SIGNED MESSAGE HEADER STORING SENDER ACCOUNT AUTHENTICATION METHOD

US 20200137081A1
Filed: 10/24/2019
Published: 04/30/2020
Est. Priority Date: 10/30/2018
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a delivering email system configured to;

receive a request from a sender to send an email to a recipient;

identify an authentication method of a sender account for the email;

modify one or more email headers of the email to include an indication of the authentication method;

generate one or more digital signatures for the email that include the one or more email headers within a scope of the one or more digital signatures;

modify the email such that an email header of the email includes the one or more digital signatures; and

transmit the email, including the indication of the authentication method and the one or more digital signatures, to the recipient at a receiving email system; and

the receiving email system configured to;

receive the email having the one or more email headers indicating the authentication method of a sender account of the email and the one or more digital signatures of the one or more email headers;

determine that the one or more email headers are unaltered by validating the one or more digital signatures against a public key of the sender domain of the email;

determine whether the authentication method indicated in the one or more email headers meets a criteria; and

execute, in response to the authentication method failing the criteria, a security response against the email.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A delivering email system is configured to receive a request to send an email to a recipient, identify an authentication method of a sender account for the email, modify email headers of the email to include an indication of the authentication method, generate digital signatures for the email that include the email headers within a scope of the digital signatures, modify the email such that an email header of the email includes the digital signatures, and transmit the email, including the indication of the authentication method and the digital signatures, to the recipient at a receiving email system. The receiving email system is configured to receive the email, determine that the email headers are unaltered by validating the digital signatures against a public key of the sender domain, determine whether the authentication method indicated meets a criteria, and execute a security response against the email if not.

Citations

20 Claims

1. A system, comprising:
- a delivering email system configured to;
  
  receive a request from a sender to send an email to a recipient;
  
  identify an authentication method of a sender account for the email;
  
  modify one or more email headers of the email to include an indication of the authentication method;
  
  generate one or more digital signatures for the email that include the one or more email headers within a scope of the one or more digital signatures;
  
  modify the email such that an email header of the email includes the one or more digital signatures; and
  
  transmit the email, including the indication of the authentication method and the one or more digital signatures, to the recipient at a receiving email system; and
  
  the receiving email system configured to;
  
  receive the email having the one or more email headers indicating the authentication method of a sender account of the email and the one or more digital signatures of the one or more email headers;
  
  determine that the one or more email headers are unaltered by validating the one or more digital signatures against a public key of the sender domain of the email;
  
  determine whether the authentication method indicated in the one or more email headers meets a criteria; and
  
  execute, in response to the authentication method failing the criteria, a security response against the email.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein the authentication method comprises at least one of:
    - 1) entering a username and password,
      
           2) entering a key from a token,
      
           3) entering a key provided by an external security system,
      
           4) retrieving authentication credentials from a password vault,
      
           5) answering one or more questions,
      
           7) using a hardware or software authentication device,
      
           8) using a certificate file,
      
           9) submitting biometric information,
      
           10) a challenge/response protocol, and any combination thereof.
  - 3. The system of claim 1, wherein the receiving email system is further configured to:
    - associate, in response to a determination that the one or more email headers are altered by validating the one or more digital signatures against a public key of the sender domain of the email, a flag with the email indicating that the email failed the validation of the one or more digital signatures.
  - 4. The system of claim 1, wherein the receiving email system is further configured to:
    - send, in response to a determination that the one or more email headers are altered by validating the one or more digital signatures against a public key of the sender domain of the email, an alert to a system administrator.
  - 5. The system of claim 1, wherein the authentication method meets the criteria when a security level of the authentication method is above a threshold level, the security level indicating a likelihood of the authentication method being compromised by a malicious attacker.
  - 6. The system of claim 1, wherein the security response includes additional security checks to determine whether the email was actually sent by the user associated with the user account indicated in a sender address of the email.
  - 7. The system of claim 1, wherein the indication of the authentication method further includes an indication of one or more configuration settings associated with the authentication method, the one or more configuration settings indicating at least one of:
    - 1) a maximum limit on the number of retries,
      
           2) mandatory delay period between retries,
      
           3) a time of day in which user authentication is allowed,
      
           4) whether each authentication attempt is logged,
      
           5) complexity requirements for the authentication method, and
      
           6) expiry periods, and wherein the security response is modified based on the indication of the one or more configuration settings.
  - 8. The system of claim 1, wherein the delivering email system is further configured to:
    - receive information regarding the authentication method;
      
      convert the authentication method information to a standard format based on a set of one or more rules that indicates a type of indicator to use for each element of the information of the authentication method, wherein the standard format is based on a lookup table, the lookup table indicating a value for each authentication method; and
      
      modify the email header of the email to include as the email header element the converted authentication method information.
  - 9. The system of claim 1, wherein the delivering email system is further configured to:
    - generate a hash of the one or more email headers that includes the indication of the authentication method; and
      
      encrypt the hash with a private key to generate the one or more digital signatures, wherein the hash can be decrypted using a public key stored at publicly verifiable location of the sender domain of the delivering email system.
  - 10. The system of claim 8, wherein the receiving email system is further configured to:
    - access the public key of the delivering email system from the publicly verifiable location;
      
      decrypt the one or more digital signatures using the public key to generate an unverified hash; and
      
      match the unverified hash against a currently generated hash of the one or more email headers of the email to determine that the one or more email headers, including the indication of the authentication method, is unaltered.
  - 11. The system of claim 10, wherein the digital signature is further generated of a body of the email, and wherein the receiving email system is further configured to:
    - match the unverified hash against a currently generated hash of the body of the email to determine that the body of the email is unaltered.
  - 12. The system of claim 1, wherein the receiving email system is further configured to:
    - access a response database that stores one or more security responses for each authentication method;
      
      select the one or more security responses in the response database associated with the one or more authentication methods indicated in the email header; and
      
      execute the selected one or more security responses.
  - 13. The system of claim 1, wherein the receiving email system is further configured to:
    - access a database of security scores, each security score in the database associated with a selected authentication method, the database generated by;
      
      analyzing historical data indicating hijacked user email accounts and selected authentication methods associated with those user email accounts;
      
      assigning a security score to the selected authentication method based on a number of hijacked user email accounts that are associated with the selected authentication method; and
      
      determine a security score associated with the authentication method indicated in the email header element; and
      
      select the security response for execution based on a value of the security score.

14. A computer implemented method, comprising:
- receiving a request from a sender to send an email to a recipient;
  
  identifying an authentication method of a sender account for the email;
  
  modifying one or more email headers of the email to include an indication of the authentication method;
  
  generating one or more digital signatures for the email that includes the one or more email headers within a scope of the one or more digital signatures;
  
  modifying the email such that an email header of the email includes the one or more digital signatures; and
  
  transmitting the email, including the indication of the authentication method and the one or more digital signatures, to the recipient.
- View Dependent Claims (15)
- - 15. The method claim 14, further comprising:
    - generating a hash of the one or more email headers that includes the indication of the authentication method; and
      
      encrypting the hash with a private key to generate the one or more digital signatures, wherein the hash can be decrypted using a public key stored at publicly verifiable location of the sender domain of the delivering email system.

16. A computer implemented method, comprising:
- receiving an email having one or more email headers indicating an authentication method of a sender account of the email and one or more digital signatures of the one or more email headers;
  
  determining that the one or more email headers are unaltered by validating the one or more digital signatures against a public key of the sender domain of the email;
  
  determining whether the authentication method indicated in the one or more email headers meets a criteria; and
  
  executing, in response to the authentication method failing the criteria, a security response against the email.
- View Dependent Claims (17)
- - 17. The method of claim 16, further comprising:
    - associating, in response to a determination that the one or more email headers are altered by validating the one or more digital signatures against a public key of the sender domain of the email, a flag with the email indicating that the email failed the validation of the one or more digital signatures.

18. A non-transitory computer readable storage medium, comprising instructions, that when executed by a processor, cause the processor to perform the operations of:
- receiving a request from a sender to send an email to a recipient;
  
  identifying an authentication method of a sender account for the email;
  
  modifying one or more email headers of the email to include an indication of the authentication method;
  
  generating one or more digital signatures for the email that include one or more email headers within a scope of the one or more digital signatures;
  
  modifying the email such that an email header of the email includes the one or more digital signatures; and
  
  transmitting the email, including the indication of the authentication method and the one or more digital signatures, to the recipient.
- View Dependent Claims (19)
- - 19. The non-transitory computer readable storage medium of claim 18, comprising instructions, that when executed by a processor, cause the processor to perform the operations of:
    - generating a hash of the one or more email headers that includes the indication of the authentication method; and
      
      encrypting the hash with a private key to generate the one or more digital signatures, wherein the hash can be decrypted using a public key stored at publicly verifiable location of the sender domain of the delivering email system.

20. A non-transitory computer readable storage medium, comprising instructions, that when executed by a processor, cause the processor to perform the operations of:
- receiving an email having one or more email headers indicating an authentication method of a sender account of the email and one or more digital signatures of the one or more email headers;
  
  determining that the one or more email headers are unaltered by validating the one or more digital signatures against a public key of the sender domain of the email;
  
  determining whether the authentication method indicated in the one or more email headers meets a criteria; and
  
  executing, in response to the authentication method failing the criteria, a security response against the email.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Valimail Inc.
Original Assignee
Valimail Inc.
Inventors
Goldstein, Peter Martin

Granted Patent

US 11,329,997 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06Q 10/107   Computer-aided management o...

H04L 51/23   Reliability checks, e.g. ac...

H04L 51/48   Message addressing, e.g. ad...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

H04L 63/126   the source of the received ...

SIGNED MESSAGE HEADER STORING SENDER ACCOUNT AUTHENTICATION METHOD

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SIGNED MESSAGE HEADER STORING SENDER ACCOUNT AUTHENTICATION METHOD

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links