Challenge-dynamic credential pairs for client/server request validation

US 9,608,975 B2
Filed: 03/30/2015
Issued: 03/28/2017
Est. Priority Date: 03/30/2015
Status: Expired due to Fees

First Claim

Patent Images

1. An intermediary computer system that is programmed to validate requests from a client computer to a server computer, the system comprising:

a memory;

a processor coupled to the memory;

a protocol client module that is coupled to the processor and the memory and configured to intercept a first set of instructions that define one or more original operations, which are configured to cause one or more requests to be sent to the server computer when executed by the client computer;

a forward transformer module that is coupled to the processor and the memory and configured to;

generate, at the intermediary computer system, a first challenge credential to be sent to the client computer;

render one or more first dynamic-credential instructions, which when executed by the client computer, cause the client computer to generate a first dynamic credential that corresponds to the first challenge credential and to include the first dynamic credential in the one or more requests from the client computer;

modify the first set of instructions to produce a modified second set of instructions, wherein the modified second set of instructions include the first challenge credential and the one or more first dynamic-credential instructions, and which when executed by the client computer, cause the first challenge credential to be included in the one or more requests sent from the client computer;

send the modified second set of instructions to the client computer.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer systems and methods in various embodiments are configured for improving the security and efficiency of server computers interacting through an intermediary computer with client computers that may be executing malicious and/or autonomous headless browsers or “bots”. In an embodiment, a computer system comprises: a memory; a processor coupled to the memory; a protocol client module that is coupled to the processor and the memory and configured to intercept a first set of instructions that define one or more original operations, which are configured to cause one or more requests to be sent to the server computer when executed by the client computer; a forward transformer module that is coupled to the processor and the memory and configured to: generate, at the intermediary computer system, a first challenge credential to be sent to the client computer; render one or more first dynamic-credential instructions, which when executed by the client computer, cause the client computer to generate a first dynamic credential that corresponds to the first challenge credential and to include the first dynamic credential in the one or more requests from the client computer; modify the first set of instructions to produce a second set of instructions, wherein the second set of instructions include the first challenge credential and the one or more first dynamic-credential instructions, and which when executed by the client computer, cause the first challenge credential to be included in the one or more requests sent from the client computer; send the second set of instructions to a second computer.

Citations

19 Claims

1. An intermediary computer system that is programmed to validate requests from a client computer to a server computer, the system comprising:
- a memory;
  
  a processor coupled to the memory;
  
  a protocol client module that is coupled to the processor and the memory and configured to intercept a first set of instructions that define one or more original operations, which are configured to cause one or more requests to be sent to the server computer when executed by the client computer;
  
  a forward transformer module that is coupled to the processor and the memory and configured to;
  
  generate, at the intermediary computer system, a first challenge credential to be sent to the client computer;
  
  render one or more first dynamic-credential instructions, which when executed by the client computer, cause the client computer to generate a first dynamic credential that corresponds to the first challenge credential and to include the first dynamic credential in the one or more requests from the client computer;
  
  modify the first set of instructions to produce a modified second set of instructions, wherein the modified second set of instructions include the first challenge credential and the one or more first dynamic-credential instructions, and which when executed by the client computer, cause the first challenge credential to be included in the one or more requests sent from the client computer;
  
  send the modified second set of instructions to the client computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The intermediary computer system of claim 1 further comprising:
    - a protocol server module coupled to the processor and the memory and configured to receive a request for data;
      
      a credential validation module coupled to the processor and the memory and configured to perform a negative responsive action in response to determining the request does not include a dynamic credential.
  - 3. The intermediary computer system of claim 1 further comprising:
    - a protocol server module coupled to the processor and the memory and configured to receive a request for data that includes the first challenge credential and a dynamic credential;
      
      a credential validation module coupled to the processor and the memory and configured to perform a negative responsive action in response to determining the challenge credential and the dynamic credential included in the request does not correspond to the first challenge credential.
  - 4. The intermediary computer system of claim 3, wherein the credential validation module is further configured to send a configurable response that indicates the request was invalid as at least part of performing the negative responsive action.
  - 5. The intermediary computer system of claim 1 further comprising:
    - a protocol server module coupled to the processor and the memory and configured to receive a request for data that includes a challenge credential and a dynamic credential;
      
      a credential validation module coupled to the processor and the memory and configured to determine that the challenge credential is the first challenge credential and determine that the dynamic credential is the first dynamic credential and corresponds to the first challenge credential;
      
      a reverse transformer coupled to the processor and the memory and configured to forward at least a portion of the request to the server computer in response to the credential validation module determining that the first dynamic credential corresponds to the first challenge credential.
  - 6. The intermediary computer system of claim 5, wherein the credential validation module is configured to determine that the first dynamic credential corresponds to the first challenge credential by determining a value stored in the intermediary computer system and associated with the first challenge credential matches the first dynamic credential.
  - 7. The intermediary computer system of claim 5, wherein the credential validation module is configured to determine that the first dynamic credential corresponds to the first challenge credential by performing one or more transformations to the dynamic credential to produce a transformed credential and determining that the transformed credential matches the first challenge credential.
  - 8. The intermediary computer system of claim 5, wherein:
    - the protocol client module is further configured to intercept a third set of instructions, which when executed by the client computer cause one or more second requests to be sent to the server computer;
      
      the forward transformer module is further configured to;
      
      generate, at the computer, a second challenge credential to be sent to the client computer, wherein the second challenge credential is different than the first challenge credential;
      
      render one or more second dynamic-credential instructions, which when executed by the client computer, cause the client computer to generate a second dynamic credential that corresponds to the first challenge credential and to include the second dynamic credential in the one or more second requests from the client computer, wherein the second dynamic credential is different than the first dynamic credential;
      
      modify the third set of instructions to produce a fourth set of instructions, wherein the fourth set of instructions include the second challenge credential and the one or more second dynamic-credential instructions, and which when executed by the client computer, cause the second challenge credential to be included in the one or more requests sent from the client computer when executed by the client computer; and
      
      send the fourth set of instructions to the client computer.
  - 9. The intermediary computer system of claim 1, wherein the first set of instructions comprises a web page and the modified second set of instructions includes a subset of instructions that cause the first challenge credential to be stored as a first cookie associated with the web page when the modified second set of instructions are executed by the client computer;
    - wherein the subset of instructions are not the one or more first dynamic-credential instructions;
      
      wherein the one or more first dynamic-credential instructions cause the first dynamic credential to be stored as a second cookie associated with the same web page when the modified second set of instructions are executed by the client computer.
  - 10. The intermediary computer system of claim 9, wherein the subset of instructions is a single line of structured data within a header section defined in the web page, and the one or more first dynamic-credential instructions are configured to be executed after the web page is loaded by a browser being executed on the client computer.
  - 11. The intermediary computer system of claim 1, wherein the modified second set of instructions include the one or more first dynamic-credential instructions by reference.
  - 12. The intermediary computer system of claim 1 further comprising:
    - a protocol server module coupled to the processor and the memory and configured to receive a request for data that includes a challenge credential and a dynamic credential;
      
      a credential validation module coupled to the processor and the memory and configured to;
      
      determine that the challenge credential is the first challenge credential and associated with a one or more first parameters;
      
      determine that the dynamic credential is the first dynamic credential and associated with one or more second parameters;
      
      determine that the dynamic credential corresponds to the first challenge credential, the one or more first parameters are satisfied and the one or more second parameters are satisfied;
      
      a reverse transformer coupled to the processor and the memory and configured to forward at least a portion of the request to the server computer in response to the credential validation module determining that the one or more first parameters are satisfied, the one or more second parameters are satisfied, and the first dynamic credential corresponds to the first challenge credential.

13. A method for validating requests from a client computer, the method comprising:
- receiving a one or more instructions that define a first challenge credential, one or more first dynamic-credential instructions, and a first object to be displayed to a user;
  
  storing the first challenge credential;
  
  executing the one or more first dynamic-credential instructions to produce a first dynamic credential that corresponds to the first challenge credential;
  
  causing displaying the object;
  
  receiving a first input from the user indicating that the user selected the first object, and in response, sending a first request to a server computer for a first set of data, wherein the first request is based on the object and includes the first challenge credential and the first dynamic credential;
  
  receiving, from the server computer, the first set of data and one or more second dynamic-credential instructions, and in response, executing the one or more second dynamic-credential instructions to produce a second dynamic credential that corresponds to the first challenge credential, wherein the one or more second dynamic-credential instructions are different than the one or more first dynamic-credential instructions and the second dynamic credential is different than the first dynamic credential;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The method of claim 13 further comprising:
    - receiving a second input from the user, and in response, sending a second request to the server computer for a second set of data, wherein the second request comprises the first challenge credential and the second dynamic credential;
      
      receiving, from the server computer and in response to the second request that included the first challenge credential and the second dynamic credential that corresponds to the first challenge credential, the second set of data.
  - 15. The method of claim 14 further comprising:
    - receiving the second set of data comprising a second challenge credential that corresponds to the second dynamic credential;
      
      storing the second challenge credential and deleting the first challenge credential;
      
      receiving a third input from the user, and in response, sending a third request to the server computer for a third set of data, wherein the third request comprises the second challenge credential and the second dynamic credential;
      
      receiving, from the server computer and in response to the third request that included the first challenge credential and the second dynamic credential that corresponds to the first challenge credential, the third set of data.
  - 16. The method of claim 13 further comprising:
    - after a particular time, receiving a second input from the user, and in response, sending a second request to the server computer for a second set of data, wherein the second request comprises the first challenge credential and the second dynamic credential;
      
      receiving, from the server computer and in response to the second request that included the first challenge credential and the second dynamic credential that no longer corresponds to the first challenge credential, an error indicating that the request is not valid because the second dynamic credential does not correspond with the first challenge credential.
  - 17. The method of claim 13, wherein storing the first challenge credential comprises storing the first challenge credential as a browser cookie that is configured to be included in any request for data from a particular domain.
  - 18. The method of claim 13, wherein executing the one or more first dynamic-credential instructions causing storing the first dynamic credential as a browser cookie that is configured to be included in any request for data from a particular domain.
  - 19. The method of claim 13, wherein executing the one or more first dynamic-credential instructions causing generating the first dynamic credential based on a value of the first challenge credential.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Shape Security Inc. (F5 Incorporated)
Original Assignee
Shape Security Inc. (F5 Incorporated)
Inventors
Hidayat, Ariya, Call, Justin
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
CATTUNGAL, DEREENA T

Application Number

US14/673,669
Publication Number

US 20160294796A1
Time in Patent Office

729 Days
Field of Search

713/201, 726 4- 7
US Class Current

1/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/445   by mutual authentication, e...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

Challenge-dynamic credential pairs for client/server request validation

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Challenge-dynamic credential pairs for client/server request validation

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links