417 results about "Man-in-the-middle attack" patented technology

Embodiments of the present invention relate to an online transaction method enacted between a first party and a second party, for example a customer and a bank respectively. The method of the embodiment includes the steps of the first party transmitting a transaction request comprising transaction details and the second party receiving the transaction request and generating, for the first party, an authentication request, comprising transaction details and challenge data. In order to increase the security of the overall transaction, the authentication request is adapted so that it is difficult for an automated process to use or modify information therein to generate a replacement authentication request. Such a method finds application in reducing the potential for a man-in-the-middle attack, wherein an intermediate, subversive process can behave as a legitimate second party in order to steal money from the first party.

A page list comprising a list of transitions between network resources is established. Subsequently, a transition is detected between a first network resource and a second network resource. An expected security level associated with the transition is identified based on the page list. Responsive to the detected security level being determined to be lower than the expected security level, a remedial action is performed.

To authenticate a user having an associated asymmetric crypto-key having a private/public key pair (D,E) based on a one-time-password, the user partially signs a symmetric session key with the first portion D1 of the private key D. The authenticating entity receives the partially signed symmetric session key via the network and completes the signature with the second private key portion D2 to recover the symmetric session key. The user also encrypts a one-time-password with the symmetric session key. The authenticating entity also receives the encrypted one-time-password via the network, and decrypts the received encrypted one-time-password with the recovered symmetric session key to authenticate the user.

The invention provides methods and apparatus for detecting when an online session is compromised. A plurality of device fingerprints may be collected from a user computer that is associated with a designated Session ID. A server may include pages that are delivered to a user for viewing in a browser at which time device fingerprints and Session ID information are collected. By collecting device fingerprints and session information at several locations among the pages delivered by the server throughout an online session, and not only one time or at log-in, a comparison between the fingerprints in association with a Session ID can identify the likelihood of session tampering and man-in-the middle attacks.

Problem The combination of a tendency towards permissivity when verifying certificate authenticity and the use of in-band client authentication opens up an opportunity for attackers to mount man-in-the-middle attacks on SSL connections.

Solution The invention exposes any discrepancy between the intended recipient of the client credential and the actual recipient of the client credential by cryptographically including parameters that are uniquely linked to the channel (i.e., the communication session, as characterized by the parameters of the protocols that are being used), preferably the channel end points, in the calculation of the client credential. This links the process that provides the secure channel (e.g., the SSL protocol session) to the process that provides the authentication credential (e.g., the OTP token operation), thus exposing any attack that would break up the client-server channel. This is achieved without the requirement for an additional encrypted tunnel and allowing the continued use of existing components such as existing browsers.

A secure communications and location authorization system using a power line or a potion thereof as a side-channel that mitigates man-in-the-middle attacks on communications networks and devices connected to those networks. The system includes a power grid server associated with a substation, or curb-side distribution structure such as a transformer, an electric meter associated with a structure having electric service and able to communicate with the power grid server, a human authorization detector input device connected to the electric meter and the power grid server. The human authorization detector is able to receive an input from a user physically located at the structure and capable of communicating with the power grid server via the electric meter. The user's physical input into the device causing a request to be sent to the power grid server that then generates a location certificate for the user. Without the location certificate, access to the communications network and devices connected to those networks can be denied.

The security of network connections on a computing device is protected by detecting and preventing compromise of the network connections, including man-in-the-middle (MITM) attacks. Active probing and other methods are used to detect the attacks. Responses to detection include one or more of displaying a warning to a user of the computing device, providing an option to disconnect the network connection, blocking the network connection, switching to a different network connection, applying a policy, and sending anomaly information to a security server.

Encrypted communications between servers and client devices over an unsecured channel, such as the Internet, without using a public key infrastructure are disclosed. Messages to a client device are encrypted using an encryption key of an authorized individual, regardless of the identity of the user of the client device. Encryption is performed by a system that does not expose encryption keys to the client device or the server, thereby preventing man-in-the-middle attacks against the encryption key. Secure communications are combined with a two-factor protocol for authenticating the identity of an individual. An individual authenticates by generating a cipher using a light-weight certificate that has a shared secret but no other information identifying the individual. Separately, a server generates the same cipher using the shared secret, thereby authenticating the individual's identity to a relying party.

The invention discloses an access control method for a wireless local area network. The method comprises the following steps of: A, arranging a user identity token USB-KEY for storing an identity identifier and a private key on a mobile terminal and performing the operation of an IBE algorithm; B, performing identity authentication on the mobile terminal to be subjected to network entry by adopting the identity-based encryption technology, namely IBE technology, and if the authentication is not passed, not allowing users to access the network; and C, determining the resource access permissionof the mobile terminal, and controlling the network access action of the mobile terminal according to the resource access permission. The method introduces the authentication control of specific application resources accessed by the users, adapts to the development tendency of taking application as the center in the wireless local area network, and simultaneously, improves the safety of the access control scheme of the wireless local area network and avoids man-in-the-middle attack and the attack of denial of service. The invention also discloses a system for the access control of the wireless local area network correspondingly.

A system, peripheral device, and method for authenticating an encryption key before transmitting encrypted messages containing sensitive information are provided. Authentication of a client device during the coordination of data transfer among multiple computer devices is possible by providing a peripheral device that does not have a direct connection to a network, but rather, any message to be transmitted over the network must be relayed through a client device. Any sensitive information to be transferred to a remote device is inserted into a message, then the message is encrypted in the peripheral device. This prevents any process running on the client device from fooling the client device into communicating confidential information to a third party rather than the desired remote computer, because the client device never sees the sensitive information in an unencrypted form; only the peripheral device has access to the sensitive information in an unencrypted form.

The invention discloses a short-message-based authentication method, a short-message-based authentication system and a short-message-based authentication device, which relate to the technical field of network security. The authentication system comprises a server, a client and a mobile phone. The authentication device which is the server comprises a transmitting and receiving module, a storage module, a counting module, a judgment module, a generation module, an authentication module, a control module and a calculation module. In the short-message authentication method, the server generates an authentication code, records authentication code generation time, and transmits the generated authentication code to the mobile phone of a user in an out-of-band way; the user inputs the authentication code into the client; and the client transmits the authentication code to the server for authentication, so man-in-the-middle attacks can be prevented to a certain extent; moreover, the authentication code generated by the server has timeliness and may become invalid upon expiration.

A method for establishing a link key between correspondents in a public key cryptographic scheme, one of the correspondents being an authenticating device and the other being an authenticated device. The method also provides a means for mutual authentication of the devices. The authenticating device may be a personalized device, such as a mobile phone, and the authenticated device may be a headset. The method for establishing the link key includes the step of introducing the first correspondent and the second correspondent within a predetermined distance, establishing a key agreement and implementing challenge-response routine for authentication. Advantageously, man-in-the middle attacks are minimized.

The invention provides a model and a method for user authentication based on a trusted center in a quantum key distribution network, specifically, a user authentication model based on the trusted center is provided and an implementation method is described in detail, in order to realize the communication security between any two users in the network and prevent a man-in-the-middle attack. Based on the model, the invention further provides a method for user authentication, which comprises the following steps that: 1, any user requesting for communication in the network sends a connection request to the trusted center; 2, the trusted center sends a pre-shared key to the two communication parties respectively; 3, the two communication parties set up a quantum channel and are authenticated; and 4, the two parties are authenticated regularly or irregularly in the subsequent communication process. According to the invention, by fully considering the development status of the current quantum key distribution network and by combining with the actual requirement, a quantum communication channel can be set up securely between any two nodes in the network, so that the communication security between users can be realized.

Methods and systems for securing remotely-operable devices are provided. A remotely-operable device can receive a command related to a component of the remotely-operable device operating in an environment. The remotely-operable device can include a reality-rules database (RRDB) that is configured to store a plurality of reality rules with each reality rule relating to a constraint on the remotely-operable device. The remotely-operable device can determine a reasonableness value for the command based on a constraint, where the constraint is determined based on a constraint related to at least one reality rule of the plurality of reality rules stored in the RRDB. The remotely-operable device can encode the reasonableness value for the command in a feedback message. The remotely-operable device can send the encoded feedback message from the remotely-operable device.

An identification system which is not prone to man-in-the-middle attacks and which is capable of intra-body communication includes at least one wearable electronic key (1). The electronic key includes an intra-body communication interface (IBCI) and a storage device (DB) in which user identification data (ID) are stored, and an authentication server (AS) for verification of a user's fingerprint. At least one reader (2) has an intra-body communication interface (IBCI) and a fingerprint reader.

By introducing a hierarchical encryption scheme and the use of asymmetric cryptography, the critical information in message exchanges is concealed from unauthorized entities. This helps greatly in preventing man-in-the-middle attacks faced by inter-working. In addition, access control is conducted by introducing a network structure having a rule interpreter that is capable of mapping general rules to WLAN specific commands. It obviates the needs for mobile user's home network to understand information about every WLAN it is inter-worked with. A common interface independent of WLAN technologies could be used by the home network for all the WLANs. The above conception provides a solution to the problems of the protection of user identification information and access control in the inter-working of WLAN.

Verification of privacy of Web Real-Time Communications (WebRTC) media channels via corresponding WebRTC data channels, and related methods, systems, and computer-readable media are disclosed. In this regard, in one embodiment, a method for verifying privacy of a WebRTC media channel comprises establishing the WebRTC media channel between first and second WebRTC clients using a keying material. The method further comprises establishing a corresponding WebRTC data channel between the first and second WebRTC clients using the keying material, and negotiating, in the WebRTC data channel, a cryptographic key exchange. The method also comprises generating a first and a second Short Authentication String (SAS) based on the cryptographic key exchange in the WebRTC data channel. The method further comprises displaying the first SAS and the second SAS, such that a mismatch between the first SAS and the second SAS indicates an existence of a man-in-the-middle (MitM) attacker.

A method for detecting and blocking a Man-in-the-Middle phishing attack carried out on a client connection which has been fraudulently routed through an anonymous proxy server. An agent downloaded to the client device opens a client direct connection to the security host protecting against the attack and sends a client direct connection ID to the security host for validation. By comparing IP addresses correlated via the validated client direct connection ID, the security host determines whether the original connection is direct (secure) or indirect (attack via phishing proxy). The detection and blocking can be performed by the service provider's server or by a third-party validation server handling all security without additional requirements on the service provider server. In addition to detecting and blocking such attacks, methods for client direct connection ID, as well as automatic transparent and seamless attack circumvention and preemptive circumvention are disclosed.

The invention discloses a work method of an authentication pushing system and equipment, and belongs to the field of information security. The method comprises the following steps that an application interface receives user information and sends the user information to an application server, the application server sends the user information and an application identifier to an authentication server, the authentication server generates authentication pushing requests according to a generated challenge value, token information, the user information and the application name corresponding to the application identifier, and sends the authentication pushing requests to a mobile terminal token, the mobile terminal token generates login information according to the authentication pushing requests, when the user select the login confirm, a first response value is generated according to the challenge value and is sent to the authentication server, the authentication server generates a second response value according to the challenge value, and when the first response value and the second response value are identical, an authentication success result is returned to the application server. When the technical scheme is adopted, the data transmission speed of the traditional authentication is accelerated, the user does not need to take part in the password input, the man-in-the-middle attack is avoided, and the authentication security is improved.

One safety authentication method uses for ultra wideband identify system. The identification process bases on Hash operation and adds stochastic number mask and secret key renew method. The reader of card and electric label both has same secret key pair K1, K2. K1 and stochastic number R carry out the Hash operation about electric label, while K2 and the only identifier C carry out the Hash operation to authenticate the reader. It offers the safety attestation method to effectively realize the safeguard of several safety and privacy problem and satisfy the low cost and consume for the electric label CMOS chip. This can prevent the leak of place privacy, the stolen of label information, fabricating label and attacking by intermediary. And it is significance to realize low cost for electric label.

The invention discloses a privacy leaking detecting method and system for android application network communication. The method comprises the following steps: crawling android application to be detected, and building an application set to be detected; building a main-in-the-middle attack server; initializing each tester environment; arranging a multi-tester distributive running scheduling system; analyzing APK files of the application to be detected; installing the application program corresponding to the APK file, and driving the application program to run; analyzing a log file created by the Burp Suite, and acquiring the application set with SSL man-in-the-middle attack; analyzing a network data pack file created in the running process of the collected application program; recognizing the privacy leaking type of the network data pack file according to the application set with the SSL man-in-the-middle attack. The method is flexible to use, and automatic in the whole process; the android system and the android application program structure are not modified; the privacy leaking behavior of the android application in the network communication process can be safely and accurately detected.