Protocol to Prevent Replay Attacks on Secured Wireless Transactions
Abstract
A method and system for preventing replay attacks on secure data transactions. A replay attack occurs when an unauthorized user intercepts a secure data transaction between a device and a central system and uses the intercepted data to gain access to the central system. One method for preventing such replay attacks is the use of a unique session identification number that is generated for each secure data transaction request. A replay attack is defeated using intercepted data since the unique session identification number is valid only for a completed session and may not be reused. When a device is connected to a server using either wireless or land-line connection, the device requests a session identification number from the server. The server generates and signals to the device a unique session identification number which the device then transmits back to the server along with a request for a secure data transaction. Upon verification of the correct unique session identification number, the server implements the requested data transaction. Termination of the requested transaction by the device signals the termination of the current secure data transaction. A new unique session identification number must be requested and issued in like fashion for any additional secure data transactions. The method and system offer the advantage of use with multiple available servers, in contrast to present methods which require that a device to communicate with a given server. Further, the present method offers reduced operation time since there is a single coupling/uncoupling for each data transaction.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method for preventing replay attacks on secure data transactions, said method comprising the steps of:
a) establishing a communicative coupling with an authorized device; b) receiving a signal from said device requesting a session identification number; c) generating said session identification number and communicating said session identification number to said device; d) receiving a signal from said device, wherein said signal comprises a request for said secure data transaction and includes said session identification number, and e) coupling said device communicatively to implement said secure data transaction provided said request is authorized based on said session identification number.
2 . The method as recited in claim 1 wherein said step e) comprises the step of:
e1) ensuring that only one said coupling is authorized for each given said session identification number.
3 . The method as recited in claim 1 wherein said method is implemented using a server computer system communicatively coupled to said device via the World Wide Web.
4 . The method as recited in claim 1 wherein said device is a palmtop computer system.
5 . The method as recited in claim 1 wherein said step e) comprises the step of:
e1) encrypting data using certicom.
6 . The method as recited in claim 1 wherein termination of said communicative coupling by said device indicates termination of said request.
7 . The method as recited in claim 1 wherein said method is implemented using a server computer system communicatively coupled to said device via Mobitex based network.
8 . The method as recited in claim 1 wherein said method is implemented using a server computer system communicatively coupled to said device via TCP/IP based network.
9 . In a portable device, a method for preventing replay attacks on secure data transactions, said method comprising the steps of:
a) sending a signal to a central device requesting a session identification number; b) receiving in response a session identification number; c) sending a signal to said central device requesting a secure data transaction, said signal including said session identification number, and d) implementing an operating mode wherein said portable device is communicatively coupled for said secure data transaction, based on a positive confirmation of said session identification number.
10 . The method as recited in claim 9 wherein said step d) comprises the step of:
d1) ensuring that only one said coupling is authorized for each given said session identification number.
11 . The method as recited in claim 9 wherein said portable device is a palmtop computer system.
12 . The method as recited in claim 9 wherein said central device is a server computer system communicatively coupled to said portable device via the World Wide Web.
13 . The method as recited in claim 9 wherein said step d) comprises the step of:
d2) encrypting data using certicom.
14 . The method as recited in claim 9 wherein termination of said communicative coupling by said portable device indicates termination of said request.
15 . The method as recited in claim 9 wherein said method is implemented using a server computer system communicatively coupled to said portable device via Mobitex based network.
16 . The method as recited in claim 9 wherein said method is implemented using a server computer system communicatively coupled to said portable device via TCP/IP based network.
17 . A system for preventing replay attacks on secure data transactions, said system comprising:
a central device having a database comprising registration information for a device, said device communicatively coupled to said central device; wherein upon use of said device, said device is operable to send to said central device a signal requesting a unique session identification number for a single secure data transaction, and wherein said central device in response is operable to signal to said device said unique session identification number, and wherein said single secure data transaction is enabled by said central device upon receiving a signal from said device requesting a said secure data transaction, provided said request includes said unique session identification number.
18 . The system of claim 17 wherein said device is a palmtop computer system.
19 . The system of claim 17 wherein said central device is a server computer system communicatively coupled to said device via the World Wide Web.
20 . The system of claim 17 wherein said unique session identification number is distinct for each said secure data transaction request.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.