Dismiss
InnovationQ will be updated on Sunday, Oct. 22, from 10am ET - noon. You may experience brief service interruptions during that time.
Browse Prior Art Database

Method for authenticating a remote computer to an end-user

IP.com Disclosure Number: IPCOM000198942D
Publication Date: 2010-Aug-18
Document File: 2 page(s) / 40K

Publishing Venue

The IP.com Prior Art Database

Abstract

Mechanism to allow user authentication against a server while simulaneously authenticating the server to the end user

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.

Page 1 of 2

Method for authenticating a remote computer to an end-user

In many applications an end-user is required to authenticate with a remote computer and just trust that the computer they are interacting with is the machine that they think they are interacting with. An example of this can be seen in the phishing attacks that target online banking customers. The users believe that they are interacting with the bank and freely give-up their personal information. Banking is

just one illustration of this point

                    , there are countless applications where the end-user simply trusts the remote computer. For computer-computer authentication, keys and certificates can be used but these are complex for the end-user, especially users that have very little IT experience.

    Current methods of user authentication require the user to supply all of their login details to the remote computer before they can determine the authenticity of the remote computer (i.e. by being granted access). It is only when this operation

works

    (or fails) can the user be satisfied that the site is genuine. This is often too late as their details may have already be copied.

    Our invention solves this problem by allowing a remote computer to authenticate with a user (and vice-versa) so that both parties can be certain of each other's identities before any personal information is divulged.

    The invention simply requires an item of shared knowledge between both parties, for example a 6-digit number. This piece of knowledge could be any length and mixture of characters. When an end-user wishes to initiate communication with a remote computer the computer will request their ID and a selection of random digits from the secret passcode. The computer then returns another random selection of digits from the passcode. If the computer returns the numbers expected by the user, the user may then complete the rest of the logon process and provide more personal information.

    At no point is the entire shared secret divulged by either party or by the sum of the communication thus eavesdropping the communication would not benefit an attacker.

    Although this is the most simple implementation it has the drawback that given a limited amount of information about the user (public ID and a small segment of the shared secret) an attacker could potentially obtain further information about the shared secret. Although this would require the attacker to 'get lucky'

when

attacking the site and be asked by the server for the same segment of the shared secret that the attacker knew, it is possible. A possible circumvention w...