The present invention relates to the field of Internet security, secure login, and secure eCommerce. More particularly, the invention relates to a method for preventing exploitation of a stolen password.
A computer executing a browser, referred to hereinafter as a Web Client or client, is essentially a hyper text reader communicating with a Web Server via a specific data transfer protocol such as the Hyper Text Transfer Protocol (HTTP). Any hyper text file on the web is uniquely identified by its Uniform Resource Locator (URL). Many of the hyper text files are currently structured using the Hyper Text Mark-up Language (HTML), which may also be used for calling hyper text data objects. A hyper text data object may be in the form of any information medium including text, an image, voice, a moving picture or an executable computer program. When a client requests a hyper text file, using the file's URL, the file is displayed on the client's browser, where the display is commonly known as a web page. The client can return data to the server and call a Common Gateway Interface (CGI) program on the server computer to perform a specific task.
In online Internet browsing, many web sites require users to authenticate themselves using a username and a password. The password serves as the secret factor of this authentication scheme. Compromise of the password and the corresponding user name allows an attacker to log in from virtually anywhere in the world. It is therefore a prime objective of an attacker to steal, i.e. copy, a user's password. Many techniques have been developed by attackers to achieve this goal, among them phishing, man-in-the-middle techniques, key-logging, cross site scripting attacks, hooking the browser's events, and so forth.
One of the ways to maliciously copy a password is “phishing”, in which an attempt to fraudulently acquire usernames and passwords is made by masquerading as a trustworthy entity to an unsuspecting user. Phishing is typically carried out using email or an instant message, and often directs users to a fraudulent website requesting the user to submit his user name and password. To date, attempts to deal with the growing number of reported phishing incidents have fallen short of being effective.
Another way to maliciously copy a password is “Cross Site Scripting”. This attack exploits a vulnerability of the targeted web site which allows the attacker to craft a malicious link (pointing into the target web site) and entice the user to click it. Once the user clicks this link, the attacker's JavaScript/VBScript code runs in the user's browser in the context of the web site. This malicious code can eavesdrop on the password once the user enters it in the web site, and then send the password to the attacker.
Another way to maliciously copy a password is by installing in the client a “Malicious browser plug-in”. The malicious browser plug-in (e.g. BHO technology in Microsoft Internet Explorer) waits for the user to log in, and then forwards the password to the attacker's server, where it is collected by the attacker and used to browse the web site with the same privileges as the logged-in user.
As of today some methods exist for combating password theft:
Additional tokens (hardware or software): these solutions add a “second authentication factor” in the form of a token, which is a piece of hardware/software that generates a one-time (or limited-time) token value of cryptographic strength. Without this unpredictable value, it is impossible to log in. Yet it is possible to bypass this additional authentication factor with a simple phishing attack that now works online, in real time. The attack proceeds as follows: an attacker creates a phishing website mimicking the real web site and lures victims to visit it, presenting it as the real website. The victims submit both the password and the current token value, and the phishing website immediately relays both to the real website to log in before the token value expires.
Password managers/vaults: password managers rid users of the need to remember passwords and type them. They associate passwords with the sites and pages in which they were originally typed, and when the same page is loaded again in the browser, they automatically fill in the password. Password managers/vaults are typically useless against browser malware which intercepts the password after it has been inserted by the password manager/vault but before it is sent by the browser to the site.
Desktop recognition solutions: these solutions tie the authentication process (e.g. submission of username and password) to the desktop, e.g. by sending a desktop-specific cookie. However, these solutions are defeated by malware that steals both the password and the cookie.
PwdHash (http://crypto.stanford.edu/PwdHash/): this solution replaces the plain password typed by the user at the browser with a one-way hash of the password and the domain name to which the password is submitted. This does not hide the password from an attacker on the machine itself (e.g. a key-logger). Even if the user's keystrokes are encrypted, the browser has to receive the hashed password and send it to the website. At the point where the browser receives the hashed password, it can be intercepted by malware. With this hashed password, an attacker can log in to the site from any desktop.
It is an object of the present invention to provide a method for rendering password theft ineffective.
It is another object of the present invention to provide a method for preventing an unauthorized user from falsely identifying to a secure web site using a stolen password.
It is still another object of the present invention to provide a method for rendering ineffective the password theft made by Phishing or Malicious browser plug-ins.
Other objects and advantages of the invention will become apparent as the description proceeds.
The present invention relates to a method for rendering a login theft ineffective comprising the steps of: (a) detecting a submission of a first login request from the user's client to a Web site; (b) redirecting said first login request to the traffic processor for copying at least one of the user supplied login fields; (c) forwarding said first login request from said traffic processor to said site; (d) requesting replacements of at least one of said user supplied login fields from said site, and (e) replacing said at least one of user supplied login fields with at least one new corresponding login field(s) in said site.
Preferably, the method further comprises the steps of: (a) detecting a second login request intended for the Web site; (b) redirecting said second request to the traffic processor by the redirector; (c) replacing the user supplied login field(s) with the new corresponding login field(s); and (d) forwarding the modified second login request to said site.
Preferably, the user supplied login fields and new corresponding login fields are stored in a table.
Preferably, the forwarding of the request(s) by the traffic processor and the receiving of response(s) from the site is done using a secure path.
Preferably, the user is notified before the user supplied login fields are replaced with new corresponding login fields.
Preferably, permission is requested from the user prior to replacing the user supplied login fields with new corresponding login fields.
In an embodiment, the new corresponding login fields are produced by applying a deterministic function to the original login fields.
In an embodiment, the new corresponding login fields are produced by applying a non-algorithmic function.
Preferably, the user may obtain the new corresponding login fields.
The invention further relates to a method for rendering a login theft ineffective comprising the steps of: (a) detecting a submission of a first login request from a client to a Server; (b) redirecting said first login request to the traffic processor for copying at least one of the user supplied login fields; (c) forwarding said first login request from said traffic processor to said Server; (d) requesting replacements of at least one of said user supplied login fields from said Server; and (e) replacing said at least one of user supplied login fields with at least one new corresponding login field(s) in said Server.
In the drawings:
The term login, or login fields, refers hereinafter to any one or a combination of user authentication fields such as: username, password, user ID, authentication, authenticating code, user defined input, identifying field, etc.
In an embodiment of the invention the user is notified before the login is changed, and in another embodiment, permission is also requested from the user prior to changing the login.
In one of the embodiments the user may connect to a number of protected sites in which the method of the invention is applied to each of the sites individually. In an embodiment, the table of the Password Manager may be used to store a number of original logins and their corresponding new logins.
In one of the embodiments, the new login fields are realized either by applying a deterministic function to the original login fields (in some cases together with other parameters such as a machine-specific secret key), or by generating an effective login in a possibly non-algorithmic manner, e.g. by obtaining a random string and keeping a table that maps the original login to the corresponding new login. The password manager may need to apply additional logic in order to ascertain that the new login meets the password criteria of the protected site for which it is generated. These may include a length limit, character set limits, minimum requirements for entropy (non-word, uppercase/lowercase/non-alphanumeric combinations), being different from the user name, and being different from the previous N passwords.
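The two generation modes described above, as an added example that is not part of the patent's own disclosure: a deterministic mode that derives the new login from the original login fields, the site name and a machine-specific secret key with HMAC-SHA256, advancing a counter until the result satisfies the site's password criteria, and a non-algorithmic mode that draws a random string and retries until it complies. The policy values, the 64-symbol alphabet, the function and variable names, and the sample inputs are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
import string

# Hypothetical password criteria for one protected site (assumed values).
# They cover the criteria named in the description: length limits, a character
# set limit, character class requirements, and being different from the
# username and from the previous N passwords.
ALPHABET = string.ascii_letters + string.digits + "!@"  # exactly 64 symbols
POLICY = {"min_len": 12, "max_len": 20, "history": 5}


def meets_policy(candidate, username, previous=()):
    """Return True if candidate satisfies the site's password criteria."""
    if not POLICY["min_len"] <= len(candidate) <= POLICY["max_len"]:
        return False
    if any(c not in ALPHABET for c in candidate):
        return False
    has_all_classes = (
        any(c.islower() for c in candidate)
        and any(c.isupper() for c in candidate)
        and any(c.isdigit() for c in candidate)
        and any(not c.isalnum() for c in candidate)
    )
    if not has_all_classes:
        return False
    if candidate == username or candidate in list(previous)[-POLICY["history"]:]:
        return False
    return True


def derive_veiled_login(original_password, username, site, machine_secret,
                        previous=(), length=16):
    """Deterministic mode: HMAC-SHA256, keyed with a machine-specific secret,
    over the site name, username, original password and a counter. The counter
    is advanced until the output meets the policy, so the same inputs (and the
    same password history) always yield the same veiled login, while a
    different site or a different machine yields an unrelated one."""
    for counter in range(1000):
        msg = "\x00".join([site, username, original_password, str(counter)]).encode()
        digest = hmac.new(machine_secret, msg, hashlib.sha256).digest()
        # 64-symbol alphabet: b & 63 is a uniform index, so no modulo bias.
        candidate = "".join(ALPHABET[b & 63] for b in digest[:length])
        if meets_policy(candidate, username, previous):
            return candidate
    raise RuntimeError("no policy-compliant derivation found")


def generate_random_login(username, previous=(), length=16):
    """Non-algorithmic mode: a fresh random string, retried until it meets the
    policy. Because it cannot be recomputed, the caller must record the
    original-to-new mapping in a table."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, username, previous):
            return candidate


if __name__ == "__main__":
    # Constructed sample input: a user, a site and a machine secret.
    secret = b"machine-specific-secret-example"
    veiled = derive_veiled_login("hunter2", "alice", "bank.example", secret)
    print("deterministic:", veiled, meets_policy(veiled, "alice"))
    print("random:", generate_random_login("alice"))
```

Note that in the deterministic mode the "previous N passwords" rule makes the output depend on the history passed in, so the table of previous veiled logins still has to be kept if that rule is enforced; only the machine secret and the inputs are needed to recompute the very first value.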
Since many web sites encourage and even force users to periodically change their login fields, the method of the invention may be used in this process as well. When a change login form for a protected site is displayed at the browser, the user types his original login with a new user defined login, and submits the request. The browser prepares the HTTP request for changing the login. The Redirector detects that this request is for a protected site and routes the request to the Traffic Processor. The Traffic Processor detects that this request is a change login request and it extracts the original login fields from the login request. Since the corresponding login fields for this site can only be found by the Password Manager, the Traffic Processor fetches the corresponding login fields from the Password Manager and replaces the original login fields in the request with the corresponding login fields. At this point the Traffic Processor may also request new corresponding login fields, from the Password Manager, corresponding to the new user defined login fields supplied by the user. The new corresponding login fields, supplied by the Password Manager, are thus sent in the request with the old corresponding login fields. The request then proceeds to the protected site (possibly using the Secure Path), and the response is forwarded back to the browser.
In another embodiment, the method of the invention may be used for changing the password periodically without requiring the user's intervention. The changing of the password may be done at regular intervals predefined by the user or in response to a request from the web site. In this embodiment the TP obtains from the Password Manager new corresponding login fields and replaces the current corresponding login fields held at the Server of the web site with the new ones, by invoking the Server's “change password” function; the user's original login fields are left unchanged.
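The complete flow, as an added example that is not part of the patent's own disclosure: the first and second login requests of the method, the user-initiated change-login procedure, and the periodic change without user intervention, run against a toy protected site. The site, the Password Manager table (random new logins, keyed per site and username, with a fingerprint of the original password so that a wrong original is not silently replaced), the Traffic Processor class and the sample account are all this example's own assumptions; the Redirector is modelled simply by the caller handing requests to the Traffic Processor.

```python
import hashlib
import hmac
import secrets


class Site:
    """Toy protected site: a salted-hash credential store exposing the login
    and 'change password' functions the Traffic Processor invokes."""

    def __init__(self):
        self._users = {}  # username -> (salt, hash)

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(salt, password))

    def login(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._hash(salt, password))

    def change_password(self, username, old_password, new_password):
        if not self.login(username, old_password):
            return False
        self.register(username, new_password)
        return True


def fingerprint(password):
    return hashlib.sha256(password.encode()).hexdigest()


class PasswordManager:
    """Table mapping (site, username) to a fingerprint of the original login
    and the corresponding veiled login (random string, non-algorithmic mode)."""

    def __init__(self):
        self._table = {}

    def lookup(self, site, username, original):
        row = self._table.get((site, username))
        if row and hmac.compare_digest(row[0], fingerprint(original)):
            return row[1]
        return None  # unknown site/user, or the original does not match

    def new_login(self, site, username, original):
        veiled = secrets.token_urlsafe(18)
        self._table[(site, username)] = (fingerprint(original), veiled)
        return veiled

    def rotate(self, site, username):
        fp, old = self._table[(site, username)]
        new = secrets.token_urlsafe(18)
        self._table[(site, username)] = (fp, new)
        return old, new


class TrafficProcessor:
    """Receives the login requests the Redirector diverts for protected sites."""

    def __init__(self, sites, pm):
        self._sites = sites  # site name -> Site, reached over the secure path
        self._pm = pm

    def login(self, site, username, password):
        srv = self._sites[site]
        veiled = self._pm.lookup(site, username, password)
        if veiled is not None:
            return srv.login(username, veiled)  # second and later logins
        if srv.login(username, password):  # first login: forward as-is ...
            new = self._pm.new_login(site, username, password)
            return srv.change_password(username, password, new)  # ... then replace
        return False  # wrong password, or an attacker who is not this user

    def change_login(self, site, username, old_password, new_password):
        """User-initiated change: both user-typed values are replaced before
        the request reaches the site."""
        veiled = self._pm.lookup(site, username, old_password)
        if veiled is None:
            return False
        new = self._pm.new_login(site, username, new_password)
        return self._sites[site].change_password(username, veiled, new)

    def rotate(self, site, username):
        """Periodic change without user intervention: the original login the
        user types stays the same; only the veiled value at the site changes."""
        old, new = self._pm.rotate(site, username)
        return self._sites[site].change_password(username, old, new)


def demo():
    site = Site()
    site.register("alice", "hunter2")  # constructed sample account
    tp = TrafficProcessor({"bank.example": site}, PasswordManager())
    r = {}
    r["first_login"] = tp.login("bank.example", "alice", "hunter2")
    r["stolen_original_direct"] = site.login("alice", "hunter2")  # bypassing the TP
    r["second_login"] = tp.login("bank.example", "alice", "hunter2")
    r["wrong_password"] = tp.login("bank.example", "alice", "wrong")
    r["change_login"] = tp.change_login("bank.example", "alice", "hunter2", "correct horse")
    r["old_after_change"] = tp.login("bank.example", "alice", "hunter2")
    r["new_after_change"] = tp.login("bank.example", "alice", "correct horse")
    r["rotate"] = tp.rotate("bank.example", "alice")
    r["login_after_rotate"] = tp.login("bank.example", "alice", "correct horse")
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the run makes is the one the description claims: once the first login has completed, the password the user types (and which a key-logger or phishing page would capture) no longer authenticates at the site, while logins routed through the Traffic Processor keep working across a user-initiated change and a silent rotation. The fingerprint check in the table is the practitioner's caveat: without it, a mistyped original password would still be swapped for the valid veiled one and the site would accept it.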
In one of the embodiments it may be desirable for the user to obtain the “veiled”, i.e. concealed, corresponding login fields, especially if the user wants to log in from a different computer. This can be achieved in several fashions: (1) by providing the user with the login fields from the Password Manager. The user may ask to be provided with the login fields. Naturally this should be implemented securely to avoid malicious software from obtaining the login fields. (2) When the user indicates that he wants to unveil the login fields (again, such indication must be provided in a secure manner to avoid being fooled by malicious software), the user is redirected to the change login page of the website, in which the user chooses new login fields. In this mode, the new login fields are not replaced by the system of the invention. (3) When the user indicates that he wishes to unveil the login fields (again, such indication must be provided in a secure manner to avoid being fooled by malicious software), the user is presented with a “change login” interface, e.g. a dialog box, produced by the system, in which the user chooses the new login. The system then invokes the site's “change login” function with the old corresponding login and changes the login fields to the new user defined login.
In an example, the invention may be used in any client Server relationship, where the client and the server are communicating over the Internet or any other type of network. For instance, in the RLOGIN protocol (RFC 1258—http://tools.ietf.org/html/rfc1258), the connection is opened with the username and the server's login program then prompts for the password; the Redirector intercepts this exchange and forwards it to the Traffic Processor. The latter forwards the request to the server and receives the positive response, meaning that the login has been established. The Traffic Processor then sends a “change password” request to the server: in UNIX this is achieved via the passwd command, supplying the old password and the new password, and in Windows this is achieved likewise using the NET USER command. The new password specified is obtained from the Password Manager. The Traffic Processor returns control to the RLOGIN client only after the password has been changed. Later, when a new RLOGIN session is established, the Redirector intercepts the login, and the password is changed to the one provided by the Password Manager, so the actual login is carried out using the password from the Password Manager. The user continues normally without being affected by the password changing activity, which is transparent to him.
While some embodiments of the invention have been described by way of illustration, it will be apparent that the invention can be carried into practice with many modifications, variations and adaptations, and with the use of numerous equivalents or alternative solutions that are within the scope of persons skilled in the art, without departing from the spirit of the invention or exceeding the scope of the claims.