Authentication of a server by a client to prevent fraudulent user interfaces
First Claim
1. A method of authentication between a client and a server including a shared secret, said client and server being coupled to a data communication network, said client including a computer system having a client display and a user interface selection device, the method comprising:
delivering a plurality of data to the client for rendering on the client display;
selecting, in response to a user accessing the client, at least two pieces of data from the delivered plurality of data via the user interface selection device;
associating the selected two pieces of data with an authentication token as the shared secret;
delivering, by the server, configuration data to the client by writing a cookie that contains a user identifier and an encrypted random number to a subdirectory off the web root, wherein the cookie is sent in response to a request to the subdirectory off the web root;
maintaining, by the server, an association between the authentication token and the configuration data;
receiving, at the server, a request from the client for content via the user interface selection device, the request comprising the configuration data associated with the authentication token;
obtaining, from a memory area accessible to the server, the authentication token associated with the received configuration data in response to the received request;
storing, at the server, the authentication token in a file conforming to a predetermined data size;
modifying the requested content to include the obtained authentication token; and
delivering the requested content to the client with the file as the shared secret, wherein the client authenticates the server with the authentication token.
Abstract
Protecting a user against web spoofing in which the user confirms the authenticity of a web page prior to submitting sensitive information such as user credentials (e.g., a login name and password) via the web page. The web page provides the user with an identifiable piece of information representing a shared secret between the user and the server. The user confirms the correctness of the shared secret to ensure the legitimacy of the web page prior to disclosing any sensitive information via the web page.
17 Claims
14. One or more tangible computer-readable storage media not including propagating signals having computer-executable instructions stored thereon for authentication between a client and a server including a shared secret, said client and server being coupled to a data communication network, said client including a computer system having a client display, the instructions comprising instructions for:
delivering a plurality of data to the client for rendering on the client display;
selecting, in response to a user accessing the client, at least two pieces of data from the delivered plurality of data via the user interface selection device;
associating the selected two pieces of data with an authentication token as the shared secret;
delivering, by the server, configuration data to the client by writing a cookie that contains a user identifier and an encrypted random number to a subdirectory off the web root, wherein the cookie is sent in response to a request to the subdirectory off the web root before a request is made to the server for content;
maintaining, by the server, an association between the authentication token and the configuration data;
receiving, at the server via the data communication network, the request from the client for content, the request comprising the configuration data associated with the authentication token;
obtaining, from a memory area accessible to the server, the authentication token associated with the received configuration data in response to the received request;
storing, at the server, the authentication token in a file conforming to a predetermined data size;
modifying the requested content to include the obtained authentication token; and
delivering the requested content to the client with the file as the shared secret, wherein the client authenticates the server with the authentication token.
16. A system for authentication between a client and a server including a shared secret, said client and server being coupled to a data communication network, said client including a computer system having a client display, the system comprising:
a database accessible to the server, said database storing a record having a first field storing configuration data and a second field identifying an authentication token associated with the configuration data stored in the first field; and
a processor associated with the server, said processor executing computer-executable instructions to perform:
delivering a plurality of tokens to the client for rendering on the client display, wherein a user selects an authentication token from the delivered plurality of tokens;
delivering, by the server, the configuration data to the client by writing a cookie that contains a user identifier and an encrypted random number to a subdirectory off the web root, wherein the cookie is sent in response to a request to the subdirectory off the web root;
maintaining, by the server on the database, an association between the authentication token and the configuration data;
receiving, at the server, a request from the client for content, the request comprising the configuration data;
obtaining, from the database, the authentication token associated with the received configuration data in response to the received request;
storing, at the server, the authentication token in a file conforming to a predetermined data size, said file being padded to the predetermined data size;
modifying the requested content to include the obtained authentication token;
delivering the requested content to the client with the file as the shared secret, the requested content including a field for receiving a credential from the client after the client authenticates the server with the authentication token.
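The flow the claims describe, modelled server-side as an added example (not the patent's own code): enrolment binds the user's selected pieces to a token and writes a cookie scoped to a subdirectory path, the content handler looks the token up by that cookie, pads it to a fixed size and embeds it in the page, and the client compares it before entering a credential. The function names, the `/auth` path, the 64-byte file size and the HMAC-keystream "encryption" of the random number are assumptions standing in for the patent's unspecified choices.

```python
import hashlib, hmac, secrets
from http.cookies import SimpleCookie

TOKEN_FILE_SIZE = 64                  # assumed "predetermined data size" of the padded token file
SERVER_KEY = secrets.token_bytes(32)  # server-side key used to encrypt the cookie's random number
ASSOCIATIONS = {}                     # configuration data -> authentication token (stands in for the database)

def _encrypt_random(key, nonce, data):
    # Stand-in for a real cipher: XOR with an HMAC-derived keystream. Illustrative only,
    # a production server would use an AEAD so the cookie value cannot be tampered with.
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def enroll(user_id, picked):
    """User picked at least two pieces of rendered data; bind them to a token, mint the cookie."""
    if len(picked) < 2:
        raise ValueError("at least two pieces of data must be selected")
    token = " ".join(picked)
    nonce = secrets.token_bytes(16)
    enc_rand = _encrypt_random(SERVER_KEY, nonce, secrets.token_bytes(16))
    config = f"{user_id}:{nonce.hex()}:{enc_rand.hex()}"   # user identifier + encrypted random number
    ASSOCIATIONS[config] = token
    cookie = SimpleCookie()
    cookie["cfg"] = config
    cookie["cfg"]["path"] = "/auth"      # subdirectory off the web root: browser sends it only there
    cookie["cfg"]["secure"] = True
    cookie["cfg"]["httponly"] = True
    return config, cookie.output(header="Set-Cookie:")

def padded_token_file(token):
    """The token as a file of fixed size, so its length leaks nothing about the secret chosen."""
    raw = token.encode()
    if len(raw) > TOKEN_FILE_SIZE:
        raise ValueError("token exceeds the predetermined data size")
    return raw + b"\0" * (TOKEN_FILE_SIZE - len(raw))

def serve_login_page(cookie_header):
    """Handle a content request to /auth: resolve the token from the cookie and embed it."""
    jar = SimpleCookie(cookie_header)
    config = jar["cfg"].value if "cfg" in jar else None
    token = ASSOCIATIONS.get(config)
    if token is None:
        return None   # unknown configuration data: show no secret and no credential field
    body = f'<p id="secret">{token}</p><form><input name="password"></form>'
    return body, padded_token_file(token)

def client_verifies(body, expected_token):
    """The user's check before typing a credential: the page shows exactly the token they chose."""
    return f'<p id="secret">{expected_token}</p>' in body
```

A spoofed page that never received the cookie (or received it for a different path) cannot show the right token, which is what the user's check detects.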