System and method for anti-phishing authentication

US 9,374,366 B1
Filed: 10/10/2013
Issued: 06/21/2016
Est. Priority Date: 09/19/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a processor of a server, a user identification code from a client requesting a connection with the server;

sending, by the processor of the server, commitment information to the client, the commitment information including hidden information without meaning to the client at the time of transmission, wherein the commitment information demonstrates that the server can determine a value of a dynamic credential before the server receives the dynamic credential from the client;

receiving, at the processor of the server, the dynamic credential from the client and validating the dynamic credential upon successful comparison to a calculated value;

sending, from the server, upon the successful comparison, a commitment key to the client, the commitment key enabling the client to utilize the commitment information to authenticate the server; and

authenticating the client by the server, with the dynamic credential and the static credential, wherein the static credential is received from the client in response to authentication of the server by the client using the commitment information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for providing security against phishing attacks. The method can include receiving a login ID from a client, and providing an encrypted commitment to the client. The method can also include receiving a one-time password (OTP) from the client, and validating the OTP. The method can also include sending a commitment key, to be authenticated by the client, receiving a static password from the client and authenticating the client. Embodiments of the invention are directed to a system for providing security against phishing attacks. The system can include one or more servers configured to receive a login ID from a client, and provide an encrypted commitment to the client. The processors can be configured to receive a one-time password (OTP) from the client, validate the OTP, send a commitment key, to be authenticated by the client, receive a static password from the client and authenticate the client.

Citations

15 Claims

1. A method comprising:
- receiving, at a processor of a server, a user identification code from a client requesting a connection with the server;
  
  sending, by the processor of the server, commitment information to the client, the commitment information including hidden information without meaning to the client at the time of transmission, wherein the commitment information demonstrates that the server can determine a value of a dynamic credential before the server receives the dynamic credential from the client;
  
  receiving, at the processor of the server, the dynamic credential from the client and validating the dynamic credential upon successful comparison to a calculated value;
  
  sending, from the server, upon the successful comparison, a commitment key to the client, the commitment key enabling the client to utilize the commitment information to authenticate the server; and
  
  authenticating the client by the server, with the dynamic credential and the static credential, wherein the static credential is received from the client in response to authentication of the server by the client using the commitment information.
- View Dependent Claims (2)
- - 2. The method of claim 1, wherein the client does not have the ability to check the validity of the commitment information until after the server receives the dynamic credential.

3. A method comprising:
- receiving, at a processor of a server, a user identification code from a client requesting a connection with the server;
  
  providing, by the processor of the server, commitment information that demonstrates that the server can determine a value of a dynamic credential before the client sends the dynamic credential to the server, the commitment information including hidden information without meaning to the client at the time of transmission;
  
  receiving, at the processor of the server, the dynamic credential from the client and validating the dynamic credential upon successful comparison to a calculated value;
  
  sending, from the server, upon the successful comparison, a commitment key to the client, the commitment key enabling the client to utilize the commitment information to authenticate the server; and
  
  receiving, by the processor, the static credential, after the client has authenticated the server using the commitment information.
- View Dependent Claims (4, 5)
- - 4. The method of claim 3, wherein the dynamic credential comprises a one-time password (OTP).
  - 5. The method of claim 4, wherein the OTP is derived from a name of the server.

6. A system comprising:
- a memory comprising instructions; and
  
  a processor operatively coupled to the memory, the processor to execute the instructions to perform operations comprising;
  
  receiving, at the processor of a server, a user identification code from a client requesting a connection with the server;
  
  sending, by the processor of the server, commitment information to the client, the commitment information including hidden information without meaning to the client at the time of transmission, wherein the commitment information demonstrates that the server can determine a value of a dynamic credential before the server receives the dynamic credential from the client;
  
  receiving, at the processor of the server, the dynamic credential from the client and validating the dynamic credential upon successful comparison to a calculated value;
  
  sending, from the server, upon the successful comparison, a commitment key to the client, the commitment key enabling the client to utilize the commitment information to authenticate the server; and
  
  authenticating the client by the server, with the dynamic credential and the static credential, wherein the static credential is received from the client in response to authentication of the server by the client using the commitment information.
- View Dependent Claims (7)
- - 7. The system of claim 6, wherein the client does not have the ability to check the validity of the commitment information until after the server receives the dynamic credential.

8. A system comprising:
- a memory comprising instructions; and
  
  a processor operatively coupled to the memory, the processor to execute the instructions to perform operations comprising;
  
  receiving, at the processor of a server, a user identification code from a client requesting a connection with the server;
  
  providing, by the processor of the server, commitment information that demonstrates that the server can determine a value of a dynamic credential before the client sends the dynamic credential to the server, the commitment information including hidden information without meaning to the client at the time of transmission;
  
  receiving, at the processor of the server, the dynamic credential from the client and validating the dynamic credential upon successful comparison to a calculated value;
  
  sending, from the server, upon the successful comparison, a commitment key to the client, the commitment key enabling the client to utilize the commitment information to authenticate the server; and
  
  receiving, by the processor, the static credential, after the client has authenticated the server using the commitment information.
- View Dependent Claims (9, 10)
- - 9. The system of claim 8, wherein the dynamic credential comprises a one-time password (OTP).
  - 10. The system of claim 9, wherein the OTP is derived from a name of the server.

11. A non-transitory computer readable storage medium including instructions that, when executed by a processor of a server, cause the processor to:
- receive, at the processor of the server, a user identification code from a client requesting a connection with the server;
  
  send, by the processor of the server, commitment information to the client, wherein the commitment information demonstrates that the server can determine a value of a dynamic credential before the server receives the dynamic credential from the client, the commitment information including hidden information without meaning to the client at the time of transmission;
  
  receive, at the processor of the server, the dynamic credential from the client and validating the dynamic credential upon successful comparison to a calculated value;
  
  send, from the server, upon the successful comparison, a commitment key to the client, the commitment key enabling the client to utilize the commitment information to authenticate the server;
  
  authenticate the client by the server, with the dynamic credential and the static credential, wherein the static credential is received from the client in response to authentication of the server by the client using the commitment information.
- View Dependent Claims (12)
- - 12. The non-transitory computer readable storage medium of claim 11, wherein the client does not have the ability to check the validity of the commitment information until after the server receives the dynamic credential.

13. A non-transitory computer readable storage medium including instructions that, when executed by a processor of a server, cause the processor to:
- receive, at the processor of the server, a user identification code from a client requesting a connection with the server;
  
  provide commitment information that demonstrates that the server can determine a value of a dynamic credential before the client sends the dynamic credential to the server, the commitment information including hidden information without meaning to the client at the time of transmission;
  
  receive, at the processor of the server, the dynamic credential from the client and validating the dynamic credential upon successful comparison to a calculated value;
  
  send, from the server, upon the successful comparison, a commitment key to the client, the commitment key enabling the client to utilize the commitment information to authenticate the server; and
  
  receive the static credential, after the client has authenticated the server using the commitment information.
- View Dependent Claims (14, 15)
- - 14. The non-transitory computer readable storage medium of claim 13, wherein the dynamic credential comprises a one-time password (OTP).
  - 15. The non-transitory computer readable storage medium of claim 14, wherein the OTP is derived from a name of the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
JP Morgan Chase Bank, N.A. (JP Morgan Chase & Co)
Original Assignee
JP Morgan Chase Bank, N.A. (JP Morgan Chase & Co)
Inventors
Benson, Glenn S.
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US14/051,079
Time in Patent Office

985 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 2221/2119   Authenticating web pages, e...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/0838   using one-time-passwords

H04L 63/0846   using time-dependent-passwo...

H04L 63/1475   Passive attacks, e.g. eaves...

H04L 63/1483   service impersonation, e.g....

H04L 9/3228   One-time or temporary data,...

System and method for anti-phishing authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for anti-phishing authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links