Unique transaction identifier, which may also include a time expiration value, is assigned by a first network website to an electronic instruction to collect specified distinctive identifiers from a local/mobile computing device seeking access to said first network website

20210295327 · 2021-09-23

    Abstract

    This invention discloses a system and methods for defeating a so-called man-in-the-middle (MITM) attack. An electronic instruction to collect specified distinctive identifiers from a local/mobile computing device seeking access to a first network website, is generated by said first network website and that electronic instruction is assigned a unique onetime identification token. Said electronic instruction with said unique onetime identification token is transmitted by said first network website to said local/mobile computing device. Said unique onetime identification token is also maintained in a database of unique onetime identification tokens resident on said first network website. In addition, said unique onetime identification token is sent to a secondary network website, where it is also stored in a database of unique onetime identification tokens. Said unique onetime identification token may also contain a time expiration value which defines the validity period for said unique transaction identifier.

    Claims

    1. A method for defeating a man in the middle attack against network servers on a network whereby a first software program executing on a first network server website sends a unique onetime identification token to a secondary network server for inclusion in a database of authorized unique control identifiers, said unique onetime identification token includes a time expiration value, defining a time period during which said unique onetime identification token is considered valid for matching with an identical unique onetime identification token received by said secondary network server from a user's computing device, comprising the method steps of: a. said secondary network server receives said unique onetime identification token and logs said time expiration value from said first network server website and places said unique onetime identification token received from said first network server website into its database of authorized unique onetime identification tokens; b. said secondary network server only considers said unique onetime identification token to be valid in said database of authorized unique onetime identification tokens during a period of time defined by said time expiration value; c. said secondary network server applies said time expiration value to said unique onetime identification token beginning when said unique onetime identification token is placed into said database of said authorized unique onetime identification tokens; d. said unique onetime identification token is only considered valid and available for matching for the time period beginning with insertion of said unique onetime identification token into said database of authorized unique onetime identification tokens and its validity expires upon reaching said time expiration value defined as starting with its insertion into said database of authorized unique onetime identification tokens, plus the time expiration value assigned by said first network server website; e. said unique onetime identification token that has an expired time expiration value is marked as used and cannot be matched to incoming said unique onetime identification tokens received from said user's computing devices.

    2. The method of claim 1 where said unique onetime identification token and a time expiration value is sent to said secondary network server and said unique onetime identification token without said time expiration value is sent to said user's computing device, said user's computing device sends said unique onetime identification token along with a set of specified distinctive identifiers to said secondary network server.

    3. The method of claim 2 where said secondary network server receives said unique onetime identification token along with a set of specified distinctive identifiers from said user's computing device and said secondary network server attempts to match said received unique onetime identification token against an identical unique onetime identification token in said database of authorized unique onetime identification tokens and if said received unique onetime identification token is not matched against any unique onetime identification token in said database of authorized unique onetime identification tokens, said secondary network server shall not attempt to match said received set of specified distinctive identifiers from said user's computing device against a database with a plurality of a sets of specified distinctive identifiers.

    4. The method of claim 3 where said received unique onetime identification token is matched against a said unique onetime identification token in said database of authorized unique onetime identification tokens, said secondary network server shall attempt to match said received set of specified distinctive identifiers from said user's computing device against a database with a plurality of a set of specified distinctive identifiers and if said matching is successful, said secondary network server shall notify said first network server website that said matching of said received set of specified distinctive identifiers was successful, and if said matching is not successful, said secondary network server shall notify said first network server website that said matching of said received set of specified distinctive identifiers was not successful.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0040] FIG. 1 shows a depiction of an embodiment showing processing between local/mobile computing device, first network website, and secondary network website;

    [0041] FIG. 2 shows an embodiment where the unique transaction ID is only valid for a period of time;

    [0042] FIG. 3 shows the major components of local/mobile computing device;

    [0043] FIG. 4 shows the major components of first network website; and

    [0044] FIG. 5 shows the major components of secondary network website.

    DETAILED DESCRIPTION

    [0045] Now referencing FIG. 1 where 10 is a depiction of the invention illustrating local/mobile computing device 12, first network website 14, and secondary network website 16.

    [0046] In this depiction, processing begins with process block 18, send signal 20, account access request, to process block 33, generate unique onetime identification token, associate with user and save in UT database. This process block generates a unique onetime identification token identifying this single transaction, associates the unique onetime identification token with the user (local/mobile computing device) and saves the information in local UT database 306 (FIG. 3). This database is resident on first network website 14. After the unique onetime identification token and the associated user is saved in local UT database 306, control falls through to processing block 25, generate electronic instruction. This process block sends signal 26, unique onetime identification token and electronic instruction, to processing block 56, generate set of specified distinctive IDs, and sends signal 102, unique onetime identification token to processing block 34, save unique onetime identification token in transaction ID database (FIG. 5). Processing block 56 receives electronic instruction which specifies which distinctive IDs to gather.

    [0047] These IDs may consist of serial numbers or other IDs such as MAC addresses of hardware components/modules and/or serial numbers of software modules residing in local/mobile computing device 12. These IDs are then hashed into hexadecimal numbers that resemble random numbers. After the specified distinctive IDs have been gathered, they are appended with the unique onetime identification token and sent as signal 60, specified distinctive IDs and unique onetime identification token, to decision processing block 62, unique onetime identification token in unique transaction ID database?.

    [0048] Decision processing block 62, unique onetime identification token in transaction ID database?, attempts to match the received unique onetime identification token in the unique transaction ID local database 408 (FIG. 5). If the match is not made, control falls through to determination processing block 64, NO, else control is transferred to determination processing block 66, YES.

    [0049] If control fell through to determination processing block 64, NO, signal 78, access denied, unique onetime identification token, is sent to processing block 48, mark unique onetime identification token not valid in UT database. Process block 48 marks the unique onetime identification token invalid in UT database 306 (FIG. 4), after which processing block 48 sends signal 78, access denied, to processing block 80, stop session, residing in local/mobile computing device 12. Process block 80 denies the user's local/mobile computing device access to first network website 14.

    [0050] If control was transferred to determination processing block 66, YES, control will fall through to decision processing block 68, validate received set of specific distinctive IDs. Processing block 68 attempts to match the received specified distinct IDs received in signal 60, to a set of specified distinct IDs resident in local validation database 406. If the match is not made, control falls through to determination processing block 72, NO, else control is transferred to determination processing block 74, YES.

    [0051] If control fell through to determination processing block 72, signal 78, access denied, unique onetime identification token, is sent to processing block 48, mark unique onetime identification token not valid in UT database. Process block 48 marks the unique onetime identification token invalid in UT database 306 (FIG. 4), after which processing block 48 sends signal 78, access denied, to processing block 80, stop session, residing in local/mobile computing device 12. Process block 80 denies the user's local/mobile computing device access to first network website 14.

    [0052] If control fell through to determination processing block 74, YES, signal 94, access granted and unique onetime identification token, is sent to decision processing block 82, unique onetime identification token in UT database?. Processing block 82 attempts to match the received unique onetime identification token to one in the local UT database.

    [0053] If a match is made, control is transferred to determination processing block 88, YES. If a match is not made, control falls through to determination processing block 84, NO.

    [0054] If control fell through to determination processing block 84, signal 86, access denied, is sent to processing block 80, stop session, residing in local/mobile computing device 12. Process block 80 denies the user's local/mobile computing device access to first network website 14.

    [0055] If control was transferred to determination processing block 88, YES, the access granted signal is sent to processing block 92, continue session. Processing block 92 will permit the logon process in user's local/mobile computing device 12 to continue.

    [0056] Now referencing FIG. 2 where 20 is a depiction of the invention illustrating local/mobile computing device 12, first network website 14, and secondary network website 16. This depiction shows the invention where the unique transaction ID is only valid for a period of time. This time period is used to prevent a man in the middle attack from succeeding, due to the additional time a MiTM attack requires to capture an original request, alter the request and send the modified request on to the secondary network website 12. Note that in this depiction, secondary network website 16 contains a timing loop consisting of process blocks 36 through 44; if the time expiration value expires, the unique transaction ID is marked as invalid in the transaction ID database 408 resident in secondary network website, thus preventing the set of specified distinctive IDs from being validated.

    [0057] In this depiction, processing begins with process block 18, send account access request, as signal 20, account access request, to process block 33, generate unique onetime identification token, associate with user and save in UT database. This process block generates the unique onetime identification token which identifies this single transaction, associates the unique onetime identification token with the user (local/mobile computing device) and saves the information in a local database, UT database, 306, of unique onetime identification tokens and users. This database is resident on first network website 14. After the unique onetime identification token and the associated user are saved in UT database, control falls through to processing block 24, assign time expiration value.

    [0058] This processing block assigns a time expiration value to the unique onetime identification token. This time expiration value is the amount of time the unique transaction ID is valid. The unique transaction ID and the time expiration value are then sent as signal 102, unique onetime identification token, time expiration value, to processing block 34, save unique transaction ID in transaction ID database, after which control falls through to processing block 36, start timer for unique transaction ID.

    [0059] Process blocks 38 through 44 form a timing loop which determines when the time expiration value has expired. Decision processing block 38, timer expired?, determines if the timer value assigned to timer in process block 38, start timer for unique onetime identification token, has expired. After process block 38 makes the decision, control will fall through to determination processing block 40, NO. If the timer has not expired, control will be transferred to decision processing block 38, timer expired?. If the timer has expired, control will fall through to determination processing block 42, YES, after which control will fall through to process block 44, mark unique transaction ID in transaction ID database as invalid.

    [0060] This process block will mark the unique onetime identification token contained in the unique transaction ID local database (408 FIG. 5) in secondary network website 16 as invalid, then sends signal 78, access denied, unique transaction ID, to process block 48 in first network website 14. Process block 48, mark unique transaction ID not valid in UT database, marks the unique onetime identification token in UT database (306 FIG. 4) residing in first network website as not valid, after which control will fall through to process block 50, send access denied to user. Process block 50 sends signal 52, access denied, to process block 80, stop session, residing in local/mobile computing device 12. Process block 80 denies the user's local/mobile computing device access to first network website 14.

    [0061] After process block 24, assign timer expiration value, sends signal 102, unique onetime identification token, time expiration value, control will fall through to process block 25, generate electronic instruction. This process block sends signal 26, unique onetime identification token and electronic instruction, to processing block 56, generate set of specified distinctive IDs. Processing block 56 receives electronic instruction specifying which distinctive IDs to gather. These IDs may consist of serial numbers or other IDs such as MAC addresses of hardware components/modules and/or serial numbers of software modules residing in said local/mobile computing device 12. These IDs are then each hashed into a hexadecimal number that appears to be a random number. After the specified distinctive IDs have been gathered, they are appended with the unique onetime identification token and sent as signal 60, specified distinctive IDs and unique onetime identification token, to decision processing block 62, unique onetime identification token in unique transaction ID database?. Decision processing block 62 attempts to match the received unique onetime identification token in signal 60 to one of the unique onetime identification tokens contained in the transaction ID database (408 FIG. 5) residing in secondary network website 16. If the match is made, control transfers to determination processing block 66, YES, else control falls through to determination processing block 64, NO.

    [0062] If control fell through to determination processing block 64, NO, signal 78, access denied, unique onetime identification token, is sent to processing block 48, mark unique onetime identification token not valid in UT database (306 FIG. 4). This process block marks the current unique onetime identification token contained in UT database as not valid, after which control falls through to process block 50, send access denied to user. This process block sends signal 52, access denied, to process block 80, stop session, residing in local/mobile computing device 12. Process block 80 denies the user's local/mobile computing device access to first network website 14.

    [0063] If control was transferred to determination processing block 66, YES, control will fall through to decision processing block 68, validate received set of specific distinctive IDs. Processing block 68 attempts to match the received specified distinct IDs received in signal 60, to a set of specified distinct IDs resident in local validation database 406. If the match is not made, control falls through to determination processing block 72, NO, else control is transferred to determination processing block 74, YES.

    [0064] If control fell through to determination processing block 72, signal 78, access denied unique transaction ID, is sent to processing block 48, mark unique onetime identification token not valid in UT database (306 FIG. 4). If control fell through to determination processing block 74, YES, signal 94, access granted, unique onetime identification token, is sent to decision processing block 82, unique onetime identification token in UT database?. Processing block 82 attempts to match the received unique onetime identification token to one in the local UT database.

    [0065] If a match is made, control is transferred to determination processing block 88, YES. If a match is not made, control falls through to determination processing block 84, NO.

    [0066] If control fell through to determination processing block 84, NO, signal 86, access denied, is sent to processing block 80, stop session, residing in local/mobile computing device 12, after which control is transferred to process block 89, mark unique onetime identification token not valid in UT database. Process block 80 denies the user's local/mobile computing device access to first network website 14.

    [0067] If control was transferred to determination processing block 88, YES, the access granted signal is sent to processing block 92, continue session, after which control falls through to process block 89, mark unique onetime identification token not valid in UT database. Processing block 92 will permit the logon process in user's local/mobile computing device 12 to continue.

    [0068] Now referencing FIG. 3 where 200 is a depiction of the major components of local/mobile computing device 12. Local/mobile computing device 12 is a cellular phone, tablet computer, laptop computer, or desktop computer. These types of computing devices are well known in the art. These devices generally have hardware modules such as Bluetooth chip sets, Wifi chip sets, USB hubs and ports, processors, audio chip sets, and other hardware modules. Each of these hardware modules has a unique serial number, and any module with a radio interface or serial interface also has a MAC address. Software modules executing on these devices also have serial numbers.

    [0069] Local/mobile computing device receives signal 26 unique onetime identification token and an electronic instruction from first network website 14. Electronic instruction contains a coded instruction that defines which hardware and/or software identifiers are to be gathered and hashed. Unique onetime identification token is appended or joined to the hashed specified distinctive identifiers and sent, as signal 60, to secondary network website. Local/mobile computing device 12 then waits at processing block 80, stop session, and processing block 92, continue session, for either access denied signal 78 received by process block 80, stop session, or signal 90, access granted, received by processing block 92, continue session, after which local/mobile computing device will be granted access to first network website.

    [0070] Now referencing FIG. 4 where 300 is a depiction of the major components of first network website 14. In this depiction, 14 is a network connected server computer. This type of computing device is well known in the art. First network website consists of a computer processor 302, a memory storage device 304, UT database 306, and first software program 308. Memory storage device 304 may consist of a combination of random access memory and larger storage devices such as hard disk drives and/or solid state drives.

    [0071] First software program 308 resides in said memory storage device 304. First software program 308 is executed by computer processor 302 and controls the logon process when local/mobile computing device 12 attempts to logon to first network website 14. When first network website 14 receives a logon account access request 20 from local/mobile computing device 12, first network website 14 generates a unique onetime identification token and saves it in UT database along with an optional time expiration value. First network website then generates an electronic instruction that, along with unique onetime identification token, is sent to local/mobile computing device 12. First network website then sends signal 102, unique onetime identification token, to secondary network website 16. Optional time expiration value may also be sent to secondary network website at the same time as an optional value in signal 102. If said first network website 14 receives an access denied signal 78 from secondary network website 16, it will mark the associated unique onetime identification token residing in UT database as not valid. If first network website 14 receives an access granted, signal 94, from secondary network website 16, first network website 14 will check to see if the associated unique transaction ID is in UT database and if it is and is marked not valid, first network website 14 will send signal 52 access denied to local/mobile computing device 12. This check ensures that a second request to said secondary website 16 by a man-in-the-middle will be denied. If said first network website 14 receives an access granted from said secondary network website 16, said first network website 14 will check to see if the associated unique onetime identification token is currently marked as valid in UT database 306 and if it is not marked invalid, first network website 14 will send signal 90 access granted to local/mobile computing device 12.

    [0072] Now referencing FIG. 5 where 400 is a depiction of the major components of secondary network website 16. Secondary network website 16 consists of a computer processor 402, a memory storage device 404, validation database 406 and transaction ID database 408. Memory storage device 404 may consist of a combination of random access memory and larger storage devices such as hard disk drives and/or solid state drives. When secondary network website 16 receives signal 102, unique onetime identification token, said secondary website 16 will save unique transaction ID in transaction ID database 408. If secondary network website 16 also receives optional time expiration value with unique onetime identification token, it will start a timer with the time expiration value after unique onetime identification token has been saved in transaction ID database 408. Once the timer associated with unique onetime identification token has been started, a timing loop ranging from process block 36 to processing block 44 (FIG. 1) will monitor the timer for expiration. If the timer expires before secondary network website 16 receives signal 60, specified distinct IDs and unique onetime identification token, secondary network website 16 will mark unique onetime identification token in transaction ID database 408 as invalid and will send signal 78, access denied, associated unique transaction ID, to first network website 14.

    [0073] Once secondary website 16 receives signal 60 specified distinct IDs and unique onetime identification token, secondary network website 16 will first check to verify that unique onetime identification token, received in signal 102, is in transaction ID database 408 and if it is not or has been marked as invalid, secondary network website 16 will send signal 78 access denied, unique onetime identification token to first network website 14. If unique onetime identification token is found in transaction ID database, control falls through to process block 68, validate set of specified distinct IDs received in signal 60. This process block will attempt to match the set of specified distinct IDs in signal 60, specified distinct IDs, unique onetime identification token, against validation database 406. If received set of specified distinct IDs is not matched against any sets of specified distinct IDs in validation database 406, secondary network website sends signal 78, access denied, unique onetime identification token, to first network website 14. If received set of specified distinct IDs is matched against any sets of specified distinct IDs in validation database 406, secondary network website sends signal 94, access granted, unique onetime identification token, to first network website 14 after which control falls through to process block 75, mark unique onetime identification token in transaction ID database as invalid.
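The three-party flow of claims 1-4 and FIGS. 1-5 (device gathers and hashes the identifiers named in the electronic instruction; secondary website keeps the token with its expiry window and refuses to compare identifiers for an unknown, expired or spent token; first website refuses a grant for a token already marked not valid) as an added Python simulation. This is example code, not the patent's own implementation or any product. Assumptions not in the patent: SHA-256 as the hash, secrets.token_hex for the token, the token being treated as single-use on either outcome, and the constructed names FakeClock, run_scenarios and the sample identifier values.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


class FakeClock:
    """Controllable clock so the time expiration value can be exercised deterministically."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def gather_distinctive_ids(instruction: Sequence[str], inventory: Dict[str, str]) -> List[str]:
    """Device side (FIG. 3, [0047]): collect the identifiers the electronic instruction names
    and hash each to a hex digest. SHA-256 is an assumption; the page only says 'hashed'."""
    return [hashlib.sha256(inventory[name].encode()).hexdigest() for name in instruction]


@dataclass
class TokenRecord:
    inserted_at: float              # start of the validity window (claim 1, step c)
    expires_after: Optional[float]  # time expiration value; None means no expiry (FIG. 1 flow)
    valid: bool = True


class SecondaryWebsite:
    """Secondary network website 16 (FIG. 5): transaction ID database 408, validation database 406."""
    def __init__(self, validation_db: set, clock: Optional[FakeClock] = None) -> None:
        self.validation_db = validation_db   # enrolled tuples of hashed distinctive IDs
        self.transaction_db: Dict[str, TokenRecord] = {}
        self.clock = clock if clock is not None else FakeClock()

    def receive_token(self, token: str, expiration: Optional[float]) -> None:
        """Signal 102: the window starts at insertion into database 408 (claim 1, steps a-c)."""
        self.transaction_db[token] = TokenRecord(self.clock(), expiration)

    def _expire_if_due(self, rec: TokenRecord) -> None:
        """Timing loop, blocks 36-44: an expired token is marked used (claim 1, step e)."""
        if rec.expires_after is not None and self.clock() - rec.inserted_at > rec.expires_after:
            rec.valid = False

    def validate(self, token: str, hashed_ids: Sequence[str]) -> Tuple[str, str]:
        """Signal 60 in; signal 78 (access denied) or 94 (access granted) out."""
        rec = self.transaction_db.get(token)
        if rec is not None:
            self._expire_if_due(rec)
        if rec is None or not rec.valid:
            return ("access denied", token)   # blocks 62/64: IDs are never compared (claim 3)
        rec.valid = False                     # assumption: single-use on either outcome (block 75)
        if tuple(hashed_ids) in self.validation_db:
            return ("access granted", token)  # blocks 68/74 (claim 4)
        return ("access denied", token)       # blocks 68/72


class FirstWebsite:
    """First network website 14 (FIG. 4): UT database 306 driven by first software program 308."""
    def __init__(self, secondary: SecondaryWebsite, instruction: Sequence[str],
                 expiration: Optional[float] = None) -> None:
        self.secondary = secondary
        self.instruction = list(instruction)
        self.expiration = expiration
        self.ut_db: Dict[str, bool] = {}      # token -> still valid?

    def account_access_request(self) -> Tuple[str, List[str]]:
        """Signal 20 in (blocks 33, 24, 25); returns signal 26, token plus electronic instruction."""
        token = secrets.token_hex(16)                          # unique onetime identification token
        self.ut_db[token] = True
        self.secondary.receive_token(token, self.expiration)   # signal 102 carries the expiry
        return token, list(self.instruction)                   # device never sees the expiry (claim 2)

    def handle_secondary_result(self, result: Tuple[str, str]) -> str:
        """Signal 78/94 in; signal 52 (denied) or 90 (granted) returned to the device."""
        outcome, token = result
        if outcome == "access denied":
            self.ut_db[token] = False         # block 48
            return "access denied"
        if self.ut_db.get(token) is not True:  # blocks 82/84: a grant for a spent token is refused
            return "access denied"
        self.ut_db[token] = False             # block 89: token is spent after the grant
        return "access granted"


def run_scenarios() -> Dict[str, str]:
    """Constructed logons: legitimate, same signal 60 presented twice, expired, unenrolled device."""
    clock = FakeClock()
    names = ("bluetooth_serial", "wifi_mac", "app_serial")
    enrolled = {"bluetooth_serial": "BT-0001", "wifi_mac": "00:11:22:33:44:55", "app_serial": "APP-7"}
    stranger = {"bluetooth_serial": "BT-9999", "wifi_mac": "66:77:88:99:aa:bb", "app_serial": "APP-0"}
    secondary = SecondaryWebsite({tuple(gather_distinctive_ids(names, enrolled))}, clock)
    first = FirstWebsite(secondary, names, expiration=30.0)
    results: Dict[str, str] = {}

    token, instruction = first.account_access_request()
    ids = gather_distinctive_ids(instruction, enrolled)
    results["legitimate"] = first.handle_secondary_result(secondary.validate(token, ids))
    results["repeated"] = first.handle_secondary_result(secondary.validate(token, ids))

    token, instruction = first.account_access_request()
    clock.now += 31.0                         # beyond the 30 s time expiration value
    ids = gather_distinctive_ids(instruction, enrolled)
    results["expired"] = first.handle_secondary_result(secondary.validate(token, ids))

    token, instruction = first.account_access_request()
    ids = gather_distinctive_ids(instruction, stranger)
    results["unenrolled"] = first.handle_secondary_result(secondary.validate(token, ids))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:11s} -> {outcome}")
```

Only the legitimate first presentation ends in access granted; a second presentation of the same token, a token whose window has closed, and a device whose hashed identifiers are not in validation database 406 all end in access denied, which is the property the claims describe. Note that the expiry is measured from insertion into the secondary's database, as claim 1 step c requires, so the first website's own copy of the expiry never has to be consulted.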