Authentication of a server by a client to prevent fraudulent user interfaces

US 8,776,199 B2
Filed: 01/13/2010
Issued: 07/08/2014
Est. Priority Date: 02/05/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method of authentication between a client and a server including a shared secret, said client and server being coupled to a data communication network, said client including a computer system having a client display and a user interface selection device, the method comprising:

delivering a plurality of data to the client for rendering on the client display;

selecting, in response to a user accessing the client, at least two pieces of data from the delivered plurality of data via the user interface selection device;

associating the selected two pieces of data with an authentication token as the shared secret;

delivering, by the server, configuration data to the client by writing a cookie that contains a user identifier and an encrypted random number to a subdirectory off the web root, wherein the cookie is sent in response to a request to the subdirectory off the web root;

maintaining, by the server, an association between the authentication token and the configuration data;

receiving, at the server, a request from the client for content via the user interface selection device, the request comprising the configuration data associated with the authentication token;

obtaining, from a memory area accessible to the server, the authentication token associated with the received configuration data in response to the received request;

storing, at the server, the authentication token in a file conforming to a predetermined data size;

modifying the requested content to include the obtained authentication token; and

delivering the requested content to the client with the file as the shared secret, wherein the client authenticates the server with the authentication token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Protecting a user against web spoofing in which the user confirms the authenticity of a web page prior to submitting sensitive information such as user credentials (e.g., a login name and password) via the web page. The web page provides the user with an identifiable piece of information representing a shared secret between the user and the server. The user confirms the correctness of the shared secret to ensure the legitimacy of the web page prior to disclosing any sensitive information via the web page.

74 Citations

View as Search Results

17 Claims

1. A method of authentication between a client and a server including a shared secret, said client and server being coupled to a data communication network, said client including a computer system having a client display and a user interface selection device, the method comprising:
- delivering a plurality of data to the client for rendering on the client display;
  
  selecting, in response to a user accessing the client, at least two pieces of data from the delivered plurality of data via the user interface selection device;
  
  associating the selected two pieces of data with an authentication token as the shared secret;
  
  delivering, by the server, configuration data to the client by writing a cookie that contains a user identifier and an encrypted random number to a subdirectory off the web root, wherein the cookie is sent in response to a request to the subdirectory off the web root;
  
  maintaining, by the server, an association between the authentication token and the configuration data;
  
  receiving, at the server, a request from the client for content via the user interface selection device, the request comprising the configuration data associated with the authentication token;
  
  obtaining, from a memory area accessible to the server, the authentication token associated with the received configuration data in response to the received request;
  
  storing, at the server, the authentication token in a file conforming to a predetermined data size;
  
  modifying the requested content to include the obtained authentication token; and
  
  delivering the requested content to the client with the file as the shared secret, wherein the client authenticates the server with the authentication token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising receiving a credential from the client via the delivered content.
  - 3. The method of claim 2, wherein the received credential comprises one or more of the following:
    - a login name, a password, and an electronic mail address.
  - 4. The method of claim 1, wherein the content comprises a login interface or a web form or both.
  - 5. The method of claim 1, wherein obtaining the authentication token comprises indexing into a database storing the authentication token via the received configuration data.
  - 6. The method of claim 1, wherein the configuration data comprises a filename identifying the authentication token.
  - 7. The method of claim 1, wherein delivering the requested content comprises delivering the requested content as a hypertext markup language (HTML) document to the client with the obtained authentication token as the shared secret only if the document is unframed by the client.
  - 8. The method of claim 1, wherein the at least two pieces of data comprise two images, and wherein delivering the requested content comprises delivering a web page with the requested content to the client, the web page including the authentication token having the two images as the shared secret.
  - 9. The method of claim 1, further comprising padding the file to the predetermined data size prior to delivering the requested content to the client with the authentication token as the shared secret.
  - 10. The method of claim 1, further comprising compressing the file to the predetermined data size prior to delivering the requested content to the client with the authentication token as the shared secret.
  - 11. The method of claim 1, further comprising receiving a credential from the client, the credential being submitted by the user accessing the client from the user interface via the user interface selection device.
  - 12. The method of claim 1, further comprising:
    - receiving an execution signal from the client via the user interface selection device, the received execution signal comprising a notification from the client of the selected authentication token; and
      
      delivering, to the client for storage, the configuration data identifying the selected authentication token, wherein delivering comprises delivering the user interface to the client for display on the client display.
  - 13. The method of claim 1, wherein the plurality of tokens includes at least one of an image, a sound, a text, a color, and a combination thereof.

14. One or more tangible computer-readable storage media not including propagating signals having computer-executable instructions stored thereon for authentication between a client and a server including a shared secret, said client and server being coupled to a data communication network, said client including a computer system having a client display, the instructions comprising instructions for:
- delivering a plurality of data to the client for rendering on the client display;
  
  selecting, in response to a user accessing the client, at least two pieces of data from the delivered plurality of data via the user interface selection device;
  
  associating the selected two pieces of data with an authentication token as the shared secret;
  
  delivering, by the server, configuration data to the client by writing a cookie that contains a user identifier and an encrypted random number to a subdirectory off the web root, wherein the cookie is sent in response to a request to the subdirectory off the web root before a request is made to the server for content;
  
  maintaining, by the server, an association between the authentication token and the configuration data;
  
  receiving, at the server via the data communication network, the request from the client for content, the request comprising the configuration data associated with the authentication token;
  
  obtaining, from a memory area accessible to the server, the authentication token associated with the received configuration data in response to the received request;
  
  storing, at the server, the authentication token in a file conforming to a predetermined data size;
  
  modifying the requested content to include the obtained authentication token; and
  
  delivering the requested content to the client with the file as the shared secret, wherein the client authenticates the server with the authentication token.
- View Dependent Claims (15)
- - 15. The tangible computer-readable storage media of claim 14, further comprising instructions for:
    - receiving, at the server, a request from the client to establish the shared secret;
      
      provisioning the authentication token as the shared secret to the client in response to the received request; and
      
      delivering, to the client for storage, the configuration data identifying the provisioned authentication token.

16. A system for authentication between a client and a server including a shared secret, said client and server being coupled to a data communication network, said client including a computer system having a client display, the system comprising:
- a database accessible to the server, said database storing a record having a first field storing configuration data and a second field identifying an authentication token associated with the configuration data stored in the first field; and
  
  a processor associated with the server, said processor executing computer-executable instructions to perform;
  
  delivering a plurality of tokens to the client for rendering on the client display, wherein a user selects an authentication token from the delivered plurality of tokens;
  
  delivering, by the server, the configuration data to the client by writing a cookie that contains a user identifier and an encrypted random number to a subdirectory off the web root, wherein the cookie is sent in response to a request to the subdirectory off the web root;
  
  maintaining, by the server on the database, an association between the authentication token and the configuration data;
  
  receiving, at the server, a request from the client for content, the request comprising the configuration data;
  
  obtaining, from the database, the authentication token associated with the received configuration data in response to the received request;
  
  storing, at the server, the authentication token in a file conforming to a predetermined data size, said file being padded to the predetermined data size;
  
  modifying the requested content to include the obtained authentication token;
  
  delivering the requested content to the client with the file as the shared secret, the requested content including a field for receiving a credential from the client after the client authenticates the server with the authentication token.
- View Dependent Claims (17)
- - 17. The system of claim 16, said obtained authentication token comprises two images, and said record storing a user identifier in the first field and a filename for each of the two images in the second field.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Paya, Ismail Cem, Chow, Trevin, Peterson, Christopher N.
Primary Examiner(s)
Davis, Zachary A

Application Number

US12/686,495
Publication Number

US 20100115594A1
Time in Patent Office

1,637 Days
Field of Search

726 2- 5, 726/7, 726/8, 726 26- 30, 726/10, 713/169, 713/168
US Class Current

726/7
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 63/0869   for achieving mutual authen...

H04L 63/1483   service impersonation, e.g....

H04L 9/0844   with user authentication or...

H04L 9/3234   involving additional secure...

H04L 9/3271   using challenge-response

H04N 21/2265   Server identification by a ...

H04N 21/25816   involving client authentica...

H04N 21/25875   involving end-user authenti...

Authentication of a server by a client to prevent fraudulent user interfaces

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

74 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication of a server by a client to prevent fraudulent user interfaces

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

74 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links