Systems and methods for trusted path secure communication
First Claim
1. A computer-implemented method for secure exchange of information on a network between a user device and a server, the method comprising the steps of:
- (a) generating by a data-collection module on the user device a secured object comprising:
  - (i) an information object comprising:
    - (A) a type header specifying at least one type, and (B) information of the at least one type specified in the type header, wherein the data-collection module collects from the user device device information that (C) corresponds to the at least one type, (D) is used for authentication of the user device by the server, and (E) is to be transmitted to the server in the information object;
  - (ii) a header object comprising an anti-replay header or an anti-tamper header, wherein said anti-replay header enables a recipient to determine (A) if a message was previously received and (B) if the message is received outside a permissible pre-determined time window;
  - (iii) an integrity object comprising a digital signature of at least part of the information object; and
- (b) transmitting, via a client app associated with the data-collection module, the secured object to the server.
Abstract
A system for establishing a trusted path for secure communication between client devices and server devices, such as between an account holder and a financial institution, can provide the core security attributes of confidentiality (of the parties), integrity (of the information), anti-replay (protection against replay fraud) and/or anti-tampering (protection against unauthorized changes to information being exchanged and/or to the modules that generate and communicate such information). The trusted path is implemented at the messaging layer rather than at the transport layer. This infrastructure features secure cryptographic key storage, and a trusted path built on that cryptographic infrastructure. The trusted path protects against unauthorized information disclosure, modification, or replay. These services can effectively protect against Man-in-the-Middle, Man-in-the-Application, and other attacks.
145 Citations
32 Claims
Claim 1 (reproduced above under First Claim); dependent claims 2 to 15.
16. A computer-implemented method for secure communication on a network between a user device and a first server, the method comprising the steps of:
- (a) receiving by a client app installed on a user device, through an information transmission received by said user device, a secured object comprising:
  - (i) an information object comprising a configuration file for configuring the user device to collect selected specific types of device authentication information by a data-collection module on the user device, said device authentication information used for authentication of the user device by said first server, wherein said specific types are selected by said first server or a second server from a larger set of available types of device authentication information;
  - (ii) a header object comprising an anti-replay header or an anti-tamper header, and
  - (iii) an integrity object comprising a digital signature associated with the information object;
- (b) validating by the data-collection module the information object based on the signature;
- (c) performing by the data-collection module (i) an anti-replay check, or (ii) an anti-tamper check; and
- (d) configuring the data-collection module to collect device authentication information according to the configuration file.

Dependent claims 17 to 32.
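The secured object of claim 1 (information object with type header, anti-replay header, integrity object) and the receiver-side checks of claims 1 and 16 (signature validation, then anti-replay and time-window checks), as an added example that is not the patent's own code: the serialization, the nonce-plus-timestamp header layout and the 120-second window are assumptions, and HMAC-SHA256 over a shared key stands in for the digital signature the claims describe.

```python
import hashlib
import hmac
import json
import secrets
import time

# Permissible time window around the receiver's clock (constructed value, not from the patent)
WINDOW_SECONDS = 120


def _canonical(obj):
    # Deterministic serialization so signer and verifier hash identical bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_secured_object(key, types, device_info, now=None):
    """Data-collection module side: type header, collected info of those types,
    anti-replay header (nonce + timestamp) and an integrity object covering both
    the information object and the header. HMAC-SHA256 stands in for the
    digital signature (assumption)."""
    info = {"types": types, "data": {t: device_info[t] for t in types}}
    header = {"nonce": secrets.token_hex(16),
              "ts": int(now if now is not None else time.time())}
    sig = hmac.new(key, _canonical({"info": info, "header": header}),
                   hashlib.sha256).hexdigest()
    return {"info": info, "header": header, "integrity": sig}


class TrustedPathReceiver:
    """Server side: integrity check first, then time window, then replay."""

    def __init__(self, key, window=WINDOW_SECONDS):
        self.key, self.window, self.seen = key, window, set()

    def validate(self, obj, now=None):
        now = now if now is not None else time.time()
        expected = hmac.new(self.key,
                            _canonical({"info": obj["info"], "header": obj["header"]}),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, obj["integrity"]):
            return "tampered"   # content or header altered; nonce is NOT recorded
        ts, nonce = obj["header"]["ts"], obj["header"]["nonce"]
        if abs(now - ts) > self.window:
            return "stale"      # outside the permissible pre-determined window
        if nonce in self.seen:
            return "replayed"   # previously received within the window
        self.seen.add(nonce)
        return "ok"
```

Because a message outside the window is rejected before its nonce is recorded, the receiver only has to remember nonces for the length of the window, which keeps the replay cache bounded.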
Specification