WO2007080588A2 - Method for authenticating a website - Google Patents

Publication number
WO2007080588A2
Authority
WO
WIPO (PCT)
Prior art keywords
website
user
personal
code
authenticating
Application number
PCT/IL2007/000042
Other languages
French (fr)
Other versions
WO2007080588A3 (en
Inventor
Eli Yaacoby
Original Assignee
Eli Yaacoby
Application filed by Eli Yaacoby
Publication of WO2007080588A2
Publication of WO2007080588A3

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates

Definitions

  • the present invention provides a procedure which enables a user to reliably verify the authenticity of the website he accesses.
  • the invention includes two means for verification:
  • the first verification is generally a machine verification between the website Domain name as submitted to the browser, and between the website Domain name as included in the certificate;
  • the second verification is generally a visual verification of the PAWC by the user.
  • a hacker may be able to deceive the user to believe that a faked website is authentic only by succeeding in producing a faked certificate that contains in an encrypted manner: (1) the Domain name of the faked website which must be identical to a link given to the user for access (generally by the hacker, for example within an email sent to him); and (2) a PAWC known to the user which is identical to the confidential PAWC that was given to the website during an initial agreement.
  • Such a task is considered to be extremely hard for performance by a hacker: Firstly because he has to produce a faked certificate which can be opened by the certification authority public key, a task which is known in the art to be extremely hard; and, secondly because the hacker has to obtain a copy of the confidential PAWC that the user has initially given to the website owner or operator. Performing by a hacker even a single of said tasks is considered extremely hard, needless to say the performance of said two tasks.
  • the present invention provides extremely secured means for a user to verify the authenticity of the website he accesses.
  • each domain name corresponds to an IP address. Therefore, the invention as described may be similarly carried out by means of comparing the IP address, the domain name, or a combination thereof.
  • the method of the present invention is preferably formed as an integral part of the user browser.

Abstract

The present invention relates to a method for the authentication of a website to users which comprises the steps of: (a) Establishing an agreement between each user and a website owner where each user receives from the website owner at least a first personal client key and the website owner receives from each user at least one personal authenticating website code; (b) Conveying said personal website authenticating code of each user to a certification authority, and producing by said authority a personal certificate containing in an encrypted form said personal authenticating website code and the IP address of said website; (c) Conveying each of said certificates back to said website, and storing the certificates in a storage; (d) Upon accessing the website, submitting by the user the first personal client key, and saving the website IP address as accessed at the user work station for later comparison; (e) Having received said first personal client key, extracting by the website the personal certificate that corresponds to said user, and sending same to the client together with the website home page; (f) Having received the personal certificate at the user station, decrypting the certificate by means of a decrypting key; (g) Comparing the website IP address as decrypted from the received certificate with the website IP address as saved at the user station, and providing identity indication to the user; (h) Verifying by the user that the personal authentication website code is indeed the one submitted by the user to the website owner at said agreement; (i) Concluding by the user that the website is indeed authentic only if both (a) said comparison of IP address indicates identity; and (b) said verification of personal authenticating website code shows identity.

Description

METHOD FOR AUTHENTICATING A WEBSITE
Field of the Invention
The present invention relates to the field of Internet authentication techniques. More particularly, the invention relates to a method by which a user can determine the authenticity of a website he accesses.
Background of the Invention
In the world of today many business transactions are done via the Internet, whether by shopping on-line in websites offering goods and merchandise or by paying bills through a designated website. Furthermore many banks allow their customers to perform money transactions via the bank website which is claimed to be secured. All websites involved in money transactions need some kind of authentication from the customer before approving the transaction as to prevent an impostor to pose as a customer. An electronic request issued from one network unit to another for authentication will be referred to hereinafter as a challenge, while the authenticating or answer to the request will be referred to hereinafter as a response. Some of the authentication techniques involve using a password known by the user and authenticated by the website, which can be used alone or together with a username. Furthermore some of the authentication techniques use two passwords together with a username, or a password together with a credit card number or an ID number or even a key which is installed in a hardware device. The common factor of all the authentication techniques above is the use of input fields supplied by the user (response) on demand of the website (request) for authenticating the user. Therefore many ways have been devised by hackers and internet thieves to copy and steal these input fields, due to the fact that these input fields or passwords are the keys for authentication. Once acquiring the means for authentication, a hacker is able to buy or transfer money using the account of the user.
One of the tricks used by computer hackers to copy passwords to bank websites, where the bank is interested in allowing its customers to utilize money transactions, involves impersonation. The computer hacker buys an internet domain name similar to a domain name of a bank, or changes the IP numbers corresponding to a certain domain name to mislead the user into a different website than the authentic website of the bank which he intends to access, where he sets a faked website similar to the real website of the bank. Once a user of the bank enters the faked site, he is led to think that he has entered the correct site of the bank. He is then requested to enter his password and personal details while the hacker system records his username and/or password inputs. Furthermore, the hacker might wait for the user to enter the correct website of the bank and then open another website page on the user's computer, hiding the open bank website, requesting the password while recording the input. At the critical moment, for example, after entering the password, the user is notified of a failure with the Internet connection misleading the user to believe that his password is still safe. After acquiring the password and username of a user, the hacker has the confidential details of the user, and he can log into the real website of the bank and can enter the stolen username and password of the private bank account. Once in a private bank account the hacker can do essentially everything the user is entitled to in the website, such as transfer money from the account or use the personal information for other uses.
US publication 2004/0139152 suggests a system in which a user issues a first request at a website and in response the website issues a challenge to the user. The challenge may be selected among a number of different types of challenges, and the user must file an appropriate response. This publication solves some of the problems concerning the authentication of the user but does not offer a solution to the problem of authenticating the website for the user and determining that the website is truly what it claims to be.
Other publications which intend to provide authentication of a public website to the user are: PCT/US04/14379, PCT/US05/03686 and US 2004-0168083 A1.
The use of security "certificates" in the Internet communication is common. A certificate is issued by a third and reliable authority assuring a receiving party that a data content which is associated with the certificate he received is authentic in the sense that it was indeed sent from the person supposedly sending it, and that it was not tampered with on the way from the authentic sending party to the receiving party. The use of a certificate involves the encryption of the data package, optionally attaching to it a public key (or providing the public key to the receiving party beforehand), and enclosing also a signature. The certification authority signature on a certificate allows any tampering with the content associated with the certificate to be easily detected. More particularly, the certification authority signature on a certificate is like a tamper-detection seal on a bottle of pills — any tampering with the content associated with the certificate is easily detected. As long as the certification authority signature on a certificate can be verified, the certificate has integrity. Otherwise, it can be concluded that the certificate and content are not authentic. Since the integrity of a certificate can be determined by verifying the certification authority signature, certificates are inherently secure and can be distributed in a completely public manner. However, the common use of certificates cannot solve the problem as described above, i.e., enabling a user who accesses a public web site to verify the authenticity of said website before typing and submitting his confidential codes (e.g., username and password).
It is an object of the present invention to provide a system which is capable of authenticating a public website for the user.
It is another object of the present invention to provide a public website authentication system that is easy to use by an average user.
It is still another object of the present invention to provide a public website authentication system that cannot be copied easily and automatically by a computer program.
Other objects and advantages of the invention will become apparent as the description proceeds.
Summary of the Invention
The present invention relates to a method for the authentication of a website to users which comprises the steps of: (a) Establishing an agreement between each user and a website owner where each user receives from the website owner at least a first personal client key and the website owner receives from each user at least one personal authenticating website code; (b) Conveying said personal website authenticating code of each user to a certification authority, and producing by said authority a personal certificate containing in an encrypted form said personal authenticating website code and the Domain name of said website; (c) Conveying each of said certificates back to said website, and storing the certificates in a storage; (d) Upon accessing the website, submitting by the user the first personal client key, and saving the website Domain name as accessed at the user work station for later comparison; (e) Having received said first personal client key, extracting by the website the personal certificate that corresponds to said user, and sending same to the client together with the website home page; (f) Having received the personal certificate at the user station, decrypting the certificate by means of a decrypting key; (g) Comparing the website Domain name as decrypted from the received certificate with the website Domain name as saved at the user station, and providing identity indication to the user; (h) Verifying by the user that the personal authentication website code is indeed the one submitted by the user to the website owner at said agreement; (i) Concluding by the user that the website is indeed authentic only if both (a) said comparison of Domain name indicates identity; and (b) said verification of personal authenticating website code shows identity.
Preferably, said personal authenticating website code is an image.
Preferably, said personal authenticating website code is an alphanumeric string.
Preferably, said personal authenticating website code is a combination of an image and an alphanumeric string.
Preferably, said decrypting key is a public key specific to the certification authority.
Preferably, said decrypting key is a public key which is given to the user beforehand.
Preferably, said decrypting key is associated with the certificate as sent from the website.
Preferably, the website Domain name, as accessed, which is saved at the user work station is saved within the user browser.
Preferably, the decrypted personal authenticating website code is displayed to the user only upon finding identity in said comparison of Domain name at said user station.
Preferably, the decrypted personal authenticating website code is displayed to the user in the toolbar portion of his browser.
Preferably, the decrypted personal authenticating website code that is displayed to the user in the toolbar portion of his browser can be enlarged by the user for better verification.
Preferably, the decrypted personal authenticating website code is displayed to the user in the content portion of his browser.
Preferably, said first personal client key is a username.
Preferably, the user receives a second personal client key from the website, which is submitted if and only if the website is found to be authentic.
Preferably, said second personal client key is a password.
Preferably, upon accessing the website, said first personal client key is submitted by the user to the website within a cookie.
Preferably, the method is embodied within a module which is an integral part of the user browser.
Brief Description of the Drawings
In the drawings:
- Fig. 1 is a block diagram, illustrating a first embodiment of the method of the present invention;
- Fig. 2 is a block diagram illustrating a second embodiment of the method of the present invention;
- Figs. 3a and 3b demonstrate an access to a bank site, including a visual verification of the website authenticity, wherein the PAWC is shown in both the browser toolbar and within the body section of the page; and
- Fig. 3c shows the embodiment of Fig. 3b, in which the PAWC is enlarged for better verification.
Detailed Description of Preferred Embodiments
The present invention enables a user to verify that the website he accesses is indeed authentic. Fig. 1 schematically illustrates the essence of the present invention. At a first preliminary stage 1, the user establishes a confidential agreement with the relevant website, for example, a specific bank website (hereinafter, a bank web-site is assumed), where the user receives 22 at least one personal client key 20 (such as a username, and optionally a password) and the website owner (or operator) receives 23 from the user at least one personal authenticating website code 21 (hereinafter, said personal authenticating website code will also be referred to briefly as PAWC). Such authenticating website code may be, for example, a specific image, preferably confidential, which is familiar to the user, a specific string of characters which is familiar to him, or any such combination of characters and an image familiar to the user.
Having the PAWC, at a second preliminary stage 2 the bank conveys 24 via a secured channel of any type the PAWC (which as said is specific to each user) to a certification authority, which is a third party being publicly known and accepted as reliable. Third party certification authorities are well known in the art, for example, Verisign, Digicert, etc.
The certification authority produces a certificate by encrypting 25 the PAWC and the authentic Domain name of the bank, and forming a certificate being a combined encrypted file 26 (the term "certificate" as used herein refers to a file which contains the PAWC and the website Domain name in an encrypted form). The encrypted file 26 can generally be decrypted by means of a public key specific to the certification authority, which the various users generally have, or can obtain within their browsers, or which may be associated with the said certificate. The certificate file 26 is then conveyed 27 back to the bank (as file 26a), and is stored 28 within storage 29. At this stage the system is ready for operation. Later on, and during operational stage 3, when the user wishes to access 30 the bank website, he does so in a conventional manner using his browser. For example, in one conventional manner the user types the bank Domain name at his browser, and presses "go". When doing so, the Domain name of the bank as typed and accessed is saved 31 within the browser or at the user's station.
Responsive to accessing 30a to the bank website, the bank returns 32 the bank homepage 33 to the user in a conventional manner. Then, the user types his username and sends 34 to the bank. Responsive to the username 34a, in step 35 the bank site retrieves 36, 36a from said storage 29 the encoded certificate that corresponds to the specific username 34a as typed, and sends 37a said specific certificate 37 to the user.
The certificate 37 (which as said carries the encoded user PAWC and the bank domain name) is decrypted 38 by the user browser in a conventional manner, using the public key of the certification authority (which as said may be within the user browser, or associated with the certificate itself). As previously said, a successful decryption of a certificate means that the certificate is authentic in the sense that it was sent by the entity supposedly sending it, and in the sense that its content is authentic. Said decryption 38 of the certificate 37 results in two separate elements: (a) the authentic user PAWC 39 (for example, said confidential image or string specific to the user as initially agreed); and (b) the authentic bank domain name 40 as decoded.
The decoded PAWC 39 is displayed 43 to the user for verification whether it is indeed the authentic PAWC 21 provided to the bank during the initial agreement. Simultaneously, the bank Domain name 31 as initially saved in the browser is compared 41 with the bank domain name 40 as decoded. Only if both the result conditions of: (a) the user verification 43 of the PAWC and (b) identity between the two, saved bank domain name 31a, and decrypted bank domain name 40 of step 41 are found to be met, the bank site is declared as authentic, and the user can submit his confidential password in step 45. Otherwise, the site is determined to be not authentic, and the user knows that he should not provide his confidential password.
In one embodiment of the invention, the PAWC is displayed to the user in step 43 if and only if identity of domain names is found in step 41. Otherwise, the PAWC is not displayed, and the bank site is designated as faked.
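The browser-side decision described above, for the embodiment in which the PAWC is shown only after the domain names match, can be sketched as follows. This is an added example, not code from the patent: the function names, the JSON certificate layout, the sample domains and PAWC string are assumptions, and a toy textbook-RSA signature over two Mersenne primes stands in for the certification authority's "encrypting" step.

```python
import hashlib
import json

# Toy certification-authority key: textbook RSA over two Mersenne primes.
# Stand-in for the CA key pair only; not a secure key or signature scheme.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the CA


def _digest(payload: bytes) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")


def ca_issue(pawc: str, domain: str) -> dict:
    """CA side (steps 25-26): bind the user's PAWC to the site's domain name."""
    payload = json.dumps({"domain": domain, "pawc": pawc}, sort_keys=True)
    return {"payload": payload, "sig": pow(_digest(payload.encode()), D, N)}


def normalize(domain: str) -> str:
    # Assumption: names are compared case-insensitively, ignoring a trailing dot.
    return domain.strip().lower().rstrip(".")


def browser_check(cert: dict, saved_domain: str) -> dict:
    """Browser side (steps 38-43): decide what may be shown to the user."""
    payload = cert["payload"]
    if pow(cert["sig"], E, N) != _digest(payload.encode()):
        return {"status": "bad-certificate", "pawc": None}
    fields = json.loads(payload)
    if normalize(fields["domain"]) != normalize(saved_domain):
        # Authentic certificate served from a different name: withhold the PAWC.
        return {"status": "domain-mismatch", "pawc": None}
    return {"status": "show-pawc", "pawc": fields["pawc"]}


def may_submit_password(result: dict, remembered_pawc: str) -> bool:
    """Step 45 gate: machine check passed and the user recognises the PAWC."""
    return result["status"] == "show-pawc" and result["pawc"] == remembered_pawc


if __name__ == "__main__":
    cert = ca_issue("blue-heron-4471", "bank.example")  # constructed sample values
    for typed in ("bank.example", "bank-login.example"):
        print(typed, browser_check(cert, typed))
```

The second case is the one the domain comparison exists for: a genuine certificate relayed by a site with a different name verifies against the CA key but never reaches the display step.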
In still another embodiment of the invention shown in Fig. 2, the initial access 30a of step 30 to the web site already includes submission 34 of the username within a cookie. The rest of the procedure is the same as before. The difference is that step 33 of the separate receiving at the user station of the homepage with the prompt for username submission is eliminated. The procedures of double verification, including the bank domain name comparison and the PAWC display for the user verification, are performed, together with the prompt for password submission, in a same stage at the user station.
Figs. 3a-3c demonstrate a secured access to a bank site according to an embodiment of the present invention. In response to the initial access by introducing the domain name (which, as previously said, may be authentic, or faked due to misleading of the user), the home page 202 of Bank-1 is displayed to the user as shown in Fig. 3a, including a request 201 for him to submit his ID, which may be, for example, his user name. After submission of the user ID to the Bank-1 site, another page 203 is provided from the Bank-1 site to the user, including a PAWC 60 (as in step 43 of Figs. 1 or 2), together with a prompt 206 for the user confidential password submission. The display of PAWC 60 may be, by itself, an indication to the user that the Domain name comparison (i.e., between the Bank-1 domain name as typed by the user and the Bank-1 domain name as decrypted from the certificate) has successfully verified the two as being the same (otherwise, the visual display of the PAWC may not be issued, and an alert for a faked site may be displayed by the browser instead). Now, the user can visually verify the authenticity of PAWC 60 (i.e., whether this is indeed the PAWC that was initially given to Bank-1). The request 206 for password submission is associated with an alert 207 to the user to perform the password submission if and only if the displayed PAWC is indeed the same as originally submitted by him to Bank-1. In the embodiment of Fig. 3b and 3c, the PAWC 60 is displayed within the browser toolbar area 61 and within the body section of the page, but this is an option, not a necessity. In still another option shown in Fig. 3c, the user may click on the PAWC image 60 of Fig. 3b, and enlarge it for a better visual verification.
As shown, the present invention provides a procedure which enables a user to reliably verify the authenticity of the website he accesses. The invention includes two means for verification:
(a) the first verification is generally a machine verification between the website Domain name as submitted to the browser, and between the website Domain name as included in the certificate; and
(b) the second verification is generally a visual verification of the PAWC by the user.
A hacker may be able to deceive the user to believe that a faked website is authentic only by succeeding in producing a faked certificate that contains in an encrypted manner: (1) the Domain name of the faked website, which must be identical to a link given to the user for access (generally by the hacker, for example within an email sent to him); and (2) a PAWC known to the user which is identical to the confidential PAWC that was given to the website during an initial agreement. Such a task is considered to be extremely hard for a hacker to perform: firstly, because he has to produce a faked certificate which can be opened by the certification authority public key, a task which is known in the art to be extremely hard; and, secondly, because the hacker has to obtain a copy of the confidential PAWC that the user has initially given to the website owner or operator. Performing even a single one of said tasks is considered extremely hard for a hacker, needless to say the performance of said two tasks.
Therefore, the present invention provides extremely secured means for a user to verify the authenticity of the website he accesses.
It should be noted that the invention as described above refers to comparison of a "domain name". As is known in the art, each domain name corresponds to an IP address. Therefore, the invention as described may be similarly carried out by means of comparing the IP address, the domain name, or a combination thereof.
The method of the present invention is preferably formed as an integral part of the user browser.
While some embodiments of the invention have been described by way of illustration, it will be apparent that the invention can be carried into practice with many modifications, variations and adaptations, and with the use of numerous equivalents or alternative solutions that are within the scope of persons skilled in the art, without departing from the spirit of the invention or exceeding the scope of the claims.

Claims

1. Method for the authentication of a website to users comprising the steps of:
a. Establishing an agreement between each user and a website owner where each user receives from the website owner at least a first personal client key and the website owner receives from each user at least one personal authenticating website code;
b. Conveying said personal website authenticating code of each user to a certification authority, and producing by said authority a personal certificate containing in an encrypted form said personal authenticating website code and the Domain name of said website;
c. Conveying each of said certificates back to said website, and storing the certificates in a storage;
d. Upon accessing the website, submitting by the user the first personal client key, and saving the website Domain name as accessed at the user work station for later comparison;
e. Having received said first personal client key, extracting by the website the personal certificate that corresponds to said user, and sending same to the client together with the website home page;
f. Having received the personal certificate at the user station, decrypting the certificate by means of a decrypting key;
g. Comparing the website Domain name as decrypted from the received certificate with the website Domain name as saved at the user station, and providing identity indication to the user;
h. Verifying by the user that the personal authentication website code is indeed the one submitted by the user to the website owner at said agreement;
i. Concluding by the user that the website is indeed authentic only if both (a) said comparison of Domain name indicates identity; and (b) said verification of personal authenticating website code shows identity.
2. Method according to claim 1, wherein said personal authenticating website code is an image.
3. Method according to claim 1, wherein said personal authenticating website code is an alphanumeric string.
4. Method according to claim 1, wherein said personal authenticating website code is a combination of an image and an alphanumeric string.
5. Method according to claim 1, wherein said decrypting key is a public key specific to the certification authority.
6. Method according to claim 1, wherein said decrypting key is a public key which is given to the user beforehand.
7. Method according to claim 1, wherein said decrypting key is associated with the certificate as sent from the website.
8. Method according to claim 1, wherein the website Domain name, as accessed, which is saved at the user work station is saved within the user browser.
9. Method according to claim 1, wherein the decrypted personal authenticating website code is displayed to the user only upon finding identity in said comparison of Domain name at said user station.
10. Method according to claim 1, wherein the decrypted personal authenticating website code is displayed to the user in the toolbar portion of his browser.
11. Method according to claim 10, wherein the decrypted personal authenticating website code that is displayed to the user in the toolbar portion of his browser can be enlarged by the user for better verification.
12. Method according to claim 1, wherein the decrypted personal authenticating website code is displayed to the user in the content portion of his browser.
13. Method according to claim 1, wherein said first personal client key is a username.
14. Method according to claim 1, wherein the user receives a second personal client key from the website, which is submitted if and only if the website is found to be authentic.
15. Method according to claim 1, wherein said second personal client key is a password.
16. Method according to claim 1, wherein upon accessing the website, said first personal client key is submitted by the user to the website within a cookie.
17. Method according to claim 1, which is embodied within a module, which is an integral part of the user browser.
PCT/IL2007/000042 2006-01-12 2007-01-11 Method for authenticating a website WO2007080588A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IL173128 2006-01-12
IL173128A IL173128A0 (en) 2006-01-12 2006-01-12 Method for authenticating a website

Publications (2)

Publication Number Publication Date
WO2007080588A2 true WO2007080588A2 (en) 2007-07-19
WO2007080588A3 WO2007080588A3 (en) 2009-04-16

Family

ID=38256710

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2007/000042 WO2007080588A2 (en) 2006-01-12 2007-01-11 Method for authenticating a website

Country Status (2)

Country Link
IL (1) IL173128A0 (en)
WO (1) WO2007080588A2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11689370B2 (en) 2019-06-04 2023-06-27 The Toronto-Dominion Bank Dynamic management and implementation of consent and permissioning protocols using container-based applications

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106453207B (en) * 2015-08-07 2021-01-29 北京奇虎科技有限公司 Advertisement material data website verification method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020023059A1 (en) * 2000-01-14 2002-02-21 Bari Jonathan H. Method and system for secure registration, storage, management and linkage of personal authentication credentials data over a network
US20050166262A1 (en) * 2001-10-12 2005-07-28 Beattie Douglas D. Methods and systems for automated authentication, processing and issuance of digital certificates
WO2006056990A2 (en) * 2004-11-25 2006-06-01 The Wow Effect Ltd. Method for authenticating a website
US20060200855A1 (en) * 2005-03-07 2006-09-07 Willis Taun E Electronic verification systems
US20070067620A1 (en) * 2005-09-06 2007-03-22 Ironkey, Inc. Systems and methods for third-party authentication

Also Published As

Publication number Publication date
WO2007080588A3 (en) 2009-04-16
IL173128A0 (en) 2006-06-11

Similar Documents

Publication Publication Date Title
US8079082B2 (en) Verification of software application authenticity
US10586229B2 (en) Anytime validation tokens
US8661520B2 (en) Systems and methods for identification and authentication of a user
US7548890B2 (en) Systems and methods for identification and authentication of a user
US20090293111A1 (en) Third party system for biometric authentication
US20040254890A1 (en) System method and apparatus for preventing fraudulent transactions
US9847874B2 (en) Intermediary organization account asset protection via an encoded physical mechanism
US20080028475A1 (en) Method For Authenticating A Website
WO2001082036A2 (en) Method and system for signing and authenticating electronic documents
WO2012071498A2 (en) Securing sensitive information with a trusted proxy frame
JP2000222362A (en) Method and device for realizing multiple security check point
JP2002517036A (en) Method and system for transaction security in a computer system
WO2008127431A2 (en) Systems and methods for identification and authentication of a user
US20120221862A1 (en) Multifactor Authentication System and Methodology
KR20000047650A (en) Method and apparatus for enhancing remote user access security for computer networks
US20180167202A1 (en) Account asset protection via an encoded physical mechanism
JP4845660B2 (en) Login processing apparatus, login processing system, program, and recording medium
JP2000029841A (en) Impersonation prevention method/device
WO2007080588A2 (en) Method for authenticating a website
KR20130048532A (en) Next generation financial system
AU2015200701B2 (en) Anytime validation for verification tokens
EP1547298B1 (en) Systems and methods for secure authentication of electronic transactions

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07700734

Country of ref document: EP

Kind code of ref document: A2