  - 26. The method of claim 16 wherein the computer is a server on a first network.
  - 27. The method of claim 26 wherein the server controls access from the first network to a second network.
  - 28. The method of claim 27 wherein the first and second set of information each reside on the second network.
  - 29. The method of claim 16 wherein the identification information received from the user is received at the computer via either http or https protocol.

30. In a method for authenticating a user for accessing a server including a memory which contains a stored username and a stored encrypted password for the user where the encrypted password is a function of a first salt, and where the server receives a username and password from the user and uses at least the password for initially authenticating the user for access to the server, the improvement comprising the steps of:
- (a) transmitting to the user a first set of information comprising;
  
  (i) a first hash comprising the password encrypted by the first salt and a second salt; and
  
  (ii) a session ID produced using the second salt;
  
  (b) receiving from the user a second set of information comprising;
  
  (i) the first hash; and
  
  (ii) the session ID;
  
  (c) obtaining the second salt from the received session ID;
  
  (d) producing a second hash comprising the password encrypted by the first salt and the obtained second salt; and
  
  (e) comparing the first hash and the second hash.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38)
- - 31. The method of claim 30 further comprising:
    - (f) transmitting to the user a third set of information comprising a third hash comprising the password encrypted by the first salt and a third salt;
      
      (g) receiving from the user a fourth set of information comprising;
      
      (i) the third hash; and
      
      (ii) the session ID;
      
      (h) obtaining the third salt from the received session ID;
      
      (i) producing a fourth hash comprising the password encrypted by the first salt and the obtained third salt; and
      
      (j) comparing the third hash and the fourth hash.
  - 32. The method of claim 31 wherein at least one of the second and third salt is a random salt.
  - 33. The method of claim 32 wherein the first salt is a static salt.
  - 34. The method of claim 30 wherein at least one of the first and second salt is a random salt.
  - 35. The method of claim 30 wherein the first salt is a static salt and the second salt is a random salt.
  - 36. The method of claim 30 wherein the computer is a server on a first network.
  - 37. The method of claim 36 wherein the server controls access from the first network to a second network.
  - 38. The method of claim 30 wherein the username and password received from the user are received at the computer via either http or https protocol.

39. A system for authenticating a user plural times during an access session, comprising:
- (a) a means for receiving a username and password from the user;
  
  (b) a server; and
  
  (c) a computer readable medium containing a program to be executed by the server, when executed, the program to configure the server to;
  
  (i) authenticate the user for access to the server;
  
  (ii) allow the user to access a first set of information; and
  
  (iii) re-authenticate the user upon receipt of a request from the user to access a second set of information.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52)
- - 40. The system of claim 39 wherein the program, when executed, authenticates the user and further configures the processor to:
    - (c)(i)(A) encrypt the password;
      
      (c)(i)(B) encrypt the encrypted password to thereby create a first double encrypted password;
      
      (c)(i)(C) create a session ID; and
      
      (c)(i)(D) transmit the first double encrypted password and the session ID to the user.
  - 41. The system of claim 40 further comprising a database containing authorized usernames and encrypted passwords, wherein the program, when executed, authenticates the user by comparing the username and the encrypted password against the database of entries of usernames and encrypted passwords.
  - 42. The system of claim 40 wherein the program, when executed, encrypts the encrypted password by copying a previously-stored encrypted password for the user.
  - 43. The system of claim 40 wherein the program, when executed, configures the server to encrypt the password using a static salt.
  - 44. The system of claim 40 wherein the program, when executed, configures the server to encrypt the encrypted password using a random salt.
  - 45. The system of claim 44 wherein the program, when executed, configures the server to create the session ID using the random salt.
  - 46. The system of claim 45 wherein the program, when executed, configures the server to store the random salt.
  - 47. The system of claim 46 wherein the program, when executed, re-authenticates the user and further configures the server to:
    - (c)(iii)(A) receive a request from the user to access a second set of information, said request including the first double encrypted password and the session ID;
      
      (c)(iii)(B) obtain the random salt from the received session ID;
      
      (c)(iii)(C) encrypt the encrypted password with the obtained random salt to thereby produce a second double encrypted password;
      
      (c)(iii)(D) compare the first and second double encrypted passwords; and
      
      (c)(iii)(E) re-authenticate the user if the first and second double encrypted passwords match.
  - 48. The system of claim 47 wherein the program, when executed, encrypts the encrypted password to thereby produce the second double encrypted password by copying a previously-stored encrypted password for the user.
  - 49. The system of claim 39 wherein the computer is a server on a first network.
  - 50. The system of claim 49 wherein the server controls access from the first network to a second network.
  - 51. The system of claim 39 wherein the username and password received from the user is received via either http or https protocol.
  - 52. The system of claim 39 wherein the first set of information is a first secure webpage.

53. In a computer readable medium containing a program to be executed by a server, when executed, the program to configure the processor to authenticate a received user username and a received user password to permit a user access, the improvement comprising further configuring the server to:
- (a) transmit to the user a first set of information comprising;
  
  (i) a first hash comprising a password encrypted by a first salt and a second salt; and
  
  (ii) a session ID produced using the second salt;
  
  (b) receive from the user a second set of information comprising;
  
  (i) the first hash; and
  
  (ii) the session ID;
  
  (c) obtain the second salt from the received session ID;
  
  (d) produce a second hash comprising the password encrypted by the first salt and the obtained second salt; and
  
  (e) compare the first hash and the second hash.
- View Dependent Claims (54, 55, 56, 57, 58, 59, 60, 61)
- - 54. The computer readable medium of claim 53 further configuring the server to:
    - (f) transmit to the user a third set of information comprising a third hash comprising the password encrypted by the first salt and a third salt;
      
      (g) receive from the user a fourth set of information comprising;
      
      (i) the third hash; and
      
      (ii) the session ID;
      
      (h) obtain the third salt from the received session ID;
      
      (i) produce a fourth hash comprising the password encrypted by the first salt and the obtained third salt; and
      
      (j) compare the third hash and the fourth hash.
  - 55. The computer readable medium of claim 54 wherein at least one of the second and third salt is a random salt.
  - 56. The computer readable medium of claim 55 wherein the first salt is a static salt.
  - 57. The computer readable medium of claim 53 wherein at least one of the first and second salt is a random salt.
  - 58. The computer readable medium of claim 53 wherein the first salt is a static salt and the second salt is a random salt.
  - 59. The computer readable medium of claim 53 wherein the computer is a server on a first network.
  - 60. The computer readable medium of claim 59 wherein the server controls access from the first network to a second network.
  - 61. The computer readable medium of claim 53 wherein the received user username and the received user password are received via either http or https protocol.

62. In a computer readable medium containing a program to be executed by a server, when executed, the program to configure the processor to authenticate a received user username and a received user password so as to permit a user access, the improvement comprising further configuring the server to:
- (a) transmit to the user a first set of information comprising a first encrypted password produced using a first salt;
  
  (b) receive from the user a second set of information comprising the first set of information;
  
  (c) determine the first salt using information contained in the second set of information;
  
  (d) produce a second encrypted password using the determined first salt; and
  
  (e) re-authenticate the user if the first encrypted password matches the second encrypted password.
- View Dependent Claims (63, 64, 65, 66, 67, 68)
- - 63. The computer readable medium of claim 62 further configuring the server to:
    - (f) transmit to the user a third set of information comprising a third encrypted password produced using a second salt;
      
      (g) receive from the user a fourth set of information comprising the third set of information;
      
      (h) determine the second salt using information contained in the fourth set of information;
      
      (i) produce a fourth encrypted password using the determined second salt; and
      
      (j) re-authenticate the user if the third encrypted password matches the fourth encrypted password.
  - 64. The computer readable medium of claim 63 wherein at least one of the first and second salt is a random salt.
  - 65. The computer readable medium of claim 62 wherein the first salt is a random salt.
  - 66. The computer readable medium of claim 62 wherein the computer is a server on a first network.
  - 67. The computer readable medium of claim 66 wherein the server controls access from the first network to a second network.
  - 68. The computer readable medium of claim 62 wherein the username and password received from the user is received at the computer via either http or https protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tekmark Global Solutions LLC
Original Assignee
Tekmark Global Solutions LLC
Inventors
Brock, David, Sahlberg, Jeremiah, Hammes, Peter, McNeal, Robert

Application Number

US11/394,026
Publication Number

US 20070061571A1
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 21/31   User authentication

G06F 21/577   Assessing vulnerabilities a...

H04L 9/3226   using a predetermined code,...

H04L 9/3236   using cryptographic hash fu...

System and method for managing security testing

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

97 Citations

68 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for managing security testing

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

97 Citations

68 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links