
Messaging authenticity verification system

IP.com Disclosure Number: IPCOM000202702D
Publication Date: 2010-Dec-23
Document File: 2 page(s) / 42K

Publishing Venue

The IP.com Prior Art Database

Abstract

SMS and email are inherently insecure transmissions for one main reason, namely, trust. A user only knows who the sender of the SMS or email claims to be, rather than who he/she actually is. This is a problem for any kind of secure communication. The solution herein describes a new method to help securely determine who the sender is.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.


Messaging authenticity verification system

SMS and email are inherently insecure transmissions for one main reason, namely, trust.

A user only knows who the sender of the SMS or email claims to be, rather than who he/she actually is. This is a problem for any kind of secure communication.

    A typical solution is to encrypt the communications channel and exchange certificates so that messages can be signed and validated at the other end. The main drawback is the certificate exchange itself: how can certificates be exchanged in a secure manner without already having certificates?

    Consider the example of a bank sending an alert: the bank may send a message claiming that some unusual activity has occurred on a user's account and requesting that the user telephone the bank to discuss the issue. When a user telephones the bank, the bank typically asks security questions before talking to the user about their account. With the current system, any third party could send the alert by using a sender address matching that of a bank. A user then proceeds to give the third party their personal details, which may later be used to commit fraud.

    The solution herein solves the problem of authenticating the sender of a message without having to encrypt the contents or exchange certificates. It allows the consumer to trust that a message comes from the person it claims to have come from.

    The solution creates a hash from the communication a user has received and checks the hash with an independent service provider to verify that the hash matches the hash of the last communication sent to the user. If the hashes do not match, there is a chance that a third party is phishing.
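The check described above, as an added example that is not part of the original disclosure: the recipient hashes the received text and asks an independent service whether it matches the hash of the last message registered for that sender and recipient. SHA-256, the line-ending and whitespace normalisation, the in-memory `VerificationService`, and all names and sample messages are assumptions of this example.

```python
import hashlib
import hmac
import unicodedata


def message_digest(text: str) -> str:
    """Hash a message after light canonicalisation (an assumption of this example)."""
    # Normalise Unicode form and line endings and trim outer whitespace, so
    # harmless transport rewrites do not cause a false mismatch.
    canonical = unicodedata.normalize("NFC", text).replace("\r\n", "\n").strip()
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class VerificationService:
    """In-memory stand-in (hypothetical) for the independent service provider."""

    def __init__(self) -> None:
        self._last_sent = {}  # (sender, recipient) -> digest of last message sent

    def record_sent(self, sender: str, recipient: str, text: str) -> None:
        # Called by the genuine sender (e.g. the bank) for each message it sends.
        self._last_sent[(sender, recipient)] = message_digest(text)

    def matches_last(self, sender: str, recipient: str, digest: str) -> bool:
        expected = self._last_sent.get((sender, recipient))
        if expected is None:
            return False  # nothing on record for this pair: treat as unverified
        return hmac.compare_digest(expected, digest)


def verify_received(service, claimed_sender, recipient, received_text) -> bool:
    """Recipient side: hash what arrived and ask the service to compare."""
    return service.matches_last(claimed_sender, recipient, message_digest(received_text))


# Constructed sample data, not taken from the disclosure.
service = VerificationService()
GENUINE = "Unusual activity on your account. Please call the number on your card."
SPOOFED = "Unusual activity on your account. Please call 555-0100 now."
service.record_sent("bank", "alice", GENUINE)

if __name__ == "__main__":
    print(verify_received(service, "bank", "alice", GENUINE + "\r\n"))  # genuine copy
    print(verify_received(service, "bank", "alice", SPOOFED))           # altered text
    print(verify_received(service, "bank", "bob", GENUINE))             # no record
```

Because only the hash of the last message is kept, an older genuine message stops verifying as soon as the sender registers a newer one.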

    The configuration information to enable this can be supplied using an official document from the entity with which a user will communicate. For example, a bank could print the service endpoint information which a user would use on the user's bank statement. A user can add the configuration...