Authentication of a server by a client to prevent fraudulent user interfaces

US 7,685,631 B1
Filed: 02/05/2003
Issued: 03/23/2010
Est. Priority Date: 02/05/2003
Status: Active Grant

First Claim

Patent Images

1. A method of establishing a shared secret for use during authentication between a client and an authentication server, said client and authentication server being coupled to a data communication network, the method comprising:

receiving, at the authentication server, a first request from the client to establish the shared secret, said client being accessed by a user at the client;

provisioning an authentication token as the shared secret to the client in response to the received first request, said provisioned authentication token for use by the user accessing the client to authenticate the authentication server;

delivering, to the client for storage, configuration data identifying the provisioned authentication token;

receiving, at the authentication server via a second server, a second request from the client for content, said second request comprising the configuration data;

comparing an address of the second server to a list of valid referrers;

obtaining, from a memory area accessible to the authentication server, the authentication token associated with the received configuration data in response to determining that the second server is on the list of valid referrers; and

delivering the requested content and the obtained authentication token as the shared secret to the client via a frame of a web page of the second server in response to determining the second server to be on the list of valid referrers.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Protecting a user against web spoofing in which the user confirms the authenticity of a web page prior to submitting sensitive information such as user credentials (e.g., a login name and password) via the web page. The web page provides the user with an identifiable piece of information representing a shared secret between the user and the server. The user confirms the correctness of the shared secret to ensure the legitimacy of the web page prior to disclosing any sensitive information via the web page.

Citations

17 Claims

1. A method of establishing a shared secret for use during authentication between a client and an authentication server, said client and authentication server being coupled to a data communication network, the method comprising:
- receiving, at the authentication server, a first request from the client to establish the shared secret, said client being accessed by a user at the client;
  
  provisioning an authentication token as the shared secret to the client in response to the received first request, said provisioned authentication token for use by the user accessing the client to authenticate the authentication server;
  
  delivering, to the client for storage, configuration data identifying the provisioned authentication token;
  
  receiving, at the authentication server via a second server, a second request from the client for content, said second request comprising the configuration data;
  
  comparing an address of the second server to a list of valid referrers;
  
  obtaining, from a memory area accessible to the authentication server, the authentication token associated with the received configuration data in response to determining that the second server is on the list of valid referrers; and
  
  delivering the requested content and the obtained authentication token as the shared secret to the client via a frame of a web page of the second server in response to determining the second server to be on the list of valid referrers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein provisioning the authentication token comprises selecting an authentication token from a plurality of tokens.
  - 3. The method of claim 1, wherein provisioning the authentication token comprises:
    - presenting, in response to the received first request, a plurality of tokens to the client from which the client selects an authentication token as the shared secret; and
      
      receiving notification from the client of the selected authentication token.
  - 4. The method of claim 3, wherein the plurality of tokens comprises a plurality of images, and wherein presenting comprises delivering the plurality of tokens to the client from which the user accessing the client selects two images from the plurality of images as the shared secret.
  - 5. The method of claim 3, wherein the plurality of tokens comprises approximately fifty thousand tokens.
  - 6. The method of claim 3, wherein the plurality of tokens comprises a randomly-generated subset of available tokens.
  - 7. The method of claim 3, wherein each of the tokens is stored in a file conforming to a predetermined data size.
  - 8. The method of claim 3, wherein each of the tokens is stored in a file, and further comprising padding the file to a predetermined data size prior to presenting the plurality of tokens to the client.
  - 9. The method of claim 3, wherein each of the tokens is stored in a file, and further comprising compressing the file to a predetermined data size prior to presenting the plurality of tokens to the client.
  - 10. The method of claim 1, wherein the configuration data comprises a cookie.
  - 11. The method of claim 1, wherein the configuration data identifies the provisioned authentication token.
  - 12. The method of claim 1, wherein the configuration data includes a user identifier, said user identifier associated with the provisioned authentication token.
  - 13. The method of claim 1, wherein the authentication token comprises one or more of the following:
    - a sound, text, a color, and an image.
  - 14. The method of claim 1, wherein the receiving and the delivering occur over a secure sockets layer (SSL) in the data communication network.
  - 15. The method of claim 1, further comprising:
    - receiving, at the authentication server, a third request from the client for content, the third request comprising the configuration data;
      
      obtaining, from the memory area accessible to the authentication server, the authentication token associated with the received configuration data in response to the received request; and
      
      delivering the requested content to the client with the obtained authentication token as the shared secret.
  - 16. One or more computer readable storage media having computer-executable instructions for performing the method recited in claim 1.

17. A system for establishing a shared secret with a client coupled to a data communication network, said system comprising:
- an affiliate server coupled to the data communication network for providing content to the client, said affiliate server having a web page including a frame;
  
  an authentication server coupled to the data communication network, said authentication server being configured for;
  
  receiving a first request from the client, wherein said first request is a request to establish a shared secret;
  
  provisioning, to the client in response to receiving the first request, an authentication token as the shared secret, wherein said provisioned authentication token is for use by a user accessing the client to authenticate the authentication server,delivering, to the client for storage, configuration data identifying the provisioned authentication token,receiving, from the client via the affiliate server, a second request, wherein said second request is a request for content and comprises the configuration data,comparing an address of the affiliate server to a list of valid referrers to determine whether the affiliate server is a valid referrer to the authentication server, andobtaining, from a memory area accessible to the authentication server, the authentication token associated with the received configuration data and delivering, to the client via the frame of the web page of the affiliate server, the requested content and the obtained authentication token as the shared secret in response to determining the affiliate server is a valid referrer to the authentication server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Peterson, Christopher N., Paya, Ismail Cem, Chow, Trevin
Primary Examiner(s)
Davis; Zachary A

Application Number

US10/358,814
Time in Patent Office

2,603 Days
Field of Search

726 2- 4, 726/9, 726/21, 726 26- 30, 726/5, 726/8
US Class Current

726/8
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 63/0869   for achieving mutual authen...

H04L 63/1483   service impersonation, e.g....

H04L 9/0844   with user authentication or...

H04L 9/3234   involving additional secure...

H04L 9/3271   using challenge-response

H04N 21/2265   Server identification by a ...

H04N 21/25816   involving client authentica...

H04N 21/25875   involving end-user authenti...

Authentication of a server by a client to prevent fraudulent user interfaces

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication of a server by a client to prevent fraudulent user interfaces

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links