System and method for website authentication using a shared secret

US 8,060,916 B2
Filed: 11/06/2006
Issued: 11/15/2011
Est. Priority Date: 11/06/2006
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a web site to a user, including:

receiving at a third party authentication server a request from a user computer, the request based upon a URL contained in a page sent from a web server to the user computer, where the URL points to the authentication server and includes a digital signature created using a cryptographic key of the web server;

receiving a user identifier from the user computer;

authenticating the web server by verifying that the digital signature is the digital signature created using the cryptographic key of the web server;

if the web server is successfully authenticated, then sending a copy of an authentication device to the user computer, the authentication device being a shared secret between the user and the authentication server.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A web site can be authenticated by a third party authentication service. A user designates an authentication device that is a shared secret between the user and the authentication service. A web site page includes a URL that points to the authentication service. The URL includes a digital signature by the web site. When the user receives the page, the user'"'"'s browser issues a request to the authentication service, which attempts to authenticate the digital signature. If the authentication is successful, it sends the authentication device to the user computer.

140 Citations

16 Claims

1. A method for authenticating a web site to a user, including:
- receiving at a third party authentication server a request from a user computer, the request based upon a URL contained in a page sent from a web server to the user computer, where the URL points to the authentication server and includes a digital signature created using a cryptographic key of the web server;
  
  receiving a user identifier from the user computer;
  
  authenticating the web server by verifying that the digital signature is the digital signature created using the cryptographic key of the web server;
  
  if the web server is successfully authenticated, then sending a copy of an authentication device to the user computer, the authentication device being a shared secret between the user and the authentication server.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the digital signature included in the URL is made using a symmetric cryptographic key that is a shared secret between the authentication server and the web server.
  - 3. The method of claim 1, wherein the digital signature included in the URL is made using a private cryptographic key at the web server.
  - 4. The method of claim 1, wherein receiving a user identifier from the user computer includes sending a request from the authentication server to the user computer for an artifact stored at the user computer and receiving the artifact from the user computer at the authentication server, where the artifact includes a user identifier.
  - 5. The method of claim 1, further including receiving at the authentication server from the user a designation of the authentication device, where the designation includes a combination of at least two from the group of:
    - a text string, an audio segment, a video segment, an animation segment, a graphic and a distortion template selection.
  - 6. The method of claim 1, wherein the authentication device includes components from the group of a text string, an audio segment, a video segment, and animation segment, a graphic segment and a distortion template, and wherein the authentication device includes a digital signature hidden in at least one of said components.

7. A system for authenticating a web site to a user, including:
- a processor;
  
  a memory coupled to said processor, said memory storing instructions adapted to be executed by said processor to receive a URL from a user computer, where the URL includes a digital signature created using a cryptographic key at a web server, authenticate the web server by verifying that the digital signature is the digital signature created using the cryptographic key of the web server, and if the web server is authenticated, send to the user computer an authentication device based upon a user identifier received from the user computer, the authentication device being a shared secret between the user and the authentication server.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the digital signature is made using a symmetric cryptographic key at the web server, said memory storing a copy of the symmetric cryptographic key and said instructions adapted to be executed by said processor to authenticate the digital signature using the symmetric cryptographic key.
  - 9. The system of claim 7, wherein the digital signature is made using a private cryptographic key at the web server, said memory storing a copy of the public key corresponding to the private key and said instructions adapted to be executed by said processor to authenticate the digital signature using the public key.
  - 10. The system of claim 7, further including a database storing a record that correlates a user identifier with an authentication device designated by the user.
  - 11. The system of claim 10, wherein the authentication device includes a combination of at least two from the group of:
    - a text string, all audio segment, a video segment, an animation segment, a graphic and a distortion template selection.
  - 12. The system of claim 7, wherein the authentication device includes components from the group of a text string, an audio segment, a video segment, and animation segment, a graphic segment and a distortion template, and wherein said instructions are further adapted to be executed by said processor to hide a digital signature in at least one of said components of the authentication device.

13. A non-transitory computer-readable medium storing instructions adapted to be executed by a processor to perform steps including:
- receiving at a third party authentication server a request from a user computer, the request based upon a URL contained in a page sent from a web server to the user computer, where the URL points to the authentication server and includes a digital signature created using a cryptographic key of the web server;
  
  receiving a user identifier from the user computer;
  
  authenticating the web server by verifying that the digital signature is the digital signature created using the cryptographic key of the web server;
  
  if the web server is successfully authenticated, then sending a copy of an authentication device to the user computer, the authentication device being a shared secret between the user and the authentication server.
- View Dependent Claims (14, 15, 16)
- - 14. The computer-readable medium of claim 13, wherein said instructions are further adapted to be executed by the processor to send a request from the authentication server to the user computer for a artifact stored at the user computer and receive the artifact from the user computer at the authentication server, where the artifact includes a user identifier.
  - 15. The computer-readable medium of claim 13, wherein said instructions are further adapted to be executed by the processor to receive at the authentication server from the user a designation of the authentication device, where the designation includes a combination of at least two from the group of:
    - a text string, an audio segment, a video segment, an animation segment, a graphic and a distortion template selection.
  - 16. The computer-readable medium of claim 13, wherein the authentication device includes components from the group of a text string, an audio segment, a video segment, and animation segment, a graphic segment and a distortion template, and wherein said instructions are further adapted to be executed by the processor to hide a digital signature in at least one of said components of the authentication device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symantec Corporation (NortonLifeLock Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Burstein, Jeffrey, Bajaj, Siddharth, Bradescu, Roxana Alina, Popp, Nicolas, M'Raihi, David
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
PERUNGAVOOR, VENKATANARAY

Application Number

US11/593,036
Publication Number

US 20080109657A1
Time in Patent Office

1,835 Days
Field of Search

713/167, 713169-170, 713/175, 713/183, 726 27- 30, 726 2- 6, 726/8, 726/12, 726 20- 21, 726 16- 18
US Class Current

726/3
CPC Class Codes

G06F 21/645   using a third party

G06F 2221/2119   Authenticating web pages, e...

H04L 63/08   for authentication of entit...

H04L 63/126   the source of the received ...

H04L 63/1483   service impersonation, e.g....

H04L 63/168   above the transport layer

H04L 9/3213   using tickets or tokens, e....

H04L 9/3247   involving digital signatures

System and method for website authentication using a shared secret

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

140 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

System and method for website authentication using a shared secret

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

140 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others