System and method for facilitating secure online transactions

US 20080077796A1
Filed: 02/05/2007
Published: 03/27/2008
Est. Priority Date: 09/27/2006
Status: Active Grant

First Claim

Patent Images

1. A method for mutually authenticating a client and a server, the method comprising:

transmitting a token from the server to the client;

establishing a secure data transfer link between the server and the client, a server certificate being transmitted to the client during the establishment of the secure data transfer link;

transmitting to the server a response packet including a full requested Uniform Resource Locator (URL) identifier, a client certificate, the server certificate, the token, and an authenticity identifier corresponding to a private client key, the private client key being associated with the client certificate; and

validating the response packet.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for mutually authenticating a client and a server is provided in accordance with an aspect of the present invention. The method commences with transmitting a token from the server to the client. Thereafter, the method continues with establishing a secure data transfer link between the server and the client. A server certificate is transmitted to the client during the establishment of the secure data transfer link. The method continues with transmitting a response packet to the server, which is validated thereby upon receipt. The system includes a client authentication module that initiates the secure data transfer link and transmits the response packet, and a server authentication module that transmits the token and validates the response packet.

61 Citations

View as Search Results

32 Claims

1. A method for mutually authenticating a client and a server, the method comprising:
- transmitting a token from the server to the client;
  
  establishing a secure data transfer link between the server and the client, a server certificate being transmitted to the client during the establishment of the secure data transfer link;
  
  transmitting to the server a response packet including a full requested Uniform Resource Locator (URL) identifier, a client certificate, the server certificate, the token, and an authenticity identifier corresponding to a private client key, the private client key being associated with the client certificate; and
  
  validating the response packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the authenticity identifier is a cryptographic hash of the response packet, the authenticity identifier being signed with the private client key.
  - 3. The method of claim 1, wherein validating the response packet further includes validating the full requested URL identifier in the response packet against a URL associated with the server.
  - 4. The method of claim 1, wherein validating the response packet further includes validating the token in the response packet against a token stored on the server, the token in the response packet and the token stored on the server containing a unique code.
  - 5. The method of claim 2, wherein validating the response packet further includes validating a first copy of the server certificate stored in the server against a second copy of the server certificate in the response packet.
  - 6. The method of claim 1, wherein validating the response packet further includes validating the client certificate against a client signature on the response packet, the client signature being associated with the private client key.
  - 7. The method of claim 6, wherein the client certificate is unexpired.
  - 8. The method of claim 6, wherein the client certificate is issued to an organization associated with the server.
  - 9. The method of claim 1, wherein:
    - the client certificate is issued from a certificate server associated with an authorized certification authority; and
      
      the client certificate is linked to an organization associated with the server.
  - 10. The method of claim 8, wherein prior to issuing the client certificate, the method further includes validating the client with a challenge-response sequence.
  - 11. The method of claim 10, wherein a response to the challenge-response sequence is transmitted to a predetermined telephone device associated with a user.
  - 12. The method of claim 10, wherein a response to the challenge-response sequence is transmitted to a predetermined e-mail address associated with a user.

13. A method for authenticating a client to a server, the method comprising:
- receiving a token from the server;
  
  establishing a secure data transfer link between the server and the client, a server certificate being received from the server during the establishment of the secure data transfer link; and
  
  transmitting to the server a response packet including a full requested Uniform Resource Locator (URL) identifier, a client certificate, the server certificate, the token, and an authenticity identifier corresponding to a private client key, the private client key being associated with the client certificate.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The method of claim 13, wherein the authenticity identifier is a cryptographic hash of the response packet, the authenticity identifier being signed with the private client key.
  - 15. The method of claim 13, wherein:
    - the client certificate is issued from a certificate server associated with an authorized certification authority; and
      
      the client certificate is linked to an organization associated with the server.
  - 16. The method of claim 13, wherein prior to issuing the client certificate, the method further includes validating the client with a challenge-response sequence.
  - 17. The method of claim 16, wherein a response to the challenge-response sequence is transmitted to a predetermined telephone device associated with a user.
  - 18. The method of claim 16, wherein a response to the challenge-response sequence is transmitted to a predetermined e-mail address associated with a user.

19. A method for authenticating a server to a client, the method comprising:
- transmitting a token from the server to the client;
  
  establishing a secure data transfer link between the server and the client, a server certificate being transmitted to the client during the establishment of the secure data transfer link; and
  
  transmitting to the server a response packet including a full requested Uniform Resource Locator (URL) identifier, a client certificate, the server certificate, the token, and an authenticity identifier corresponding to a private client key, the private client key being associated with the client certificate.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The method of claim 19, wherein the authenticity identifier is a cryptographic hash of the response packet, the authenticity identifier being signed with the private client key.
  - 21. The method of claim 19, wherein validating the response packet further includes validating the full requested URL identifier in the response packet against a URL associated with the server.
  - 22. The method of claim 19, wherein validating the response packet further includes validating the token in the response packet against a token stored on the server, the token in the response packet and the token stored on the server containing a unique code.
  - 23. The method of claim 19, wherein validating the response packet further includes validating a first copy of the server certificate stored on the server against a second copy of the server certificate stored in the response packet.
  - 24. The method of claim 19, wherein validating the response packet further includes validating the client certificate against a client signature on the response packet, the client signature being associated with the private client key.
  - 25. The method of claim 24, wherein the client certificate is unexpired.
  - 26. The method of claim 24, wherein the client certificate is issued to an organization associated with the server.
  - 27. The method of claim 19, wherein the client certificate is issued from a certificate server associated with an authorized certification authority.

28. A system for bi-directionally authenticating a client and a server comprising:
- a server authentication module associated with the server and including a memory for storing a server certificate and a token, the server authentication module being operative to transmit the token and the server certificate to the client; and
  
  a client authentication module associated with the client and including a memory for storing a client certificate, the token, a full requested URL identifier, and the server certificate, the client authentication module being operative to transmit an authentication packet including the server certificate, the token, and the full requested URL identifier.
- View Dependent Claims (29, 30, 31)
- - 29. The system of claim 28, further comprising:
    - a certificate server including an authentication module operative to issue the client certificate to the client.
  - 30. The system of claim 28, further comprising:
    - a telephony server for transmitting to an out-of-band device a response for a challenge-response sequence presented to the client by the server.
  - 31. The system of claim 28, wherein the client authentication module is an ActiveX component.

32. An article of manufacture comprising a program storage medium readable by a computer, the medium tangibly embodying one or more programs of instructions executable by the computer to perform a method for mutually authenticating a client and a server, the method comprising:
- transmitting a token from the server to the client;
  
  establishing a secure data transfer link between the server and the client, a server certificate being transmitted to the client during the establishment of the secure data transfer link; and
  
  transmitting to the server a response packet including a full requested Uniform Resource Locator (URL) identifier, a client certificate, the server certificate, the token, and an authenticity identifier corresponding to a private client key, the private client key being associated with the client certificate. validating the response packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureAuth Incorporated
Original Assignee
SecureAuth Incorporated
Inventors
Moore, Stephen, Grajek, Garret, Lund, Craig

Granted Patent

US 8,327,142 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/173
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/0869   for achieving mutual authen...

H04L 63/166   at the transport layer

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/3239   involving non-keyed hash fu...

H04L 9/3263   involving certificates, e.g...

H04L 9/3273   for mutual authentication n...

System and method for facilitating secure online transactions

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

61 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for facilitating secure online transactions

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links