Encryption by Keys Generated from Secret Info (Infringed)
[Category : - SOFTWARES]
Description:
This IP was developed by an independent solo inventor who has been an active, self-funded researcher in the field of information security for the past 12 years. It pertains to information security, more specifically encryption.
The portfolio consists of the following assets:
- 3 Issued US Patents (7522723, 8023647, 8831214)
- 1 Issued Canadian Patent (CA 2657743)
The IP relates to information security and in particular to password security, a concern for all of us in our daily professional and personal life.
Importance:
This IP relates to an advanced encryption technique titled “Password Self Encryption Method and System and Encryption by Keys Generated from Personal Secret Information”. It is highly significant for the passwords that we use several times a day in our professional and personal life. It solves two of today’s burning problems in password security on the Internet and further offers a handful of advantages in fortifying password security.
The two burning problems mentioned above are key-spoofing and key-compromise attacks, which to date have no purely technical solution. The only way that Internet portals, websites and online businesses can defend against key-spoofing attacks is through proper user education. However, educating thousands of users or customers is impractical, costly and time consuming. Similarly, private-key compromise attacks are very damaging for online businesses: if the private key of a server is compromised, all passwords can be trivially decrypted by a man-in-the-middle attacker.
Password Self Encryption (PSE) is an advanced, more secure, patented encryption technique for encrypting passwords in which a password is encrypted by itself, rather than by a key that is in no way related to the password. In detail, it is a cryptographic system and method that survives spoofing and factoring attacks on the encryption keys used to encrypt passwords or any other predefined personal secret information. One or more embodiments of this invention also enable digital certificates for customers without issuing large, unmemorable numeric keys, thereby achieving non-repudiation. PSE protects every password under a separate security shield, meaning that even if the private key corresponding to a particular password is compromised, the security of the remaining passwords is unaffected. Further, dependency on certifying authorities for confirming the authenticity of encryption keys is eliminated. Another great advantage is that RSA encryption can continue to be used for the passwords of existing users of a web application even if the cryptosystem is broken in future by a trivial factorization technique for large numbers.
Password Self Encryption offers the following important features and multiple benefits over present-day password encryption methods:
1. Defeats Spoofing attacks on public keys
2. Defeats factoring attacks on encryption keys should future developments in processing technology make them a real threat
3. Protects every password under a separate shield as opposed to protecting all passwords under a common shield as it is practiced today.
4. Eliminates dependency on certifying authorities for keys
5. Enables implementation of digital signatures without private keys for users
6. Provides two-way communication security
7. Is compatible with virtually all other hardware and software security techniques and products, including every known login application currently existing on the internet
8. Is user transparent and easy to implement, requiring no additional servers, domains, databases or administrators
For more details and a description of various aspects of this IP, please refer to the FAQs at the end of this document. Also refer to the research paper published in the CSC (Computer Security Conference) 2008 proceedings and the PPT presentation given at the conference for technical details of the IP.
Relevance:
Information security companies may utilize this IP to enhance their product portfolio, thereby increasing their revenues. E-commerce merchants may enhance the security of their online purchase transactions, thereby protecting their customers’ credit card information. Internet browser companies may implement this new encryption technique at the browser level and improve the security rating of their browser. The IP will be very useful to financial institutions, banks and brokerage companies in augmenting the security of their customers’ online transactions. Email and chat application providers may boost the security of their users’ login credentials. Social networking sites may fortify the security of the accounts of their millions of users. Further, the IP will greatly strengthen the security of payment gateways. Similarly, online auctioneers, domain registrars, web hosting companies, government organizations, health care providers, insurance companies, and in general any website or portal that provides a login page for its users will require this IP to protect their customers and users from man-in-the-middle attacks and key spoofing attacks today, and from factoring attacks in future.
In particular, this IP is of great relevance to the following companies:
Information Security and other IT companies such as the following:
Verisign
Microsoft
EMC
Symantec
Cylink/safenet
Trend Micro
Pointsec
Checkpoint
Hitachi data systems
RIMM
Micron
IBM
HP
Broadvision
Oracle
Alcatel/lucent
Intel
AOL
Rovi Corp
Verizon
Thomson Reuters
Email and chat facility providers such as Gmail, Hotmail, Yahoo
Financial institutions, banks and brokerage companies such as Bank of America, Wachovia, Chase Manhattan, JP Morgan
Internet Browser providers such as Microsoft, Google, Mozilla/Firefox, Netscape, Safari, Opera
E-commerce merchants such as Amazon
Online auction companies such as Ebay
Healthcare and insurance companies
Domain Registrars and Webhosting companies such as Godaddy, Moniker
Payment Gateways such as Paypal, Google Pay
Government organizations for whom online security is a concern
Social Networking sites such as Facebook, Twitter, MySpace, Orkut, LinkedIn
Any website or internet portal that provides a user login screen
Frequently Asked Questions about the Patented Technology:
1. What is a public key spoofing attack?
When a password is encrypted on any login page, the public key is passed from its server to the client. During its passage on the Internet, one can intercept it in the middle and replace it with a fraudulent public key. Unaware of the incident, a user encrypts his password with the fraudulent public key and delivers the password cipher to the server. The attacker in the middle again intercepts the cipher and decrypts it with his fraudulent private key which matches with the fraudulent public key.
2. How does Password Self Encryption defeat spoofing attacks ?
The Password Self Encryption technique uses a function of the password itself as the RSA public key exponent “e”, together with a key modulus “n” that is selected before computing the private key exponent. When a user authenticates to a server through a login page, the server passes only the key modulus “n”; the public key exponent “e” is derived in the login page on the user’s machine from the password entered by the user. Therefore, an attacker in the middle can at most spoof the key modulus. When the attacker intercepts the returned password cipher, he will be unable to decrypt it unless he cracks the password, which is necessary to compute the private key exactly matching the public key exponent, thereby defeating the spoofing attack. For more technical details see the patent specification.
3. But are spoofing attacks really that big a problem? Phishing attacks, a form of spoofing attacks, have been well publicized and are generally well known and avoided by almost all businesses and most consumers. So just how big a threat do institutions other than consumer-facing businesses consider spoofing to be?
Phishing (website spoofing) is not a serious threat for institutions and their contractors because most of them are sufficiently aware of phishing emails. However, key spoofing attacks are still a big threat even for institutions and their contractors because these attacks are non-transparent and not explicitly visible to users. Key spoofing attacks occur in the background without the user’s knowledge.
Four years ago, hardly anyone knew of man-in-the-middle (spoofing) attacks. Later, when a research group launched such an attack and demonstrated how it works, it surprised even many domain experts. Now the industry knows about it and is seriously concerned. “Key spoofing attack” is becoming an established term as people come to understand the attack and its financial implications. Password Self Encryption should become the standard technology to totally defeat such attacks.
4. What is a factoring attack?
Although not currently a threat, factoring attacks could conceivably break RSA public key encryption in the future should more powerful processing methods be developed (i.e., more powerful processors, parallel processing, quantum computers). The RSA public key consists of two numbers “e” and “n.” “e” is known as the key exponent, and “n” as the key modulus. If one can factorize “n” into two primes, he can trivially compute the private key “d” and thereby decrypt any password that the public key encrypts.
5. How does Password Self Encryption defeat factoring attacks?
Once an attacker factorizes the RSA key modulus “n” into its primes “p” and “q,” he can find the Euler totient function “ø” and thereby trivially compute the private key “d” from the knowledge of the public key exponent “e” such that: ed = kø + 1. Fortunately, the Password Self Encryption technique uses a function of the password itself as the public key exponent, which is programmatically derived in the login page on the user machine once a user enters his password. Since the public key exponent is not passed from server to the client, the attacker lacks the knowledge of it and thereby fails to compute the private key to satisfy the equation ed = kø + 1 even though he has knowledge of “ø.”
6. What is meant by “protecting every password under a separate shield” ?
Today every web site or portal holds a single public and private key pair. All passwords are encrypted by the same public key and decrypted by the same private key, that is, all passwords are protected under a single security shield. Unfortunately, if the private key is compromised or cracked, all passwords can be trivially decrypted from their ciphers.
On the other hand, Password Self Encryption uses a separate public and private key pair for each password. Even if the key of a particular password is compromised or cracked, it makes no difference for the remaining passwords, meaning every password is individually protected under its own security shield, a feature very useful for banks and financial institutions with several thousand passwords.
7. How can this technique eliminate dependency on certifying authorities?
Certifying authorities certify the public key of a web server or website so that the password owner can identify the key as really belonging to the server or website on which he is trying to log in. This is an essential requirement for online logins because in conventional RSA or ECC encryption the public key is randomly selected and its identity cannot be established without a reliable third-party certification.
Since Password Self Encryption uses a function of the password itself as the public key exponent, there is no need to certify one’s own password as belonging to one’s self. However, since the key modulus n is not generated in the login page on the user machine and it is passed from server to the user machine, a wrong server may impersonate the actual server with a fraudulent n value, if it is not certified. But fortunately a password encrypted with a fraudulent n value cannot be decrypted successfully without cracking the password, thereby eliminating the need for key certification.
8. How can this technique enable digital signatures without private keys for users?
Today, every user needs to have his own private key to digitally sign his messages. A digital signature ascertains to the message recipient that the message was really sent by the user himself who is believed to have sent it. Digital signatures are necessary and very useful in online transactions and communication, especially for banks and financial institutions. However, implementing digital signatures for millions of customers involves a lot of cost and maintenance overhead. Also, every user needs to carry his private key in an electronic medium, which is difficult from a practical standpoint.
The Password Self Encryption technique enables the password to be used as a private key as it is a shared secret between its owner and the server. Passwords are memorized at the time of login and need not be carried in any electronic medium, which is a significant advantage for today’s online businesses. A user digitally signs his message with his password and the key modulus that corresponds to the password. On the other side, the server verifies his signature with the private key exponent that corresponds to that particular password. Others cannot mimic the digital signature and impersonate the user unless the password is cracked.
9. How is it possible to achieve two-way communication security through Password Self Encryption?
Public key encryption actually provides only one-way security. That is, only messages passing from client to the server are secured. Messages delivered from server to the client are not secured, because messages encrypted by the server’s private key can be decrypted by anyone as no confidentiality of the public key is maintained.
However, since Password Self Encryption uses the password as the public key on the client side, messages from the server to the client can be encrypted with the private key and decrypted on the client side by the password, which is still confidential and not disclosed to the public, thereby ensuring two-way communication security.
10. Today, passwords are encrypted with on-the-fly encryption keys wherein the key is changed for every login. In what way is Password Self Encryption better than this technique?
On-the-fly dynamic public keys are not immune to spoofing attacks. They are as vulnerable as static public keys. This is because when a man-in-the-middle intercepts and replaces a public key with a fraudulent public key, an on-the-fly key does not provide any extra defense mechanism. It takes the same effort for the attacker to intercept the public key and decrypt the password cipher.
11. How secure is Password Self Encryption?
Mathematically, Password Self Encryption is built upon and is as secure as the present day RSA encryption methods. Further, it defeats spoofing attacks and factoring attacks on public keys, which is not possible with the conventional password encryption by a common public key for all passwords.
12. Encryption keys should be at least 128 bits long as per industry standard. However, a password is a small data chunk roughly 50 bits long falling much shorter than 128 bits. How then can Password Self Encryption be as strong as conventional password encryption?
As discussed earlier, the RSA public key consists of two numbers, “e” and “n.” The actual strength of an RSA key against factoring attacks lies in the key modulus “n,” not in the public key exponent “e.” The larger the key modulus “n,” the longer it takes to factorize it. Even in the Password Self Encryption method, “n” is chosen to be 128 bits or more depending upon the user’s choice. Only the public key exponent “e” is chosen to be a function of the password. The public key exponent can even be a number as small as 3. Hence, the size of password doesn’t really matter to the strength of the encryption.
13. Is Password Self Encryption a Snake Oil product? Every day researchers propose many new encryption algorithms, and it takes several years for the industry to prove and realize their strength and stability. Initially, though every new encryption algorithm seems strong and unbreakable, new attack types become identified and come into the public knowledge in the course of time, which could break the algorithm and leave it useless. How can the Password Self Encryption technique be trusted and implemented with user confidence?
The Password Self Encryption technique does not use any new, unproven public key encryption algorithm. At its core lies the popular, deeply researched and well-proven RSA encryption algorithm. The only difference is that the RSA algorithm is customized to encrypt a password by a function of itself. RSA encryption is more than 20 years old and has withstood various kinds of attacks since its invention. Therefore, Password Self Encryption remains strong enough and keeps defeating attacks as long as RSA is safe. Moreover, Password Self Encryption will keep passwords safe even in the event that the RSA algorithm is broken at some point in the future, even though that is not a realistic threat at this time. Even if the RSA algorithm is broken in the future by a trivial factoring technique, passwords cannot be trivially decrypted. After successfully factoring the RSA key modulus into its primes, an attacker needs to know the password to crack the password, which is a paradoxical situation for the attacker.
14. How can the Password Self Encryption technique defeat a chosen plain text attack or specifically a chosen password attack in this case?
A password used as a public key exponent is not a concern for the strength of its encryption because, as already discussed, the strength of a key lies only in its modulus, not in its exponent. However, a chosen-plaintext attack becomes a concern if the text being encrypted is small in length compared to the key modulus. In this particular case, since the text being encrypted is a password, the attack may be specifically termed a chosen-password attack. It can be defeated through the same conventional tactic of random padding that the RSA method uses to overcome chosen-plaintext attacks. Random padding appends random bits to a password until it reaches the size of the key modulus. The cipher of a randomly padded password requires an attacker to perform as many encryptions as a text the size of the key modulus would, thereby fully exploiting the key strength.
15. What if two or more users happen to select the same password? What happens then?
The number of web application users is ever increasing due to the growing dependency of people on the Internet for communication, consequently resulting in more password duplication among users. However, this is not an issue for implementing Password Self Encryption. While the same password entered by two different users results in the same public key exponent, the private key exponent and modulus are naturally chosen to be different, as discussed earlier.
16. What about SSL, which works with the HTTPS protocol?
SSL is not capable of defeating spoofing (man-in-the-middle attacks) on keys. It only defeats attacks from within the protocol (defeating them only if someone catches the cipher and tries to decrypt it). This is a proven fact and widely discussed on the net.
17. How compatible and/or complementary is Password Self Encryption with other security technologies and techniques, including password management systems?
Using Password Self Encryption with existing conventional public key encryption technologies such as RSA and ECC offers significant security improvement to web authentication. It also works well with all known popular password security and management software, such as single sign-on software packages and techniques. Password Self Encryption also works well on top of secure hardware-based one-way data transfer systems that are growing in favor with the government and military.
18. How about alphanumeric tokens that defeat automatic login attacks? This technique is characterized by a user who is logging into or registering on a website having to re-enter some case-sensitive alphanumeric sequence generated in response to his log-on attempt. Although these sequences are usually graphically altered to make machine reading difficult, the literature says that hackers continue to develop ever more sophisticated (mostly neural net) hacking software to successfully read and re-enter such sequences. Thus the industry is quite concerned that this security technique will be compromised shortly, if it hasn't been already. How does Password Self Encryption help here?
Password Self Encryption defeats this kind of machine login attack. As already said, the password that one enters in a login page is not submitted as is. It is encrypted first on the logger's machine and only the cipher is submitted to the server. Yet this is not a big deal for automatic machine login hackers. They also do the same thing. Instead of submitting guessed plain passwords, they submit password ciphers resulting after encryption by the server's public key. As a server's public key is publicly revealed and certified, hackers know it trivially and use it to encrypt the guessed passwords whose ciphers are submitted to the server to try unauthorized access. If a guessed password happens to be an actual password, decryption will result in the same plain password and allows access to the web application.
However, in the case of Password Self Encryption, remember that the public key is not a single fixed key for all users. The public key is different for each user. The public key modulus pertaining to that particular user is brought from the server to the user’s machine, while the exponent is derived (calculated) on the user’s machine itself from the plain password entered by the user. In reality this process happens in two steps, although it appears as a single step in Password Self Encryption. When a user enters his user id and password and clicks the submit button, only the user id is submitted to the server, while the password is retained in the login page. The server retrieves the public key modulus of that particular user and returns it to the user’s machine, on which the plain password is already entered; the cipher produced by encryption is then submitted to the server along with the user id again. This is achieved through AJAX techniques using DHTML and JavaScript functions, as clearly described in the patent specification. So Password Self Encryption defeats automatic machine login attacks, since the attacker is not in a position to compute ciphers for all guessed passwords: the key moduli are different for all passwords and are not readily available in the attacker’s program (software) to compute their ciphers. Thus Password Self Encryption defeats automatic machine logins without the help of any graphic alphanumeric sequences.
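The registration, two-step login, padding and password-based signature flows described in FAQs 2, 5, 8, 14, 15 and 18 above, as an added Python illustration that is not the patent's or the inventor's code. The password-to-exponent function, the padding layout, the server-side verifier and the home-grown prime generator are assumptions, since the page leaves them unspecified, and the key sizes are toy-sized.

```python
"""Toy model of the Password Self Encryption (PSE) login and signature flow.  Constructed
example: f(password), padding layout, stored verifier and key sizes are assumptions."""
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def password_to_exponent(password: str) -> int:
    """Assumed f(password): 64 bits of SHA-256 forced odd; client-only, never sent (FAQ 2)."""
    return int.from_bytes(hashlib.sha256(password.encode()).digest()[:8], "big") | 1

@dataclass
class ServerRecord:
    n: int            # per-user modulus, the only key material sent to the client
    d: int            # per-user private exponent, never leaves the server
    salt: bytes       # salted verifier so the server can check the recovered
    verifier: bytes   # password (assumed detail, not described on the page)

def make_verifier(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

def register(password: str, bits: int = 128) -> ServerRecord:
    """Pick p, q for THIS user until gcd(e, phi) == 1, then keep (n, d).  Two
    users with the same password still get different n and d (FAQ 15)."""
    e = password_to_exponent(password)
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            salt = secrets.token_bytes(16)
            return ServerRecord(p * q, pow(e, -1, phi), salt, make_verifier(salt, password))

def client_encrypt(password: str, n: int) -> int:
    """Login step 2 (FAQ 18): the client got only n, derives e from the typed password,
    pads (FAQ 14) and encrypts.  Assumed layout: length byte || password || random bytes."""
    pw = password.encode()
    total = (n.bit_length() - 1) // 8      # whole bytes that stay strictly below n
    if len(pw) + 1 > total:
        raise ValueError("password too long for this modulus")
    padded = bytes([len(pw)]) + pw + secrets.token_bytes(total - 1 - len(pw))
    return pow(int.from_bytes(padded, "big"), password_to_exponent(password), n)

def server_check_login(rec: ServerRecord, cipher: int) -> bool:
    """Decrypt with d, strip the padding, compare against the verifier."""
    total = (rec.n.bit_length() - 1) // 8
    try:
        padded = pow(cipher, rec.d, rec.n).to_bytes(total, "big")
        recovered = padded[1:1 + padded[0]].decode()
    except (OverflowError, UnicodeDecodeError):
        return False   # a wrong password or a substituted modulus yields garbage
    return hmac.compare_digest(make_verifier(rec.salt, recovered), rec.verifier)

def client_sign(password: str, n: int, message: bytes) -> int:
    """FAQ 8: the user signs with the password-derived exponent, no private key issued."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, password_to_exponent(password), n)

def server_verify_signature(rec: ServerRecord, message: bytes, sig: int) -> bool:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % rec.n
    return pow(sig, rec.d, rec.n) == h
```

Only `n` crosses the wire in this model; a login with the wrong password, or a signature over a different message, fails on the server side without the server ever seeing `e`.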
19. Where is Password Self Encryption useful and what are its applications?
Virtually everywhere. The more valuable or critical the data being transmitted, the more value Password Self Encryption provides. Wherever a login page is present on the Internet, from a small website storing a few hundred passwords to huge portals storing millions of passwords such as major banks, brokerages, general financial institutions, healthcare, insurance, government, defense and many other commercial and institutional sites, and of course consumer sites such as Hotmail, Gmail, Yahoo, YouTube, Facebook, Ebay, Amazon etc. Further, Password Self Encryption is highly recommended for hosting providers and domain registrars who need strong user authentication in order to control access to their user accounts.
20. What would be the market potential of this new technology?
The market potential is tremendous since there are millions of websites and portals on the Internet using login pages for user authentication. Since the technology is patented in USA, Canada and Australia many licensing opportunities would arise, particularly from these countries. Revenues can be generated even from other countries through product sales, consulting services and project execution.
Likely user industries/market segments include banks, financial institutions, e-commerce merchants, email providers, social networking portals, hosting providers, domain registrars, and in general, any website that has a login page for authentication. Password Self Encryption promises to become a de facto standard like https in the future for web application authentications, which could earn significant revenues for the technology.
21. Can infringement (that is, unauthorized use of the patent) be detected if Password Self Encryption algorithms are embedded in, say, a financial institution's password and login software? If so, how easily?
Detecting infringement is so easy and straightforward that it does not require any access to the infringer’s web server or back end systems. Infringement can be detected just by looking at the source code of the login page, which is publicly accessible. Suppose you want to verify if a financial institution is infringing the technology, you only need to access its login web page in your browser, open the source code through view/source option in your browser menu bar, and check to see if the code uses any function of the password and applies it as the public key exponent. This client-side coding should be done in a scripting language like JavaScript, VB Script, PHP etc. Whatever the scripting language that is used, it will be very easy to detect the password-to-exponent conversion function, because the mathematical code syntax is mostly language independent and looks more or less the same in all languages. Fortunately, detection of infringement does not involve any cost, such as legal procedures seeking a court order to access the infringement suspect’s web server and its application code.
22. How is Password Self Encryption superior to Extended Validation (EV) certificates?
While Extended Validation (EV) certificates defeat spoofing attacks on key certificates, working at a farther level, Password Self Encryption defeats spoofing attacks on the key itself, working at the core level, which is a more robust and practical solution from the implementation viewpoint.
Implementing EV certificates is not a straightforward technical job. It requires new client software to be generated. Further, it requires CAs to personally verify the physical existence of the company, firm or individual at the address given. EV certificates could be achieved by relying on the government. Unfortunately that is not practically feasible, as there are millions of e-commerce businesses using keys, spread all over the world. To what extent could the local governments of non-US states afford to meet this requirement, and would they be interested in doing so? Even if it is theoretically possible, the cost of an EV-certified key, compared to the few dollars of the conventional keys available today, would not be affordable.
Financial information: Looking for outright sale
Copyright PatentAuction.com 2004-2017