Facilitating secure online transactions

US 9,294,288 B2
Filed: 03/27/2014
Issued: 03/22/2016
Est. Priority Date: 09/27/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a request for a Uniform Resource Locator (URL) identifier;

generating a unique session identifier;

transmitting, over a first TCP connection, a token including the unique session identifier, said token signed with a private key associated with a server certificate;

receiving a first response to transmitting the token comprising a request to initiate a secure data transfer link over a second TCP connection, the second TCP connection being distinct from the first TCP connection;

transmitting the server certificate and the Uniform Resource Locator (URL) identifier over the second TCP connection;

in response to transmitting the server certificate and the Uniform Resource Locator (URL) identifier over the second TCP connection, receiving a second response over the first TCP connection comprising the URL identifier and an authenticity identifier corresponding to a second private key associated with a second certificate distinct from the server certificate; and

validating the second response,said method performed by a computing system that comprises one or more computing devices.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for mutually authenticating an identity and a server is provided in accordance with an aspect of the present invention. The method commences with transmitting a token from the server. Thereafter, the method continues with establishing a secure data transfer link. A server certificate is transmitted during the establishment of the secure data transfer link. The method continues with transmitting a response packet to the server, which is validated thereby upon receipt. The system includes an authentication module that initiates the secure data transfer link and transmits the response packet, and a server authentication module that transmits the token and validates the response packet.

Citations

24 Claims

1. A method comprising:
- receiving a request for a Uniform Resource Locator (URL) identifier;
  
  generating a unique session identifier;
  
  transmitting, over a first TCP connection, a token including the unique session identifier, said token signed with a private key associated with a server certificate;
  
  receiving a first response to transmitting the token comprising a request to initiate a secure data transfer link over a second TCP connection, the second TCP connection being distinct from the first TCP connection;
  
  transmitting the server certificate and the Uniform Resource Locator (URL) identifier over the second TCP connection;
  
  in response to transmitting the server certificate and the Uniform Resource Locator (URL) identifier over the second TCP connection, receiving a second response over the first TCP connection comprising the URL identifier and an authenticity identifier corresponding to a second private key associated with a second certificate distinct from the server certificate; and
  
  validating the second response,said method performed by a computing system that comprises one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the authenticity identifier comprises a cryptographic hash of the second response, the authenticity identifier being signed with the second private key.
  - 3. The method of claim 1, wherein validating the second response includes validating the requested URL identifier in the second response against a URL associated with an authentication process.
  - 4. The method of claim 1, wherein the second response further comprises the token, and wherein validating the second response includes validating the token in the second response against a stored token.
  - 5. The method of claim 1, wherein the second response further comprises the server certificate as transmitted over the second TCP connection, and wherein validating the second response includes validating the server certificate in the second response against a stored server certificate.
  - 6. The method of claim 1, wherein validating the second response includes validating the second certificate against the authenticity identifier.
  - 7. The method of claim 1, wherein the second response comprises a response packet.

8. A method for authenticating an identity to a server comprising one or more computing devices, the method comprising:
- transmitting a request for a Uniform Resource Locator (URL) identifier;
  
  receiving from the sever over a first TCP connection, a token including a unique session identifier, said token signed with a private key associated with a server certificate;
  
  initiating a secure data transfer link to the server over a second TCP connection in response to receiving the token, the second TCP connection being distinct from the first TCP connection;
  
  receiving the server certificate and the URL identifier over the second TCP connection;
  
  in response to receiving the server certificate and the URL identifier over the second TCP connection, transmitting a response over the first TCP connection comprising the URL identifier and an authenticity identifier corresponding to a second private key associated with a second certificate distinct from the server certificate.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, wherein the authenticity identifier comprises a cryptographic hash of the response, the authenticity identifier being signed with the second private key.
  - 10. The method of claim 8, wherein:
    - the second certificate is issued from a certificate server associated with an authorized certification authority; and
      
      the second certificate is linked to an organization associated with the server.
  - 11. The method of claim 10, wherein prior to issuing the second certificate, the method further comprises validating the identity with a challenge-response sequence.
  - 12. The method of claim 11, wherein the challenge-response sequence comprises a response that is transmitted to a predetermined telephone device associated with the identity.
  - 13. The method of claim 11, wherein the challenge-response sequence comprises a response that is transmitted to a predetermined e-mail address associated with the identity.

14. A system for authenticating an identity, the system comprising:
- a computing system comprising one or more computing devices, said computing system programmed via executable instructions to at least;
  
  generate a unique session identifier;
  
  transmit a token to a second computing system over a first TCP connection, the token including the unique session identifier, said token signed with a private key associated with a server certificate;
  
  establish a secure data transfer link over a second TCP connection at least partly in response to a request from the second computing system, wherein establishing the secure data transfer link comprises transmitting to the second computing system the server certificate and a Uniform Resource Locator (URL) identifier as specified by the second computer;
  
  receive from the second computing system a response over the first TCP connection, the response comprising the URL identifier and an authenticity identifier corresponding to a second private key associated with a second certificate distinct from the server certificate; and
  
  validate the response.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The system of claim 14, wherein the authenticity identifier comprises a cryptographic hash of the response, the authenticity identifier being signed with the second private key.
  - 16. The system of claim 14, wherein validating the response further includes validating the URL identifier in the response against a URL associated with the one or more computing devices.
  - 17. The system of claim 14, wherein the response further comprises the token, and wherein validating the response further includes validating the token in the response against a token stored by the one or more computing devices.
  - 18. The system of claim 14, wherein the response further comprises the server certificate as transmitted to the second computing system, and wherein validating the response further includes validating the server certificate in the response against a copy of the server certificate stored in the one or more computing devices.
  - 19. The system of claim 14, wherein the response further comprises the second certificate, and wherein validating the response further comprises validating the second certificate against the authenticity identifier.

20. Non-transitory computer storage that comprises executable instructions that direct a computing system to at least:
- receive a request for a Uniform Resource Locator (URL) identifier at a server;
  
  transmit over a first TCP connection, a token including a unique session identifier generated by a server, said token signed with a private key associated with a server certificate;
  
  receive a first response to transmitting the token comprising a request to initiate a secure data transfer link over a second TCP connection, the second TCP connection being distinct from the first TCP connection;
  
  initiate the secure data transfer link over the second TCP connection in response to the request for a secure data transfer link;
  
  transmit the server certificate and the Uniform Resource Locator (URL) identifier over the second TCP connection;
  
  receive a second response over the first TCP connection, the second response comprising the URL identifier and an authenticity identifier corresponding to a second private key associated with a second certificate distinct from the server certificate; and
  
  validate the second response.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The non-transitory computer storage of claim 20, wherein the authenticity identifier includes a cryptographic hash of the second response, the authenticity identifier being signed with the second private key.
  - 22. The non-transitory computer storage of claim 20, wherein the second response further comprises the token, and wherein validating the second response further includes validating the token in the second response against a token stored by the server.
  - 23. The non-transitory computer storage of claim 20, wherein the second response further comprises the server certificate as transmitted over the second TCP connection, and wherein validating the second response further includes validating the server certificate in the second response against a copy of the server certificate stored at the server.
  - 24. The non-transitory computer storage of claim 20, wherein the second response further comprises the second certificate and a signature associated with the second private key, and wherein validating the second response further includes validating the second certificate against the signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureAuth Incorporated
Original Assignee
SecureAuth Incorporated
Inventors
Lund, Craig J., Grajek, Garret F., Moore, Stephen, Lambiase, Mark V.
Primary Examiner(s)
Le, David

Application Number

US14/228,165
Publication Number

US 20140215213A1
Time in Patent Office

726 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/0869   for achieving mutual authen...

H04L 63/166   at the transport layer

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/3239   involving non-keyed hash fu...

H04L 9/3263   involving certificates, e.g...

H04L 9/3273   for mutual authentication n...

Facilitating secure online transactions

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Facilitating secure online transactions

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links