Algorithm hardening in background context and external from the browser to prevent malicious intervention with the browser

US 9,979,717 B2
Filed: 09/25/2015
Issued: 05/22/2018
Est. Priority Date: 09/25/2015
Status: Active Grant

First Claim

Patent Images

1. A system for managing user credentials, comprising:

one or more hardware processors;

memory coupled to the one or more hardware processors on which are stored instructions, comprising instructions that when executed cause at least some of the one or more hardware processors to;

perform user authentication to a web site in a non-rendered application, establishing an authenticated session with the web site, wherein the non-rendered application establishes the authenticated session by logging into the web site with credentials;

generate a session configuration data about the established authenticated session by the non-rendered application;

send the session configuration data to a rendering application; and

use the session configuration data by transferring the established session from the non-rendered application to the rendering application to continue the authenticated session for continued access to the web site for the authenticated session.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for hardening the entry of user credentials in web sites is described. A headless web browser authenticates the user to a target web site with credentials previously stored in a secure database, and generates a session cookie. The headless browser provides the session cookie to the user'"'"'s web browser, allowing the user to continue the session established by the headless browser.

3 Citations

View as Search Results

25 Claims

1. A system for managing user credentials, comprising:
- one or more hardware processors;
  
  memory coupled to the one or more hardware processors on which are stored instructions, comprising instructions that when executed cause at least some of the one or more hardware processors to;
  
  perform user authentication to a web site in a non-rendered application, establishing an authenticated session with the web site, wherein the non-rendered application establishes the authenticated session by logging into the web site with credentials;
  
  generate a session configuration data about the established authenticated session by the non-rendered application;
  
  send the session configuration data to a rendering application; and
  
  use the session configuration data by transferring the established session from the non-rendered application to the rendering application to continue the authenticated session for continued access to the web site for the authenticated session.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the rendering application is a web browser and the non-rendered application is a headless browser.
  - 3. The system of claim 1, wherein the session configuration data is a session cookie.
  - 4. The system of claim 1, wherein instructions that when executed cause at least some of the one or more hardware processors to perform user authentication to the web site in a non-rendered application comprise instructions that when executed cause at least some of the one or more hardware processors to:
    - detect user authentication prompts by a web site in a rendering application.
  - 5. The system of claim 1, wherein instructions that when executed cause at least some of the one or more hardware processors to perform user authentication to the web site in a non-rendered application comprise instructions that when executed cause at least some of the one or more hardware processors to:
    - request a master key;
      
      access a credentials database to obtain credentials for the web site;
      
      decrypt the credentials with the master key by the non-rendered application; and
      
      inject the credentials by the non-rendered application into an authentication form for the web site.
  - 6. The system of claim 1, wherein the instructions further comprise instructions that when executed cause at least some of the one or more hardware processors to:
    - receive a request to reset credentials for a web site;
      
      transmit current credentials for the web site to a server configured to cause a reset of credentials for the web site; and
      
      receive new credentials for the web site from the server.
  - 7. The system of claim 6, wherein the new credentials received from the server are encrypted and wherein the instructions further comprise instructions that when executed cause at least some of the one or more hardware processors to:
    - decrypt the new credentials; and
      
      re-encrypt the new credentials with a master key unknown to the server; and
      
      store the encrypted new credentials in a credentials database.

8. A non-transitory machine readable storage medium, on which are stored instructions for managing user credentials, comprising instructions that when executed by a hardware processor, cause a machine to:
- obtain credentials by an extension background module from a credentials database;
  
  decrypt the credentials and pass the decrypted credentials to a non-rendered application;
  
  establish by the non-rendered application an authenticated session for a user at a web site by logging into the web site using the decrypted credentials; and
  
  pass session configuration data about the established authenticated session from the non-rendered application to a browser, the session configuration data sufficient to allow the browser to continue the authenticated session using the session configuration data for continued access to the web site for the authenticated session.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 9. The machine readable medium of claim 8, wherein the session configuration data about the authenticated session comprises a session cookie generated by the non-rendered application.
  - 10. The machine readable medium of claim 8, wherein the non-rendered application is a headless browser.
  - 11. The machine readable medium of claim 8, wherein the credentials database stores encrypted credentials.
  - 12. The machine readable medium of claim 8, wherein the instructions that when executed cause the machine to decrypt the credentials comprises instructions that when executed cause the machine to:
    - request a master key from the user by the extension background module; and
      
      decrypt the credentials by the extension background module using the master key.
  - 13. The machine readable medium of claim 8, wherein the instructions that when executed cause the machine to establish by the non-rendered application an authenticated session for the user at the web site by loading into the web site using the decrypted credentials comprise instructions that when executed cause the machine to:
    - inject by the extension background module a content script for the web site into a web page received from the web site, the content script configured to provide the credentials to the web site.
  - 14. The machine readable medium of claim 8 wherein the extension background module executes in a secure enclave.
  - 15. The machine readable medium of claim 8, wherein the instructions further comprise instructions that when executed cause the machine to:
    - identify a web site for which credentials are to be reset;
      
      obtain current credentials for the user for the web site;
      
      send the current credentials to a server configured to reset the credentials for the user at the web site; and
      
      receive new credentials for the user for the web site.
  - 16. The machine readable medium of claim 15, wherein the new credentials are received from a headless browser instantiated to reset the credentials for the user at the web site.
  - 17. The machine readable medium of claim 15, wherein the instructions further comprise instructions that when executed cause the machine to:
    - replace the current credentials with the new credentials in the credentials database.

18. A method for securely managing credentials, comprising:
- obtaining credentials for a user for a web site from a credentials database by an extension background module;
  
  establishing an authenticated session for the user by using the obtained credentials to login to the web site by a non-rendered application;
  
  providing session configuration data about the established authenticated session from the non-rendered application to a rendered application; and
  
  continuing the established authenticated session with the web site in the rendered application using the session configuration data for continued access to the web site for the authenticated session.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The method of claim 18, wherein the non-rendered application is a headless browser.
  - 20. The method of claim 18, further comprising:
    - identifying credentials for a web site to be reset;
      
      sending the credentials to a server configured to reset the credentials on behalf of the user;
      
      receiving new credentials for the web site; and
      
      replacing the credentials for the web site to be reset with the new credentials in the credentials database.
  - 21. The method of claim 18, where one or more of the extension background module and the non-rendered application execute in a secure enclave.
  - 22. The method of claim 18, wherein the session configuration data is a session cookie.
  - 23. The method of claim 18, wherein the non-rendered application is a headless browser.
  - 24. The method of claim 18, where obtaining credentials comprises:
    - obtaining a master key;
      
      obtaining credentials from the credentials database; and
      
      decrypting the credentials obtained from the credentials database using the master key.
  - 25. The method of claim 18, wherein establishing an authenticated session comprises:
    - injecting a content script into a web form by the non-rendered application that injects the credentials into an authentication form.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Whiteside, Greg, Beaulieu, Olivier, Rene, Mathieu
Primary Examiner(s)
Chai, Longbit

Application Number

US14/865,140
Publication Number

US 20170093839A1
Time in Patent Office

970 Days
Field of Search

713168
US Class Current
CPC Class Codes

G06F 16/957   Browsing optimisation, e.g....

H04L 63/06   for supporting key manageme...

H04L 63/083   using passwords cryptograph...

H04L 63/1466   Active attacks involving in...

H04L 67/02   based on web technology, e....

H04L 67/146   Markers for unambiguous ide...

H04L 9/0822   using key encryption key

H04L 9/0894   Escrow, recovery or storing...

H04L 9/32   including means for verifyi...

Algorithm hardening in background context and external from the browser to prevent malicious intervention with the browser

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

3 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Algorithm hardening in background context and external from the browser to prevent malicious intervention with the browser

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

3 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links