Mutual authentication

US 8,332,627 B1
Filed: 02/08/2007
Issued: 12/11/2012
Est. Priority Date: 02/08/2006
Status: Active Grant

First Claim

Patent Images

1. A method of mutual authentication between an authentication server and a user comprising the steps of:

an authentication server verifying a source of a request received at the authentication server from a first page displayed in a user device;

responsive to the verified request, the authentication server presenting a secured object to a second page in the user device, wherein the secured object is secured with respect to the second page and includes a passphrase, known by a user, and a credentials input text field, wherein the second page is different from the first page, wherein the passphrase is displayed on the second page only when the second page has a keyboard focus, and wherein the credentials input text field, but not the passphrase, is displayed when the second page does not have the keyboard focus;

wherein the presenting the passphrase to the user allows the user to authenticate the authentication server and allows the user to supply credentials of the user if the user successfully authenticates the authentication server from the passphrase;

the authentication server not obtaining the credentials of the user if an authentication of the authentication server by the user failed;

the authentication server obtaining the credentials of the user in response to a successful authentication of the authentication server by the user from the passphrase; and

the authentication server validating the credentials;

wherein the method is performed by one or more processors.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mutual authentication systems and methods are described that comprise an authenticating server that is available across a network and capable of authenticating a user based on credentials provided by the user. An embeddable object provided by the authenticating server and containing a passphrase that identifies the server to the user. A credentials entry mechanism identifies the user to the authenticating server. A user device displays an Outer Page that can request authentication. The authenticating server verifies the source of the request and provides the passphrase to the user device. The display of the passphrase confirms the identity of the authenticating server to the user. The source of the request can be verified using a secure cookie. The embeddable object can be provided in a second page and can prevent display of the passphrase if user input is not directed to the second page.

Citations

52 Claims

1. A method of mutual authentication between an authentication server and a user comprising the steps of:
- an authentication server verifying a source of a request received at the authentication server from a first page displayed in a user device;
  
  responsive to the verified request, the authentication server presenting a secured object to a second page in the user device, wherein the secured object is secured with respect to the second page and includes a passphrase, known by a user, and a credentials input text field, wherein the second page is different from the first page, wherein the passphrase is displayed on the second page only when the second page has a keyboard focus, and wherein the credentials input text field, but not the passphrase, is displayed when the second page does not have the keyboard focus;
  
  wherein the presenting the passphrase to the user allows the user to authenticate the authentication server and allows the user to supply credentials of the user if the user successfully authenticates the authentication server from the passphrase;
  
  the authentication server not obtaining the credentials of the user if an authentication of the authentication server by the user failed;
  
  the authentication server obtaining the credentials of the user in response to a successful authentication of the authentication server by the user from the passphrase; and
  
  the authentication server validating the credentials;
  
  wherein the method is performed by one or more processors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein the passphrase is maintained by an authenticating entity and the authentication server is provided by the authentication entity.
  - 3. The method of claim 1, wherein the step of validating is performed by the authentication server.
  - 4. The method of claim 3, wherein the step of verifying the source includes verifying a secure cookie provided by the user device and associated with the authenticating entity.
  - 5. The method of claim 3, wherein the user and the passphrase are pre-registered with the authenticating entity.
  - 6. The method of claim 3, wherein a copy of the credentials is maintained by the authenticating entity.
  - 7. The method of claim 3 wherein the first page is provided to the user device by Email.
  - 8. The method of claim 7 wherein the Email is encrypted.
  - 9. The method of claim 1, wherein the credentials include a password.
  - 10. The method of claim 1, wherein the first and second pages are displayed in a browser.
  - 11. The method of claim 10, wherein the second page includes active content and the step of presenting the secured object includes configuring the browser to direct user input of the credentials to the second page.
  - 12. The method of claim 11, wherein the passphrase is displayed at a randomly selected location in the browser.
  - 13. The method of claim 11, wherein the step of configuring the browser includes providing the second page with the keyboard focus.
  - 14. The method of claim 1 wherein the first page is provided to the user device from a web site.
  - 15. The method of claim 1 wherein the first page is provided to the user device by Email.
  - 16. The method of claim 1 wherein the first page is provided to the user device by locally accessible storage.
  - 17. The method of claim 1, wherein a warning phrase is displayed on the second page when the second page does not have the keyboard focus.
  - 18. The method of claim 1, wherein an alarm phrase is displayed on the second page to alert the user of a potential security-breach attack.

19. An apparatus, comprising:
- one or more processors;
  
  a non-transitory computer-readable storage medium storing one or more sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform;
  
  verifying a source of a request received at the authentication server from a first page displayed in a user device;
  
  responsive to the verified request, the authentication server presenting a secured object to a second page in the user device, wherein the secured object is secured with respect to the second page and includes a passphrase, known by a user, and a credentials input text field, wherein the second page is different from the first page, wherein the passphrase is displayed on the second page only when the second page has a keyboard focus, and wherein the credentials input text field, but not the passphrase, is displayed when the second page does not have the keyboard focus;
  
  wherein the presenting the passphrase to the user allows the user to authenticate the authentication server and allows the user to supply credentials of the user if the user successfully authenticates the authentication server from the passphrase;
  
  obtaining the credentials of the user in response to a successful authentication of the authentication server by the user from the passphrase.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 20. The apparatus of claim 19, wherein the passphrase is maintained by an authenticating entity and the authentication server is provided by the authentication entity.
  - 21. The apparatus of claim 20, wherein the user and the passphrase are pre-registered with the authenticating entity.
  - 22. The apparatus of claim 20, wherein a copy of the credentials is maintained by the authenticating entity.
  - 23. The apparatus of claim 19, wherein the non-transitory computer-readable storage medium further comprises instructions which, when executed by the one or more processors, cause the one or more processors to perform:
    - verifying a secure cookie provided by the user device and associated with the authenticating entity.
  - 24. The apparatus of claim 19, wherein the credentials include a password.
  - 25. The apparatus of claim 19, wherein the first and second pages are displayed in a browser.
  - 26. The apparatus of claim 19, wherein the second page includes active content;
    - wherein the non-transitory computer-readable storage medium further comprises instructions which, when executed by the one or more processors, cause the one or more processors to perform;
      
      configuring the browser to direct user input of the credentials to the second page.
  - 27. The apparatus of claim 19, wherein the passphrase is displayed at a randomly selected location in the browser.
  - 28. The apparatus of claim 19, wherein the non-transitory computer-readable storage medium further comprises instructions which, when executed by the one or more processors, cause the one or more processors to perform:
    - providing the second page with the keyboard focus.
  - 29. The apparatus of claim 19, wherein the first page is provided to the user device from a website.
  - 30. The apparatus of claim 19, wherein the first page is provided to the user device by Email.
  - 31. The apparatus of claim 19, wherein the first page is provided to the user device by locally accessible storage.
  - 32. The apparatus of claim 19, wherein the first page is provided to the user device by Email.
  - 33. The apparatus of claim 32, wherein the Email is encrypted.
  - 34. The apparatus of claim 19, wherein a warning phrase is displayed on the second page when the second page does not have the keyboard focus.
  - 35. The apparatus of claim 19, wherein an alarm phrase is displayed on the second page to alert the user of a potential security-breach attack.

36. A non-transitory computer-readable storage medium storing one or more sequences of instructions which, when executed by one or more processors, cause the one or more processors to perform:
- verifying a source of a request received at the authentication server from a first page displayed in a user device;
  
  responsive to the verified request, the authentication server presenting a secured object to a second page in the user device, wherein the secured object is secured with respect to the second page and includes a passphrase, known by a user, and a credentials input text field, wherein the second page is different from the first page, wherein the passphrase is displayed on the second page only when the second page has a keyboard focus, and wherein the credentials input text field, but not the passphrase, is displayed when the second page does not have the keyboard focus;
  
  wherein the presenting the passphrase to the user allows the user to authenticate the authentication server and allows the user to supply credentials of the user if the user successfully authenticates the authentication server from the passphrase;
  
  obtaining the credentials of the user in response to a successful authentication of the authentication server by the user from the passphrase.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52)
- - 37. The computer-readable storage medium of claim 36, wherein the passphrase is maintained by an authenticating entity and the authentication server is provided by the authentication entity.
  - 38. The computer-readable storage medium of claim 36, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to perform verifying a secure cookie provided by the user device and associated with the authenticating entity.
  - 39. The computer-readable storage medium of claim 36, wherein the user and the passphrase are pre-registered with the authenticating entity.
  - 40. The computer-readable storage medium of claim 36, wherein a copy of the credentials is maintained by the authenticating entity.
  - 41. The computer-readable storage medium of claim 36, wherein the credentials include a password.
  - 42. The computer-readable storage medium of claim 36, wherein the first and second pages are displayed in a browser;
    - wherein the second page includes active content.
  - 43. The computer-readable storage medium of claim 36, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to perform configuring the browser to direct user input of the credentials to the second page.
  - 44. The computer-readable storage medium of claim 36, wherein the passphrase is displayed at a randomly selected location in the browser.
  - 45. The computer-readable storage medium of claim 36, further comprising instructions which, when executed by the one or more processors, cause the one or more processors to perform providing the second page with the keyboard focus.
  - 46. The computer-readable storage medium of claim 36, wherein the first page is provided to the user device from a website.
  - 47. The computer-readable storage medium of claim 36, wherein the first page is provided to the user device by Email.
  - 48. The computer-readable storage medium of claim 36, wherein the first page is provided to the user device by locally accessible storage.
  - 49. The computer-readable storage medium of claim 36, wherein the first page is provided to the user device by Email.
  - 50. The computer-readable storage medium of claim 36, wherein the Email is encrypted.
  - 51. The computer-readable storage medium of claim 36, wherein a warning phrase is displayed on the second page when the second page does not have the keyboard focus.
  - 52. The computer-readable storage medium of claim 36, wherein an alarm phrase is displayed on the second page to alert the user of a potential security-breach attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Matthews, Brian L., Ullman, Cayce M., Olechowski, Scott, Warty, Ashish, Ullman, Schuyler
Primary Examiner(s)
Popham, Jeffrey D
Assistant Examiner(s)
GRACIA, GARY S

Application Number

US11/672,941
Time in Patent Office

2,133 Days
Field of Search

713182-184, 713/155, 713/186, 726 2- 7, 726/8, 726/22
US Class Current

713/155
CPC Class Codes

G06F 21/42   using separate channels for...

H04L 63/083   using passwords cryptograph...

H04L 63/0869   for achieving mutual authen...

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

Mutual authentication

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

52 Claims

Specification

Solutions

Use Cases

Quick Links

Mutual authentication

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

52 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links