System and method for anti-phishing authentication

US 9,661,021 B2
Filed: 05/18/2016
Issued: 05/23/2017
Est. Priority Date: 09/19/2005
Status: Active Grant

First Claim

Patent Images

1. A method for providing security against phishing attacks during client access of a server, the method comprising:

providing from the server, upon initiation of a client-server session by the client, an encrypted commitment;

receiving at the server, a dynamic credential from the client, in response to receipt of the encrypted commitment;

validating the dynamic credential at the server;

upon successful validation, transmitting from the server, a commitment key to the client, the commitment key enabling the client to authenticate the server, wherein the client is prohibited from transmitting a static credential until the client authenticates the server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for providing security against phishing attacks. The method can include receiving a login ID from a client, and providing an encrypted commitment to the client. The method can also include receiving a one-time password (OTP) from the client, and validating the OTP. The method can also include sending a commitment key, to be authenticated by the client, receiving a static password from the client and authenticating the client. Embodiments of the invention are directed to a system for providing security against phishing attacks. The system can include one or more servers configured to receive a login ID from a client, and provide an encrypted commitment to the client. The processors can be configured to receive a one-time password (OTP) from the client, validate the OTP, send a commitment key, to be authenticated by the client, receive a static password from the client and authenticate the client.

652 Citations

20 Claims

1. A method for providing security against phishing attacks during client access of a server, the method comprising:
- providing from the server, upon initiation of a client-server session by the client, an encrypted commitment;
  
  receiving at the server, a dynamic credential from the client, in response to receipt of the encrypted commitment;
  
  validating the dynamic credential at the server;
  
  upon successful validation, transmitting from the server, a commitment key to the client, the commitment key enabling the client to authenticate the server, wherein the client is prohibited from transmitting a static credential until the client authenticates the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising receiving, from the client, a login ID to initiate the client-server session.
  - 3. The method of claim 2, wherein the login ID is a time-based one time use password accessible to both the server and the client.
  - 4. The method of claim 1, further comprising receiving, at the server the static credential upon authentication of the server by the client and authenticating the client at the server.
  - 5. The method of claim 1, wherein if validation of the dynamic credential is unsuccessful, the server terminates the client-server session.
  - 6. The method of claim 1, wherein client-side code stores the received encrypted commitment and the commitment key.
  - 7. The method of claim 1, wherein the client lacks the ability to check validity of the commitment information until the server receives the dynamic credential.
  - 8. The method of claim 1, further comprising embedding a name of the server into an algorithm for generating the dynamic credential.
  - 9. The method of claim 8, further comprising providing from the server an email to the client containing the dynamic credential prior to initiation of the client-server session.
  - 10. The method of claim 9, further comprising validating the server at the client utilizing the embedded server name.

11. A system for providing security against phishing attacks during client access of a server, the system comprising:
- a server including a processor programmed and configured to perform the steps of;
  
  providing from the server, upon initiation of a client-server session over a network by the client, an encrypted commitment;
  
  receiving at the server, a dynamic credential from the client, in response to receipt of the encrypted commitment;
  
  validating the dynamic credential at the server;
  
  upon successful validation, transmitting from the server, a commitment key to the client, the commitment key enabling the client to authenticate the server, wherein the client is prohibited from transmitting a static credential until the client authenticates the server.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, further comprising receiving,from the client, a login ID to initiate the client-server session.
  - 13. The system of claim 12, wherein the login ID is a time-based one time use password accessible to both the server and the client.
  - 14. The system of claim 11, further comprising receiving, at the server the static credential upon authentication of the server by the client and authenticating the client at the server.
  - 15. The system of claim 11, wherein if validation of the dynamic credential is unsuccessful, the server terminates the client-server session.
  - 16. The system of claim 11, wherein client-side code stores the received encrypted commitment and the commitment key.
  - 17. The system of claim 11, wherein the client lacks the ability to check validity of the commitment information until the server receives the dynamic credential.
  - 18. The system of claim 11, further comprising embedding a name of the server into an algorithm for generating the dynamic credential.
  - 19. The system of claim 18, further comprising providing from the server an email to the client containing the dynamic credential prior to initiation of the client-server session.
  - 20. The system of claim 19, further comprising validating the server at the client utilizing the embedded server name.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
JP Morgan Chase Bank, N.A. (JP Morgan Chase & Co)
Original Assignee
JP Morgan Chase Bank, N.A. (JP Morgan Chase & Co)
Inventors
Benson, Glenn S.
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US15/157,515
Publication Number

US 20160261630A1
Time in Patent Office

370 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 2221/2119   Authenticating web pages, e...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/0838   using one-time-passwords

H04L 63/0846   using time-dependent-passwo...

H04L 63/1475   Passive attacks, e.g. eaves...

H04L 63/1483   service impersonation, e.g....

H04L 9/3228   One-time or temporary data,...

System and method for anti-phishing authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

652 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for anti-phishing authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

652 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links