Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1999-02-12
2001-03-27
Beausoliel, Jr., Robert W. (Department: 2785)
C380S029000
active
06209102
ABSTRACT:
BACKGROUND OF THE INVENTION
In a computer environment, access to a transaction (e.g., obtaining secret data kept on a computer, ordering a good or service via the computer, or accessing funds at an automatic teller machine (ATM) or point of sale (POS)) is usually protected by a personal identification number (PIN), a password, or other access code. When the user wishes to conduct the transaction, he types in his access code, and is allowed access (e.g., via an access control module) if the entered value correctly matches a stored value. A typical piece of data that is protected in this way is a user's private key, which can constitute a user's identity over the Internet or some other system that uses public key cryptography for user identification. If an attacker can get access to this private key, he can impersonate the user, read information intended to be private to the user, and conduct still other electronic transactions in the user's name.
An attacker might gain access to the user's computer physically, or do so electronically by loading a virus onto the user's computer. In either case, the attacker can then install a program that collects, and saves to a file, all the keystrokes that the user types on his keyboard. This file can be retrieved later, either via physical access to the machine or over a network, allowing the attacker to deduce the access code by examining the user's keystrokes. Besides keyboard entry, the access code could also be entered by selecting, via a mouse, digits or letters (more generally, characters) from a predetermined pattern of user-selectable fields (e.g., a visual representation of a telephone, typewriter, or calculator keypad) displayed on a graphical user interface (GUI). In this scenario, the attacker could obtain information about the access code by capturing the locations (e.g., x- and y-coordinates) of mouse clicks and using them to deduce the characters indicated, since the locations of all possible characters on the interface occur in a known and fixed pattern (e.g., on a telephone-style keypad: Row 1=1, 2, 3; Row 2=4, 5, 6; Row 3=7, 8, 9; and Row 4=*, 0, #).
Even where the locations of all the alphanumeric characters are not known, an attacker could still deduce the access code when an initial state of the character fields is known. For example, consider simulating and displaying an in-line combination lock having an initial state of 0-0-0. The user then uses mouse clicks to turn the wheels (tumblers, rings, etc.) of the lock to input his access code. When the digits of the proper combination are all aligned in their proper positions, the lock “opens” (i.e., grants the user access to the desired transaction). An attacker knowing the initial state and the history of the mouse clicks could determine the access code by using the history as an offset from the initial state.
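The offset deduction described above for the combination lock, as an added example that is not part of the patent text. The click encoding (wheel index plus a +1/-1 step), the three-wheel lock and the sample code 4-7-2 are constructed assumptions, and the unknown-start case is added only to contrast with the known 0-0-0 start.

```python
# Constructed model of the on-screen in-line combination lock in the text.
# A click is (wheel_index, step): +1 turns that wheel up one digit, -1 down.
from itertools import product

WHEELS = 3  # assumption: three wheels, digits 0-9


def net_offsets(clicks, wheels=WHEELS):
    """Net rotation per wheel (mod 10): all that a click history reveals."""
    offsets = [0] * wheels
    for wheel, step in clicks:
        offsets[wheel] = (offsets[wheel] + step) % 10
    return tuple(offsets)


def final_state(initial, clicks):
    """Digits displayed after applying the clicks to a given start state."""
    offs = net_offsets(clicks, len(initial))
    return tuple((d + o) % 10 for d, o in zip(initial, offs))


def candidate_codes(clicks, known_initial=None, wheels=WHEELS):
    """Codes consistent with a captured click history.

    With a known start state the history pins down exactly one code.
    With an unknown start state every start is possible, so the same
    history is consistent with every code of that length.
    """
    if known_initial is not None:
        return {final_state(known_initial, clicks)}
    starts = product(range(10), repeat=wheels)
    return {final_state(s, clicks) for s in starts}


def clicks_for(initial, code):
    """Clicks a user makes to reach `code` from `initial` (upward turns only)."""
    return [(w, +1)
            for w, (i, c) in enumerate(zip(initial, code))
            for _ in range((c - i) % 10)]


if __name__ == "__main__":
    code = (4, 7, 2)                       # constructed sample access code
    history = clicks_for((0, 0, 0), code)  # what a click logger would record
    print("known 0-0-0 start :", candidate_codes(history, (0, 0, 0)))
    print("unknown start     :", len(candidate_codes(history)), "candidates")
```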
All of the foregoing shows that there is a need for protecting a user's PIN, password, or other access code, from disclosure to an attacker who, directly or indirectly, obtains the sequence of characters inputted by a user to gain access to a transaction.
REFERENCES:
patent: 5276314 (1994-01-01), Martino et al.
patent: 5428349 (1995-06-01), Baker
patent: 5682475 (1997-10-01), Johnson et al.
patent: 5821933 (1998-10-01), Keller et al.
patent: 5919091 (1999-07-01), Bell et al.
patent: 6016504 (2000-01-01), Arnold et al.
Arcot Systems, Inc.
Beausoliel, Jr. Robert W.
Beyers Robert B.
Skadden, Arps et al.
Yang Joseph