APPARATUS AND METHOD TO PREVENT MAN IN THE MIDDLE ATTACK

US 20110154021A1
Filed: 05/05/2009
Published: 06/23/2011
Est. Priority Date: 05/05/2008
Status: Active Grant

First Claim

Patent Images

1. A system for authenticating an encryption key before transmitting encrypted messages containing sensitive information, the system comprising:

a client device, the client device being a data processing system having at least one processor and at least one memory, the client device connected to a network and operative to transmit and receive data over the network;

a remote device, the remote device being a data processing system having at least one processor and at least one memory, the remote device connected to the network and operative to transmit data to and receive data from the client device;

a peripheral device operative to encrypt messages before passing the encrypted message to the client device for transmission to the remote device, the peripheral device having at least one processor and a memory containing a first key of a cryptographic key pair, the peripheral device operatively connected to only the client device,wherein the remote device transmits a digital certificate to the client device, the digital certificate containing an encryption key and a first digital signature, the first digital signature issued by a certificate authority to verify the encryption key is associated with the remote device,in response to receiving the digital certificate from the remote device, the client device passing the digital certificate, a root certificate associated with the digital certificate and a second digital signature to the peripheral device, the second digital signature associated with the root certificate and created using a second key of the cryptographic key pair,in response to receiving the digital certificate, the root certificate and the second signature, the peripheral device uses the root certificate to certify the digital certificate and the first digital signature in the digital certificate to verify the encryption key in the digital certificate is associated with the remote device and the peripheral device retrieves the first key of the cryptographic key pair from the memory of the peripheral device and applies the first key of the encryption key pair to the second digital signature to verify the root certificate.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, peripheral device, and method for authenticating an encryption key before transmitting encrypted messages containing sensitive information are provided. Authentication of a client device during the coordination of data transfer among multiple computer devices is possible by providing a peripheral device that does not have a direct connection to a network, but rather, any message to be transmitted over the network must be relayed through a client device. Any sensitive information to be transferred to a remote device is inserted into a message, then the message is encrypted in the peripheral device. This prevents any process running on the client device from fooling the client device into communicating confidential information to a third party rather than the desired remote computer, because the client device never sees the sensitive information in an unencrypted form; only the peripheral device has access to the sensitive information in an unencrypted form.

74 Citations

View as Search Results

36 Claims

1. A system for authenticating an encryption key before transmitting encrypted messages containing sensitive information, the system comprising:
- a client device, the client device being a data processing system having at least one processor and at least one memory, the client device connected to a network and operative to transmit and receive data over the network;
  
  a remote device, the remote device being a data processing system having at least one processor and at least one memory, the remote device connected to the network and operative to transmit data to and receive data from the client device;
  
  a peripheral device operative to encrypt messages before passing the encrypted message to the client device for transmission to the remote device, the peripheral device having at least one processor and a memory containing a first key of a cryptographic key pair, the peripheral device operatively connected to only the client device,wherein the remote device transmits a digital certificate to the client device, the digital certificate containing an encryption key and a first digital signature, the first digital signature issued by a certificate authority to verify the encryption key is associated with the remote device,in response to receiving the digital certificate from the remote device, the client device passing the digital certificate, a root certificate associated with the digital certificate and a second digital signature to the peripheral device, the second digital signature associated with the root certificate and created using a second key of the cryptographic key pair,in response to receiving the digital certificate, the root certificate and the second signature, the peripheral device uses the root certificate to certify the digital certificate and the first digital signature in the digital certificate to verify the encryption key in the digital certificate is associated with the remote device and the peripheral device retrieves the first key of the cryptographic key pair from the memory of the peripheral device and applies the first key of the encryption key pair to the second digital signature to verify the root certificate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1 wherein the first key of the cryptographic key pair stored in the memory of the peripheral device is unalterable in the memory.
  - 3. The system of claim 1 wherein the memory of the peripheral device is a read only memory.
  - 4. The system of claim 1 wherein the memory of the peripheral device is a programmable read only memory.
  - 5. The system of claim 1 wherein the memory of the peripheral device is an EPROM.
  - 6. The system of claim 1 wherein the memory of the peripheral device is an EEPROM.
  - 7. The system of claim 1 wherein the client device passes a certification path beginning with the digital certificate and ending with the root certificate to the peripheral device and the peripheral device uses the certification path with the root certificate to verify the digital certificate.
  - 8. The system of claim 1 wherein the network is the Internet.
  - 9. The system of claim 1 wherein the second signature is contained in a second digital certificate.
  - 10. The system of claim 1 wherein if the peripheral device unsuccessfully verifies the public key in the first certificate and the root certificate, the peripheral device discontinues communication with the remote device through the client device.
  - 11. The system of claim 1 wherein if the peripheral device successfully verifies the public key in the first certificate and the root certificate, the peripheral device negotiates a set of encryption keys and decryption keys with the remote device, the encryption keys and decryption keys never sent to the client device in an unencrypted form.
  - 12. The system of claim 11 wherein the peripheral device generates a master secret which the peripheral device then encrypts with the encryption key before passing the encrypted master secret to the client device for transmission to the remote device.

13. A peripheral device comprising:
- at least one processor; and
  
  at least one memory containing a first key of a cryptographic key pair,the peripheral device operatively connectable to a client device connected to a network, the client device operative to transmit messages to and receive messages from a remote device connected to the network,the peripheral device operative to encrypt messages before passing the encrypted messages to the client device for transmission to the remote device,wherein the peripheral device verifies an encryption key originated from the remote device by;
  
  the client device receiving a digital certificate from the remote device, the digital certificate containing an encryption key and a first digital signature, the first digital signature issued by a certificate authority to verify that the encryption key is associated with the remote device,in response to receiving the digital certificate from the remote device, the client device passing the digital certificate, a root certificate associated with the digital certificate and a second digital signature to the peripheral device, the second digital signature associated with the root certificate and created using a second key of the cryptographic key pair,in response to receiving the digital certificate, the root certificate and the second signature, the peripheral device uses the root certificate to certify the digital certificate and the first digital signature in the digital certificate to verify the encryption key in the digital certificate is associated with the remote device and the peripheral device retrieves the first key of the cryptographic key pair from the memory of the peripheral device and applies the first key of the encryption key pair to the second digital signature to verify the root certificate.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The peripheral device of claim 13 wherein the first key of the cryptographic key pair stored in the at least one memory is unalterable.
  - 15. The peripheral device of claim 13 wherein the at least one memory is a read only memory.
  - 16. The peripheral device of claim 13 wherein the memory of the peripheral device is a programmable read only memory.
  - 17. The peripheral device of claim 13 wherein the memory of the peripheral device is an EPROM.
  - 18. The peripheral device of claim 13 wherein the memory of the peripheral device is an EEPROM.
  - 19. The peripheral device of claim 13 wherein the client device passes a certification path beginning with the digital certificate and ending with the root certificate to the peripheral device and the peripheral device uses the certification path with the root certificate to verify the digital certificate.
  - 20. The peripheral device of claim 13 wherein the network is the Internet.
  - 21. The peripheral device of claim 13 wherein the second signature is contained in a second digital certificate.
  - 22. The peripheral device of claim 13 wherein if the peripheral device unsuccessfully verifies the public key in the first certificate and the root certificate, the peripheral device discontinues communicating with the remote device through the client device.
  - 23. The peripheral device of claim 13 wherein if the peripheral device successfully verifies the public key in the first certificate and the root certificate, the peripheral device negotiates a set of encryption keys and decryption keys with the remote device, the encryption keys and decryption keys never sent to the client device in an unencrypted form.
  - 24. The peripheral device of claim 23 wherein the peripheral device generates a master secret which the peripheral device then encrypts with the encryption key before passing the encrypted master secret to the client device for transmission to the remote device.

25. A method of authenticating a remote server, the method comprising:
- providing a client device operatively connected to a remote device over a network;
  
  providing a peripheral device operatively connected to only the client device and having a memory containing a key;
  
  the client device receiving a digital certificate containing an encryption key and a first signature from the remote device, the first signature issued by a certificate authority to verify the encryption key is associated with the remote device;
  
  passing the digital certificate from the client device to the peripheral device;
  
  passing a certification path beginning with the digital certificate and ending with a root certificate from the client device to the peripheral device;
  
  the peripheral device verifying the encryption key in the digital certificate with the first signature in the digital certificate using the certification path including the root certificate;
  
  passing a second signature certifying the root certificate to the peripheral device;
  
  the peripheral device retrieving the key from the memory of the peripheral device; and
  
  the peripheral device checking the second signature using the retrieved key to verify the root certificate.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The method of claim 25 wherein the key stored in the memory of the peripheral device is unalterable in the memory.
  - 27. The method of claim 25 wherein the memory of the peripheral device is a read only memory.
  - 28. The method of claim 25 wherein the memory of the peripheral device is a programmable read only memory.
  - 29. The method of claim 25 wherein the memory of the peripheral device is an EPROM.
  - 30. The method of claim 25 wherein the memory of the peripheral device is an EEPROM.
  - 31. The method of claim 25 wherein the client device passes a certification path beginning with the digital certificate and ending with the root certificate to the peripheral device and the peripheral device uses the certification path with the root certificate to verify the digital certificate.
  - 32. The method of claim 25 wherein the network is the Internet.
  - 33. The method of claim 25 wherein the second signature is contained in a second digital certificate.
  - 34. The method of claim 25 wherein if the peripheral device unsuccessfully verifies the key in the digital certificate and the root certificate, the peripheral device discontinues communication with the remote device through the client device.
  - 35. The method of claim 25 wherein if the peripheral device successfully verifies the key in the digital certificate and the root certificate, the peripheral device negotiates a set of encryption keys and decryption keys with the remote device, the encryption keys and decryption keys never sent to the client device in an unencrypted form.
  - 36. The method of claim 35 wherein the peripheral device generates a master secret which the peripheral device then encrypts with the encryption key before passing the encrypted master secret to the client device for transmission to the remote device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetSecure Innovations, Inc.
Original Assignee
NetSecure Innovations, Inc.
Inventors
McCann, Daniel, Sharifimehr, Nima

Granted Patent

US 8,417,941 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/153
CPC Class Codes

H04L 9/3247 involving digital signatures

H04L 9/3263 involving certificates, e.g...

APPARATUS AND METHOD TO PREVENT MAN IN THE MIDDLE ATTACK

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

74 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

APPARATUS AND METHOD TO PREVENT MAN IN THE MIDDLE ATTACK

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

74 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links