US2020402046A1PendingUtilityA1

Unique transaction identifier, which may also include a time expiration value, is assigned by a first network website to an electronic instruction to collect specified distinctive identifiers from a local/mobile computing device seeking access to said first network website

64
Assignee: STREUTER GARY WILLIAMPriority: Nov 17, 2010Filed: Jan 2, 2018Published: Dec 24, 2020
Est. expiryNov 17, 2030(~4.4 yrs left)· nominal 20-yr term from priority
G06Q 20/308H04L 2463/082G06Q 20/4097G06Q 20/40145G06Q 20/40G06Q 20/409G06Q 20/02G06Q 20/1085G06Q 20/382H04L 63/0861H04L 63/083H04L 63/102
64
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

This invention discloses a system and methods for defeating a so-called man-in-the-middle (MITM) attack. An electronic instruction to collect specified distinctive identifiers from a local/mobile computing device seeking access to a first network website, is generated by said first network website and that electronic instruction is assigned a unique onetime identification token. Said electronic instruction with said unique onetime identification token is transmitted by said first network website to said local/mobile computing device. Said unique onetime identification token is also maintained in a database of unique onetime identification tokens resident on said first network website. In addition, said unique onetime identification token is sent to a secondary network website, where it is also stored in a database of unique onetime identification tokens. Said unique onetime identification token may also contain a time expiration value which defines the validity period for said unique transaction identifier.

Claims

exact text as granted — not AI-modified
1 - 7 . (canceled) 
     
     
         8 . A system for defeating a man in the middle attack against network servers whereby a first network website and a secondary network website are communicably coupled to each other and to a user's computing device, said user's computing device receives from said first network website a unique onetime identification token and an electronic instruction to collect a set of specified distinctive identifiers drawn from said user's computing device, said user's computing device sends to said secondary network server said unique onetime identification token and said set of specified distinctive identifiers, said first network website sends said unique onetime identification token to said secondary network server, and whereby said secondary network server uses said unique onetime identification token to validate said set of specified distinctive identifiers received from said user's computing device, comprising the system method steps of:
 said first network website:
 i. maintains sets of users account credentials and authorization policies, and 
 ii. receives from said user's computing device a request for access, said request for access containing said user's account credentials, and 
 iii. verifies said user's account credentials received from said user's computing device against said authorization policies for said first network website and if said user's account credentials are valid and are within said authorization policies, said first network website generates said unique onetime identification token and sends said unique onetime identification token to said user's computing device and to said secondary network server, and 
 iv. generates said electronic instruction sent to said user's computing device, said electronic instruction directs said user's computing device to collect and secure a set of said specified distinctive identifiers to be sent to said secondary network server with said unique onetime identification token, and 
 v. receives from said secondary network server an indication that said user's computing device has been validated or has not been validate, and 
 vi. if said user's computing device has not been validated by said secondary network server, said first network website notifies said user's computing device that said user's computing device is not being granted access to said first network website, and 
 vii. if said user's computing device has been validated by said secondary network server, said first network website notifies said user's computing device that said user's computing device is being granted access to said first network website; 
   said secondary network server:
 i. maintains a validation database containing sets of preregistered specified distinctive identifiers of user's computing devices, and 
 ii. receives from said first network website said onetime unique identification token and stores said onetime unique identification token in a token database, and 
 iii. receives from said user's computing device a set of specified distinctive identifiers and said unique onetime identification token, and 
 iv. performs a matching of said unique onetime identification token received from said user's computing device against those unique onetime identification tokens received from said first network website and saved in said identification token database, and if said unique onetime identification token received from said user's computing device is not matched against one of said unique onetime identification tokens in said token database, said secondary network server notifies said first network website that said user's computing device is NOT to be granted access to said first network website, and 
 v. and if said unique onetime identification token received from said user's computing device is matched against one of said unique onetime identification tokens in said token database, said secondary network server performs a matching of said set of specified distinctive identifiers received from said user's computing device against a plurality of said sets of specified distinctive identifiers residing in said validation database and if said matching is not successful, said secondary network server notifies said first network website that said user's computing device is NOT to be granted access to said first network website, and if said matching is successful, said secondary network server notifies said first network website that said user's computing device is to be granted access to said first network website; 
   said user's computing device:
 i. sends to said first network website a request for access, said request for access may include a username or email address, one or more passwords, and biometric marker information identifying said account owner, and 
 ii. receives from said first network website a unique onetime identification token and an electronic instruction directing said user's computing device to gather a set of specified distinctive identifiers, and 
 iii. selects a set of specified distinct identifiers as instructed by said first network website, secures said set of specified distinctive identifiers creating a secured set of selected distinctive identifiers and sends said secured set of selected distinctive identifier and said unique onetime identification token to said secondary network server, and 
 iv. receives from said first network website an indication that said user's computing device is granted access to said first network website or that said user's computing device is not granted access to said first network website. 
   
     
     
         9 . The system of  claim 8  whereby said unique onetime identification token sent by said first network website is sent simultaneously to both said user's computing device and said secondary network server. 
     
     
         10 . The system of  claim 8  whereby said unique onetime identification token sent by said first network website is sent at staggered times to said user's computing device and said secondary network server. 
     
     
         11 . The system of  claim 8  whereby said first network website sends a time expiration value with said unique onetime identification token sent by said first network website to said secondary network server, and said secondary network server starts a timer using said time expiration value, and if said timer expires prior to said secondary network server receiving said unique onetime identification token and said set of specified distinctive identifiers from said user's computing device, said secondary network server sends an indication to said first network website that said user's computing device is NOT to be granted access to said first network website. 
     
     
         12 . A method for defeating a man in the middle attack against network servers whereby a first network server web site assigns a unique onetime identification token to an electronic instruction to gather a set of specified distinctive identifiers that are sent by said first network website to a user's computing device seeking account access to said first network website comprising the method steps of:
 a) creation of a unique onetime identification token by said first network website, and   b) sending of said electronic instruction to gather a set of specified distinctive identifiers and said unique onetime identification token to said to said user's computing device, and   c) sending of said unique onetime identification token to a secondary network server, said secondary network server adds said unique onetime identification token to a database of authorized unique onetime identification tokens received from said first network server and maintained by said secondary network server, and   d) sending of said unique onetime identification token and said set of specified distinctive identifiers gathered and secured by said user's computing device to said secondary network server, and   e) comparing by said secondary network server of said unique onetime identification token received by said secondary network server and said unique onetime identification token received by said secondary network server from said user's computing device, and   f) if said unique onetime identification tokens are matched, said secondary network server performs a matching of a said set of specified distinctive identifiers residing in a validation database against said set of specified distinctive identifiers received from said user's computing device and if said match is made, said secondary network server notifies said first network website that said user's computing device IS validated for access and if said match is not made, said secondary network server notifies said first network website that said user's computing device is NOT validated for access.   
     
     
         13 . A method for defeating a man in the middle attack against network servers on a network whereby a first software program executing on a first network server website sends a unique onetime identification token to a secondary network server for inclusion in a database of authorized unique control identifiers, said unique onetime identification token includes a time expiration value, defining a time period during which said unique onetime identification token is considered valid for matching with an identical unique onetime identification token received by said secondary network server from a user's computing device, comprising the method steps of:
 a. said secondary network server receives said unique onetime identification token and logs said time expiration value and places said unique onetime identification token received from said first network website into its database of authorized unique onetime identification tokens;   b. said secondary network server only considers said unique onetime identification token to be valid in said database of authorized unique onetime identification tokens during a period of time defined by said time expiration value;   c. said secondary network server applies said time expiration value to said unique onetime identification token beginning when said unique onetime identification token is placed into said database of said authorized unique onetime identification tokens;   d. said unique onetime identification token is only considered valid and available for matching for the time period beginning with insertion of said unique onetime identification token into said database of authorized unique onetime identification tokens and its validity expires upon reaching said time expiration value defined as starting with its insertion into said database of authorized unique onetime identification tokens, plus the time expiration value assigned by said first network website;   e. said unique onetime identification token that has an expired time expiration value is marked as used and cannot be matched to incoming said unique onetime identification tokens received from said users computing devices.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.