System and method for facilitating secure online transactions

US 8,327,142 B2
Filed: 02/05/2007
Issued: 12/04/2012
Est. Priority Date: 09/27/2006
Status: Active Grant

First Claim

Patent Images

1. A method for mutually authenticating a client and a server, the method comprising:

transmitting over a first data link a token including a unique session identifier generated by the server and signed with a private server key associated with a server certificate from the server to the client;

initiating a secure data transfer link from the client to the server in response to receiving the token, the secure data transfer link being independent of the first data link;

completing the secure data transfer link, the server certificate and a full requested Uniform Resource Locator (URL) identifier of the server as initially specified by the client being transmitted to the client during the completing of the secure data transfer link;

transmitting to the server over the secure data transfer link, a response packet including the full requested URL identifier of the server transmitted to the client during the completing of the secure data transfer link, a client certificate, the server certificate as received from the server during the completing of the secure data transfer link, the token, and an authenticity identifier corresponding to a private client key, the private client key being associated with the client certificate; and

validating the response packet.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for mutually authenticating a client and a server is provided in accordance with an aspect of the present invention. The method commences with transmitting a token from the server to the client. Thereafter, the method continues with establishing a secure data transfer link between the server and the client. A server certificate is transmitted to the client during the establishment of the secure data transfer link. The method continues with transmitting a response packet to the server, which is validated thereby upon receipt. The system includes a client authentication module that initiates the secure data transfer link and transmits the response packet, and a server authentication module that transmits the token and validates the response packet.

Citations

28 Claims

1. A method for mutually authenticating a client and a server, the method comprising:
- transmitting over a first data link a token including a unique session identifier generated by the server and signed with a private server key associated with a server certificate from the server to the client;
  
  initiating a secure data transfer link from the client to the server in response to receiving the token, the secure data transfer link being independent of the first data link;
  
  completing the secure data transfer link, the server certificate and a full requested Uniform Resource Locator (URL) identifier of the server as initially specified by the client being transmitted to the client during the completing of the secure data transfer link;
  
  transmitting to the server over the secure data transfer link, a response packet including the full requested URL identifier of the server transmitted to the client during the completing of the secure data transfer link, a client certificate, the server certificate as received from the server during the completing of the secure data transfer link, the token, and an authenticity identifier corresponding to a private client key, the private client key being associated with the client certificate; and
  
  validating the response packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the authenticity identifier is a cryptographic hash of the response packet, the authenticity identifier being signed with the private client key.
  - 3. The method of claim 1, wherein validating the response packet further includes validating the full requested URL identifier in the response packet against a URL associated with the server.
  - 4. The method of claim 1, wherein validating the response packet further includes validating the token in the response packet against a token stored on the server.
  - 5. The method of claim 2, wherein validating the response packet further includes validating a first copy of the server certificate stored in the server against a second copy of the server certificate in the response packet.
  - 6. The method of claim 1, wherein validating the response packet further includes validating the client certificate against a client signature on the response packet, the client signature being associated with the private client key.
  - 7. The method of claim 6, wherein the client certificate is unexpired.
  - 8. The method of claim 6, wherein the client certificate is issued to an organization associated with the server.
  - 9. The method of claim 1, wherein:
    - the client certificate is issued from a certificate server associated with an authorized certification authority; and
      
      the client certificate is linked to an organization associated with the server.
  - 10. The method of claim 8, wherein prior to issuing the client certificate, the method further includes validating the client with a challenge-response sequence.
  - 11. The method of claim 10, wherein a response to the challenge-response sequence is transmitted to a predetermined telephone device associated with a user.
  - 12. The method of claim 10, wherein a response to the challenge-response sequence is transmitted to a predetermined e-mail address associated with a user.

13. A method for authenticating a client to a server, the method comprising:
- receiving a token from the server over a first data link, the token including a unique session identifier generated by the server and signed with a private server key associated with a server certificate;
  
  initiating a secure data transfer link from the client to the server in response to receiving the token;
  
  receiving, from the server, the server certificate and a full requested Uniform Resource Locator (URL) identifier of the server as initially specified by the client, during completion of the secure data transfer link; and
  
  transmitting to the server over the secure data transfer link a response packet including the full requested URL identifier of the server received from the server by the client during the completion of the secure data transfer link, a client certificate, the server certificate as received from the server during completion of the secure data transfer link, the token, and an authenticity identifier corresponding to a private client key, the private client key being associated with the client certificate.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The method of claim 13, wherein the authenticity identifier is a cryptographic hash of the response packet, the authenticity identifier being signed with the private client key.
  - 15. The method of claim 13, wherein:
    - the client certificate is issued from a certificate server associated with an authorized certification authority; and
      
      the client certificate is linked to an organization associated with the server.
  - 16. The method of claim 13, wherein prior to issuing the client certificate, the method further includes validating the client with a challenge-response sequence.
  - 17. The method of claim 16, wherein a response to the challenge-response sequence is transmitted to a predetermined telephone device associated with a user.
  - 18. The method of claim 16, wherein a response to the challenge-response sequence is transmitted to a predetermined e-mail address associated with a user.

19. A method for authenticating a server to a client, the method comprising:
- transmitting a token from the server to the client over a first data link, the token including a unique session identifier generated by the server and signed with a private server key associated with a server certificate;
  
  completing a secure data transfer link between the server and the client based upon a request therefor from the client, the server certificate and a full requested Uniform Resource Locator (URL) identifier of the server as specified by the client in the request being transmitted to the client during the completing of the secure data transfer link; and
  
  transmitting to the server a response packet including the full requested URL identifier of the server transmitted to the client during the completing of the secure data transfer link, a client certificate, the server certificate as transmitted to the client during the completing of the secure data transfer link, the token, and an authenticity identifier corresponding to a private, client key, the private client key being associated with the client certificate.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. The method of claim 19, wherein the authenticity identifier is a cryptographic hash of the response packet, the authenticity identifier being signed with the private client key.
  - 21. The method of claim 19, wherein validating the response packet further includes validating the full requested URL identifier in the response packet against a URL associated with the server.
  - 22. The method of claim 19, wherein validating the response packet further includes validating the token in the response packet against a token stored on the server.
  - 23. The method of claim 19, wherein validating the response packet further includes validating a first copy of the server certificate stored on the server against a second copy of the server certificate stored in the response packet.
  - 24. The method of claim 19, wherein validating the response packet further includes validating the client certificate against a client signature on the response packet, the client signature being associated with the private client key.
  - 25. The method of claim 24, wherein the client certificate is unexpired.
  - 26. The method of claim 24, wherein the client certificate is issued to an organization associated with the server.
  - 27. The method of claim 19, wherein the client certificate is issued from a certificate server associated with an authorized certification authority.

28. An article of manufacture comprising a non-transitory program storage medium readable by a computer, the medium tangibly embodying one or more programs of instructions executable by the computer to perform a method for mutually authenticating a client and a server, the method comprising:
- transmitting over a first data link a token including a unique session identifier generated by the server and signed with a private server key associated with a server certificate from the server to the client;
  
  initiating a secure data transfer link from the client to the server in response to receiving the token, the secure data transfer link being independent of the first data link;
  
  completing the secure data transfer link, the server certificate and a full requested Uniform Resource Locator (URL) identifier of the server as specified by the client being transmitted to the client during the completing of the secure data transfer link;
  
  transmitting to the server over the secure data transfer link, a response packet including the full requested URL identifier of the server transmitted to the client during the completing of the secure data transfer link, a client certificate, the server certificate as received from the server during the completing of the secure data transfer link, the token, and an authenticity identifier corresponding to a private client key, the private client key being associated with the client certificate; and
  
  validating the response packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureAuth Incorporated
Original Assignee
SecureAuth Incorporated
Inventors
Lund, Craig, Grajek, Garret, Moore, Stephen
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Le, David

Application Number

US11/702,371
Publication Number

US 20080077796A1
Time in Patent Office

2,129 Days
Field of Search

None
US Class Current

713/169
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/0869   for achieving mutual authen...

H04L 63/166   at the transport layer

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/3239   involving non-keyed hash fu...

H04L 9/3263   involving certificates, e.g...

H04L 9/3273   for mutual authentication n...

System and method for facilitating secure online transactions

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for facilitating secure online transactions

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links