Prevention of unauthorized scripts

US 7,606,915 B1
Filed: 02/25/2003
Issued: 10/20/2009
Est. Priority Date: 02/25/2003
Status: Active Grant

First Claim

Patent Images

1. A method of preventing automated access to a service provided by a server coupled to a data communication network, said method comprising:

delivering a first test to a client coupled to the data communication network for rendering to a user in response to the user requesting access to the service via the client, said first test being a human interaction proof test;

delivering a second test to the client as an alternative to the first test, said second test being a human interaction proof test;

delivering a third test to the client as an alternative to the first and second tests, said third test including a computational puzzle to be solved by the client, said first, second, and third tests each having a different correct solution, at least one of said first, second, and third tests being elected by the user;

receiving, via the client, a response to the at least one of the tests elected by the user; and

granting access to the service via the client if the received response is the correct solution to the at least one of the tests elected by the user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and system of preventing unauthorized scripting. The invention includes providing one or more tests to a user for distinguishing the user from a machine when the user requests access to the server. By storing information on a correct solution to the test in a block of data and sending the block of data together with the test, the invention provides stateless operation. Moreover, maintaining a database of previously used correct responses prevents replay attacks. The invention also includes providing combinations of alternative tests, such as visually altered textual character strings, audible character strings, and computational puzzles. Other aspects of the invention are directed to computer-readable media for use with the methods and system.

Citations

60 Claims

1. A method of preventing automated access to a service provided by a server coupled to a data communication network, said method comprising:
- delivering a first test to a client coupled to the data communication network for rendering to a user in response to the user requesting access to the service via the client, said first test being a human interaction proof test;
  
  delivering a second test to the client as an alternative to the first test, said second test being a human interaction proof test;
  
  delivering a third test to the client as an alternative to the first and second tests, said third test including a computational puzzle to be solved by the client, said first, second, and third tests each having a different correct solution, at least one of said first, second, and third tests being elected by the user;
  
  receiving, via the client, a response to the at least one of the tests elected by the user; and
  
  granting access to the service via the client if the received response is the correct solution to the at least one of the tests elected by the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method of claim 1 wherein the first test includes a human-readable textual string of characters to be read by the user, said textual string of characters being visually altered to inhibit computerized character recognition, and wherein the user responds to the first test by repeating the textual string of characters via an input device of the client.
  - 3. The method of claim 2 further comprising varying the visual alteration of the textual string of characters to further inhibit computerized character recognition.
  - 4. The method of claim 2 wherein the second test is an audible string of characters to be heard by the user, said audible string of characters including at least one character different than the textual string of characters of the first test, and wherein the user responds to the second test by repeating the audible string of characters via an input device of the client.
  - 5. The method of claim 4 wherein the client operates a browser program configured to permit the user to communicate on the data communication network and wherein delivering the second test comprises embedding text readable by the browser program and representative of the audible string of characters.
  - 6. The method of claim 5 wherein embedding the text comprises specifying an alternate text attribute in a markup language.
  - 7. The method of claim 4 wherein the audible string of characters to be heard by the user in the second test is in a selected language independent of the textual string of characters to be read by the user in the first test.
  - 8. The method of claim 7 wherein the client operates a browser program configured to permit the user to communicate on the data communication network and wherein the browser program specifies the selected language.
  - 9. The method of claim 7 further comprising receiving, in response to a registration page, a request from the user that the second test be rendered in the selected language.
  - 10. The method of claim 1 wherein said computational puzzle included in said third test is to be solved by the client in a manner incurring a computational cost within a predetermined range.
  - 11. The method of claim 1 further comprising storing the received response in a memory if the received response is the correct solution to the at least one of the tests elected by the user and denying access to the server if a subsequent response received via the client matches the stored received response.
  - 12. The method of claim 11 further comprising deleting the stored received response from the memory after a predetermined time-to-live period.
  - 13. The method of claim 1 further comprising sending a block of data from the server to the client for return by the client with the response.
  - 14. The method of claim 13 further comprising encrypting the block of data.
  - 15. The method of claim 13 wherein the block of data includes a time stamp.
  - 16. The method of claim 13 wherein the block of data includes a unique login identifier associated with the user.
  - 17. The method of claim 13 wherein the block of data includes the correct solution to at least one of the tests for comparison to the received response and further comprising encrypting the correct solution.
  - 18. The method of claim 13 wherein the block of data includes the correct solution to at least one of the tests for comparison to the received response and further comprising hashing the correct solution.
  - 19. The method of claim 13 wherein the block of data is selected from the following:
    - a cookie;
      
      a form field; and
      
      a query string.
  - 20. The method of claim 1 wherein the first and second tests are selected from the following:
    - a human-readable textual string of characters to be read by the user and repeated by the user via an input device, said textual string of characters being visually altered to inhibit computerized character recognition; and
      
      an audible string of characters to be heard by the user and repeated by the user via an input device, said audible string of characters including at least one character different than the textual string of characters of the first test.
  - 21. The method of claim 1 wherein the server is a web server and the data communication network is the Internet.
  - 22. One or more computer-readable storage media having computer-executable instructions for performing the method of claim 1.

23. A method of conducting a Turing test for a user requesting access to a service provided by a server coupled to a data communication network, said user requesting the service via a client computer system also coupled to the data communication network, said method comprising:
- delivering a first test to the client computer system, said first test comprising a human-readable textual string of characters to be read by the user, said textual string of characters being visually altered to inhibit computerized character recognition;
  
  delivering a second test to the client computer system as an alternative to the first test, said second test comprising an audible string of characters to be heard by the user;
  
  delivering a third test to the client computer system as an alternative to the first and second tests, said third test comprising a computational puzzle configured to be executed by the client computer system in a manner requiring a pre-defined minimum amount of time, said first, second, and third tests each having different correct solutions;
  
  enabling the user to elect between the first, second, and third tests;
  
  receiving a response to the elected test and providing access based on the received response.
- View Dependent Claims (24, 25, 26, 27, 28)
- - 24. The method of claim 23 further comprising storing the response received in a memory and denying access to the server if a subsequent response received via the client matches the stored response.
  - 25. The method of claim 24 further comprising deleting the stored response from the memory after a predetermined time-to-live period.
  - 26. The method of claim 23 further comprising sending a block of data to the client for return by the client computer system with the response, said block of data including the correct solution to at least one of the tests for comparison to the received response.
  - 27. The method of claim 23 further comprising varying the visual alteration of the textual string of characters to further inhibit computerized character recognition.
  - 28. One or more computer-readable storage media having computer-executable instructions for performing the method of claim 23.

29. A method of preventing automated access to a service, said method comprising:
- delivering a first human interaction proof challenge and a second human interaction proof challenge to a client coupled to a data communication network in response to a user requesting a service to be provided via the network, said first and second challenges each having a different correct solution;
  
  requesting that the user elect the first or the second challenge;
  
  enabling the user to elect a third challenge as an alternative to the first and second challenges, said third challenge including a computational puzzle to be solved by the client;
  
  receiving via the client a response to the elected challenge;
  
  storing information representative of one or more previously used challenges;
  
  comparing the received response to the stored information; and
  
  granting access to the service via the client if the received response is the correct solution to the challenge elected by the user unless the received response corresponds to the stored information.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 30. The method of claim 29 further comprising deleting the stored information representative of previously used challenges after a predetermined time-to-live period.
  - 31. The method of claim 29 further comprising sending a block of data to the client for return by the client with the response from the user, said block of data being stored after being returned with the response.
  - 32. The method of claim 31 further comprising encrypting the block of data.
  - 33. The method of claim 31 wherein the block of data includes a time stamp.
  - 34. The method of claim 31 wherein the block of data includes a unique login identifier associated with the user.
  - 35. The method of claim 31 wherein the block of data includes the elected challenge for comparison to the received response and further comprising hashing the correct solution for the elected challenge in the block of data.
  - 36. The method of claim 31 wherein the block of data includes the elected challenge for comparison to the received response and further comprising encrypting the correct solution for the elected challenge in the block of data.
  - 37. The method of claim 31 wherein the block of data is selected from the following:
    - a cookie;
      
      a form field; and
      
      a query string.
  - 38. The method of claim 29 wherein the first challenge delivered to the user comprises a human-readable textual string of characters, said textual string of characters being visually altered to inhibit computerized character recognition.
  - 39. The method of claim 38 further comprising varying the visual alteration of the textual string of characters to further inhibit computerized character recognition.
  - 40. The method of claim 38 wherein the second challenge delivered to the user comprises an audible string of characters.
  - 41. The method of claim 29 wherein the computational puzzle is to be solved by the client in a manner incurring a computational cost within a predetermined range.
  - 42. The method of claim 29 wherein the server is a web server and the data communication network is the Internet.
  - 43. One or more computer-readable storage media having computer-executable instructions for performing the method of claim 29.

44. A method of preventing automated access to a service provided by a server coupled to a data communication network, said method comprising:
- delivering at least three tests for identifying unauthorized scripts, said tests being delivered to a client coupled to the data communication network in response to a user requesting access to the service via the network, said tests each having different correct solutions, and at least one of said tests being elected by the user, said tests being selected from a group consisting of;
  
  a human-readable textual string of characters to be read by the user, wherein the textual string of characters is visually altered to inhibit computerized character recognition;
  
  an audible string of characters to be heard by the user; and
  
  a computational puzzle to be solved by the client;
  
  sending, to the client, a block of data representative of the correct solutions to the tests together with the tests, said block of data being returned with a response to the elected test from the user;
  
  receiving the response and the block of data via the network;
  
  determining whether the received response is valid based on the received response and the received block of data; and
  
  granting access to the service if the received response is valid.
- View Dependent Claims (45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59)
- - 45. The method of claim 44 further comprising encrypting the block of data.
  - 46. The method of claim 44 wherein the block of data includes a time stamp.
  - 47. The method of claim 44 wherein the block of data includes a unique login identifier associated with the user.
  - 48. The method of claim 44 further comprising encrypting the correct solutions stored in the block of data.
  - 49. The method of claim 44 further comprising hashing the correct solutions stored in the block of data.
  - 50. The method of claim 44 wherein the block of data is selected from the following:
    - a cookie;
      
      a form field; and
      
      a query string.
  - 51. The method of claim 44 further comprising varying the visual alteration of the textual string of characters to further inhibit computerized character recognition.
  - 52. The method of claim 44 wherein the client operates a browser program configured to permit the user to communicate on the data communication network and wherein delivering the audible string of characters test comprises embedding text readable by the browser program and representative of the audible string of characters.
  - 53. The method of claim 52 wherein embedding the text comprises specifying an alternate text attribute in a markup language.
  - 54. The method of claim 44 further comprising storing information representative of the received response if the received response is valid and denying access to the service if a subsequent response received via the network corresponds to the stored information.
  - 55. The method of claim 54 further comprising deleting the stored information after a predetermined time-to-live period.
  - 56. The method of claim 44 further comprising periodically changing at least one of the plurality of tests.
  - 57. The method of claim 44 wherein the server is a web server and the data communication network is the Internet.
  - 58. The method of claim 44 wherein delivering the tests comprises delivering the tests to the client by a first server coupled to the data communication network and wherein receiving the response and the block of data comprises receiving the response and the block of data by a second server also coupled to the data communication network.
  - 59. One or more computer-readable storage media having computer-executable instructions for performing the method of claim 44.

60. A system for preventing unauthorized access to a service provided via a data communication network comprising:
- a first server coupled to the network, said first server delivering at least three challenges each having different correct solutions to a client also coupled to the network in response to the client requesting access to the service, said tests being selected from a group consisting of;
  
  a human-readable textual string of characters to be read by a user, wherein the textual string of characters is visually altered to inhibit computerized character recognition;
  
  an audible string of characters to be heard by the user; and
  
  a computational puzzle to be solved by the client, said first server sending a block of data to the client together with each of the challenges, said block of data containing information representative of the correct solutions to the challenges; and
  
  a second server coupled to the network, said second server receiving, from the client, a response to at least one of the challenges elected by the client, said second server further receiving the block of data via the client for determining whether the received response is valid before granting access by the client to the service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Zhang, Danpo, Couvreur, Julien, Benaloh, Josh, Calinov, Iulian D., Wilkins, Jonathan
Primary Examiner(s)
Mesfin; Yemane

Application Number

US10/374,036
Time in Patent Office

2,429 Days
Field of Search

709/229, 726 2- 7, 726/14, 726/17, 726/21, 726/27
US Class Current

709/229
CPC Class Codes

G06F 21/36   by graphic or iconic repres...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

Prevention of unauthorized scripts

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

60 Claims

Specification

Solutions

Use Cases

Quick Links

Prevention of unauthorized scripts

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

60 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links