Us20140380431 Patent: COMPUTER IMPLEMENTED METHOD TO PREVENT ATTACKS AGAINST AUTHORIZATION SYSTEMS AND COMPUTER PROGRAMS PRODUCTS THEREOF
1 like16,041 views
The document describes a patent application for a computer-implemented method and products aimed at preventing attacks on authorization systems. The method involves controlling user access and establishing a dual channel verification, reducing the time of exposure for operations and using a secondary server for verification. The invention addresses security weaknesses in authentication and authorization processes to enhance overall security against various attacks.
![US 2014/0380431A1
COMPUTER IMPLEMENTED METHOD TO
PREVENT ATTACKS AGAINST
AUTHORIZATION SYSTEMS AND
COMPUTER PROGRAMS PRODUCTS
THEREOF
FIELD OF THE ART
[0001] The present invention is directed, in general, to
authentication and authorization systems, and more particu
larly to a computer implemented method and computer pro
gram products to prevent attacks against authorization sys
tems in which the access to different resources and actions
de?ned for a user are controlled.
BACKGROUND OF THE INVENTION
[0002] In recent years, web fraud detection market has
increased considerably, so innovation in authentication and
authorization processes has become of great importance.
[0003] The increasing complexity ofapplications has ledto
the adoption of many security techniques increasingly
sophisticated. One ofthe classi?cations that can be proposed
for the study ofthese security techniques allows distinguish
ing between authentication solutions and authorization solu
tions. The authentication techniques are designed to verify a
person is the one who claims to be. In order to add more
reliability in verifying that actually a person corresponds to
the identity that is being checked, many alternative authenti
cation schemes can be taken or the number offactors to build
this authentication can be extended.
[0004] There are many solutions designed to strengthen the
authentication processes and, by extension, to fortify the
authorization processes. Once users have been securely iden
ti?ed, there are authorization schemes that allow ?exibility
and robustness in assigning permissions to users to ensure
secure access to system resources. However, there are threats
which cannot yet be thwarted by adopting any ofthe existing
schemes for the authentication/authorization, orthis adoption
is too expensive to afford it. These threats directly affect the
way the access to speci?c resources is performed. A method
to address these threats involves the designing of brand new
security mechanisms. These mechanisms must guarantee that
once the identity of a user has been veri?ed and the level of
authorization to a resource for this user has been checked, the
actions taken by the user of that resource are not intercepted
and modi?ed by any attacker.
[0005] In any authorization model different techniques that
facilitate access to various system resources are included. The
user role information, the access control data provided when
the user is authenticated, are examples ofinformationthat can
be used to determine whom to give access to what resources
and how this access has to be guaranteed. Ultimately, deter
mining what should be accessed by the users, will be speci?ed
for each application. For this reason, sometimes it will be
dif?cult to provide a general authorization scheme. It will be
necessary to de?ne an application-speci?c logic to determine
what users can access and how they would perform these
accesses. From this idea, there are many solutions that pro
pose secure and ?exible schemes for the implementation of
the authorization. In all these solutions, the security must be
guaranteed by the correct selection of the authentication
mechanism and a correct implementation of the selected
authorization scheme.
[0006] Some ofthe solutions provide ?exibility by de?ning
their own SDK to encourage the use of their schemes for
authentication/authorization. Today, most of the SDK are
based on concepts introduced by OAuth and do not suppose a
Dec. 25, 2014
risk by themselves. This applies to Microsoft Live Connect,
Facebook PHP SDK and Windows 8 SDK Authentication
Broker. Ifthey exist, the threats should come from a de?cient
use of these SDK. In fact, regardless of threats derived by a
poor implementation of the scheme chosen, most of the
threats that can be de?ned on an authorization system coin
cide with the threats de?ned for authentication systems. This
coincidence has to do with the misuse ofthe credentials used
to manage permissions granting access to resources [2], [5].
[0007] In [2] four different levels are de?ned in terms ofthe
consequences of authentication and authorization errors and
misuse of credentials. Level 1 is the lowest level (the most
insecure) and level 4 is the highest.
[0008] Level liAn attacker can perform repeated logon
trials by guessing possible values ofthe token authenti
cator. An attacker is also able to replay previously cap
tured messages (between a legitimate user and a veri?er)
to authenticate as that user to the veri?er. NIST recom
mends the usage of a single or multi-factor authentica
tion with no identity proofin order to provide protection
against these online guessing and replay attacks.
[0009] Level ZiAn attacker can listen passively to the
authentication protocol to capture information which
can be used in a subsequent active attack to masquerade
as the user. NIST recommends the usage of single or
multi-factor authenticationto provide protection against
these eavesdropping attacks and all the attacks from the
level 1.
[0010] Level 3*The attacker positions himself or her
self in between the user and veri?er so that he or she can
intercept and alter the content ofthe authentication pro
tocol messages. The attacker typically impersonates the
veri?er to the user and simultaneously impersonates the
user to the veri?er. Conducting an active exchange with
both parties simultaneously may allow the attacker to
use authentication messages sent by one legitimate party
to successfully authenticate to the other. NIST recom
mends the usage of a multi-factor authentication and
wide use of OTP. It also suggests a token used for
authentication to be unlocked by the user using a pass
word or biometrics. Adopting these solutions provides
protection against veri?er impersonation attacks, MitM
attacks and the attacks from level 2.
[0011] Level 4iAn attacker is able to insert himself or
herself between a user and a veri?er subsequent to a
successful authentication exchange between the latter
two parties. The attacker is able to pose as a user to the
veri?er, or vice versa, to control session data exchange.
On the other hand, the attacker may compromise or
otherwise exploit authentication tokens and may inter
cept all input or output communications from the device
(Man-in-the-device (MitD) attacks or Man-in-the
Browser (MitB) attacks). The attacker can do this infect
ing the system with malware. NIST suggests the usage
ofMulti-factor authentication with FIPS-l40-2 certi?ed
tamper-resistant hardware (hardware tokens) [4] to get
protection against these session hijacking attacks and
the attacks from the level 3.
[0012] For the ?rst three levels, attacks and existing solu
tions are both focused on the way of verifying the user’s
identity. At level 4, NIST proposes the use ofsolutions against
session hijacking and others attacks over authentication pro
cesses. This session hijacking involves an attacker takes
advantage ofthe legitimate exchange ofcredentials that a user](https://image.slidesharecdn.com/us20140380431-171114074947/85/Us20140380431-Patent-COMPUTER-IMPLEMENTED-METHOD-TO-PREVENT-ATTACKS-AGAINST-AUTHORIZATION-SYSTEMS-AND-COMPUTER-PROGRAMS-PRODUCTS-THEREOF-5-320.jpg)
![US 2014/0380431A1
makes to comply with the authentication process. Once this
validation is accomplished, the attacker then intervenes in the
communication that takes place. This type of attack can be
implemented in two ways: actively acting, hijacking the con
nection and leaving out ofit to the legitimate user, or, remain
ing hidden and modifying the content of communication
transparently to the user. Whatever the implementation ofthis
attack, it is important to observe that this is an attack aimed at
breaking the authorization system, leaving intact, thoughuse
less, the authentication system. Although there are alterna
tives to proactively protect systems from this threat, there is
no adequate solution to mitigate the effects ofthe attack once
the device from which the resource access is requested, is
committed.
[0013] NIST suggests employing FIPS-140-2 certi?ed
tamper-resistant hardware (hardware tokens) [4] . Using these
devices provides the users the ability to generate a single use
password (one time password, OTP) to prove their identity to
each transaction. In addition, there are hardware implemen
tations ofthese tokens that can generate other OTPs coded to
contain information on how to complete a speci?c transac
tion.
[0014] Different criteria can be de?ned to establish com
parison between authentication/authorization schemes. In [1]
the authors suggest the need to de?ne three criteria in order to
perform an effective comparison. These aspects are: security,
usability and complexity on implementation (deployability).
This paper presents an intensive study to instrument the com
parison through the de?nition of metrics. Following table
summarizes the metrics de?ned for each criterion.
Usability Memory-Effortless
Scalable-for—Users
Nothing—to—Carry
Physical—Effortless
Infrequent—Errors
Easy—recovery—from—Loss
Accessible
Negligible—Cost—per—User
Server—Compatible
Browser-Compatible
Mature
Non—Proprietary
Resilient—to—Physical—Observation
Resilient-to—Targeted—Impersonation
Resilient—to—Throttled-Guessing
Resilient—to-Unthrottled—Guessing
Resilient—to—Internal—Observation
Resilient—to—Leaks—from—Other—Veri?ers
Resilient—to—Phishing
Resilient—to—Theft
No—Trusted—third—Party
Requiring—Explicit—Consent
Unlikable
Deployability
Security
[0015] In the case of security criterion, the proposed metric
set summarizes all the aspects that are usually estimated in
de?ning a threat model. In the de?nition ofthese models it is
necessary to adopt a number ofdecisions. Andthese decisions
de?ne the working scenario. For example in the case of
OAuth 2.0 [5] the adopted assumptions are as follows:
[0016] The attacker has full access to the network
between the client and authorization servers and the
client and the resource server, respectively. The attacker
may eavesdrop on any communications between those
Dec. 25, 2014
parties. He is not assumed to have access to communi
cation between the authorization server and resource
server.
[0017] An attacker has unlimited resources to organize
an attack.
[0018] Two of the three parties involved in the OAuth
protocol may collude to mount an attack against the third
party. For example, the client and authorization server
may be under control of an attacker and collude to trick
a user to gain access to resources.
[0019] Attending to the metrics introduced above, is pos
sible to determine that solutions corresponding to the higher
security level (level 4) have poor performance in deployabil
ity and usability. Once the assessment of a system allows to
determine in which level has to be deployed its authentication
system, it is needed to evaluate ifthe users are authenticated
safely and correctly. Although there are some tools that aid in
this task [3], [6], deploys in the level 4 are dif?cult to evaluate
correctly. In terms ofusability, the use oftampering resistant
hardware tokens goes against the adoption ofthese solutions
by users, and it has been proved that this situation leads to a
misuse ofthe credential systems. These tokens are expensive.
They are independent devices that the user has to custody and
that can be employed with one service provider only. If the
users have to deal with more than one service provider that
has adopted these tampering resistant hardware tokens, they
have to take into custody as many tokens as service providers
they have.
[0020] Furthermore, in terms of authorization, in [7] the
authors explain that, aside from some security issues of each
SDK, developers who choose to integrate with one of them
make assumptions that can lead to security problems. This is
because SDKs are often not well documented and the security
exploits nearly always stem from attackers who ?nd ways to
violate these assumptions system implementers relied upon.
[0021] Along with these dif?culties, other problems must
be considered to understand the constant increase in fraud
arising from the theft of digital identities. For instance, it is
not possible to measure a homogeneous security level in all
users’ digital accounts. It is needed a solution that can equal
ize the security level of all digital accounts that a user owns.
This solution should extend this security not only to the
authentication processes but also to the resource authoriza
tion processes and all procedures related to such accounts.
[0022] Therefore, a different approach is needed to
improve the overall security in the authentication/authoriza
tion systems, whatever is the scheme or schemes adopted,
minimizing the impact on the usability and deployability of
these systems.
REFERENCES
[0023] [1] Bonneau, 1., Herley, C., van Oorschot, P. C., &
Stajano, F. (2012, May). The questto replacepasswords:
A framework for comparative evaluation ofweb authen
tication schemes. In Security and Privacy (SP), 2012
IEEE Symposium on (pp. 553-567). IEEE.
[0024] [2] Burr, W. E., Dodson, D. F., & Polk, W. T.
(2006). Electronic authentication guideline. NIST Spe
cial Publication, 800, 63.
[0025] [3] Dalton, M., Kozyrakis, C., and Zeldovich, N.,
Nemesis: Preventing Authentication & Access Control
Vulnerabilities in Web Application, In Proceedings of
the 18th conference on USENIX security symposium,
(pp. 267-282) USENIX Association.](https://image.slidesharecdn.com/us20140380431-171114074947/85/Us20140380431-Patent-COMPUTER-IMPLEMENTED-METHOD-TO-PREVENT-ATTACKS-AGAINST-AUTHORIZATION-SYSTEMS-AND-COMPUTER-PROGRAMS-PRODUCTS-THEREOF-6-320.jpg)
![US 2014/0380431A1
[0026] [4] Evans, D., Bond, P., Bement, A., Security
Requirements for Cryptographic Modules, FIPS PUB
140-2 -FEDERAL INFORMATION PROCESSING
STANDARDS PUBLICATION. Online Resource:
http://csrc.nist.gov/publications/?ps/?ps140-2/
?ps1402.pdf
[0027] [5] McGloin M. & Hunt P. (2013, January) OAuth
2.0 Threat Model and Security Considerations. ISSN:
2070-1721. Online resource: http://tools.ietf.org/pdf/
rfc681 9.pdf.
[0028] [6] Sun, F., Xu, L., & SU, Z. (2011,August) Static
detection ofAccess control vulnerability in web appli
cations. In Proceedings ofthe 20th USENIX conference
on Security (pp. 11-11). USENIX.
[0029] [7] Wang, R., Zhou, Y., Chen, S., Qadeer, S.,
Evans, D., & Gurevich, Y. (2013). Explicating SDKs:
Uncovering Assumptions Underlying Secure Authenti
cation and Authorization (Vol. 37). Microsoft Research
Technical Report MSR-TR-2013.
DESCRIPTION OF THE INVENTION
[0030] To achieve the above, the invention provides a solu
tion to prevent several attacks related with authentication and
authorization processes. This solution consists in a solution
that is designed to limit the time in which an attacker is able
to develop an attack. Therefore, this solution supposes a limit
on the resources available to an attacker to organize and
attack. First, the invention seeks to reduce the risk ofan attack
directed to an authentication/authorization process by tem
porarily blocking the operation execution mechanism.
Thereby decreasing the period of exposure of these systems
and, therefore, decreasing the chances ofsuccess ofattack on
the system. In addition, a ?rst server or service provider can
force the use ofa second authentication phase (using an OTP
infrastructure) for service providers who do not provide this
option in their account management processes or even let the
user activate it.
[0031] According to a ?rst aspect there is provided a com
puter implemented method to prevent attacks against autho
rization systems, comprising: receiving at least one ?rst
server a request in the name of a user to be logged into a
service of said ?rst server; and authorizing said request, said
?rst server, by verifying user identi?cation information of
said user.
[0032] On contrary of the known proposals, and in a char
acteristic manner, in order said request to be authorized the
method further comprises:
[0033] sending, by said ?rst server to a second server in
connection with a user computing device with a dedicated
program, a request about a status associated to said user;
[0034] initializing a credential exchange between said ?rst
and second server in order to provide mutual authentication;
[0035] verifying said associated status that has been previ
ously set as valid or as invalid by said user and stored in a
memory of said second server;
[0036] sending, said second server, said associated status to
said ?rst server; and
[0037] using said ?rst server said received associated status
for:
[0038] authorizing said request for said service in the
name of said user if said associated status is set as valid,
or
[0039] rejecting said request for said service ifsaid asso
ciated status is set as invalid,
Dec. 25, 2014
wherein in case said request to be logged into a service ofsaid
?rst serverbeing authorized, and a request is done inthe name
of said user to perform an operation in said ?rst server using
at least a part of the resources of said ?rst server, the method
comprises following steps:
[0040] performing, an operation status veri?cation associ
atedto said user comprising a status request to said ?rst server
to determine what entry in a scheme corresponds with said
operation;
[0041] receiving, said second server from said ?rst server
said request about an operation status associated to said user
concerning said entry;
[0042] initializing a credential exchange between said ?rst
and second server;
[0043] evaluating, said second server a scheme entry status
from a root to said entry;
[0044] sending, said second server an evaluation result to
said ?rst server;
[0045] making a decision, said ?rst server, by at least using
said received result for allowing or blocking said request in
the name of said user to perform said operation.
[0046] The status request associated to the user comprises
the sending of a security token, said security token being
generated during a previous pairing user accounts process.
This token links the user with the ?rst server without disclo
sure of any personal information of the user to the second
server information. Then, the token is securely stored in a
memory of the ?rst server and in a memory of the second
server once the user has con?gured the pairing ofthe ?rst and
second servers’ identi?cations.
[0047] The credentials exchange to secure mutual authen
tication between the ?rst server and the second server, is
performed, preferably, via a standard authentication proce
dure based on certi?cates’ exchange de?ning, as a result, a
secured channel. The exchange is performed to verify that
both ?rst server and second server are who they claim to be.
[0048] The second server may notify the user in case said
request to be logged into a service of the ?rst server is
rejected. For instance, by the sending of a Short Message
Service (SMS), ofan email, ofor a message by a smartphone
messenger application, orjust by the highlighting or pushing
in said dedicated program of said user computing device.
[0049] Optionally, the step of evaluating the scheme entry
status performed by the second server may further include a
second factor authentication comprising, ifsaid scheme entry
status is set as valid:
[0050] sending, said second server an OTP to the ?rst server
within the result of the operation status request;
[0051] requesting, the ?rst server to the user, an OTP that
the user is going to use as temporal second factor;
[0052] sending, the second server the same OTP sent to the
?rst server to the user through said another user dedicated
program;
[0053] recovering, theuser, saidrequestedtemporal second
factor OTP through said dedicated program, introducing it
into said another user dedicated program and further sending
it via said another user dedicated program to the ?rst server;
and
[0054] checking, the ?rst server, if the received OTP from
the second server and the received temporal second factor
OTP from said another user dedicated program matches in
order to allowing or blocking said request in the name of said
user to perform said operation.](https://image.slidesharecdn.com/us20140380431-171114074947/85/Us20140380431-Patent-COMPUTER-IMPLEMENTED-METHOD-TO-PREVENT-ATTACKS-AGAINST-AUTHORIZATION-SYSTEMS-AND-COMPUTER-PROGRAMS-PRODUCTS-THEREOF-7-320.jpg)
![US 2014/0380431A1
[0055] The associated status is set as valid (unlocked) or as
invalid (locked) a certain period oftime and can be modi?able
by the user whenever the latter want it. For instance, the user
can plan a locking/unlocking policy to automate the manage
ment of their accounts held with different servers using dif
ferent criteria: time, geo-localization (different policies for
home, work, etc.). Another possibility for modifying said
associated status can be by delegating the control said user
has of their accounts to other users. This can be done by
considering two different options. In the ?rst one, a parental
control mechanism is used so the children’s (original)
accounts access control is delegated to the parent control
mechanism. In the second one, a single account allows mul
tiple locks. In this latter case, the unlock action will require
that multiple users unlock their locks concurrently. In both
cases, the delegation is performed securely maintaining the
privacy of every user unchanged.
[0056] The request to be logged into a service and/or the
request to perform an operation may be recorded in order to
provide statistics. In this way, the user can obtain system
usage statistics that re?ect activity ofthe system and track the
attempts of impersonation. These statistics inform about
when someone had attempted to access to a service with
user’s usemame.
[0057] The subject matter described herein can be imple
mented in software in combination with hardware and/or
?rmware, or a suitable combination ofthem. For example, the
subject matter described herein can be implemented in soft
ware executed by a processor.
[0058] According to another aspect there is provided a
computer program comprising computer program code
means adapted to perform the steps according to the method
of claim 1 when said program is run on a computer, a digital
signal processor, a ?eld-programmable gate array, an appli
cation-speci?c integrated circuit, a micro-processor, a micro
controller, or any other form of programmable hardware.
[0059] Embodiments ofthe invention also embrace a com
puter program product including program code means
adapted to perform a second factor authentication according
to the method of claim 6.
[0060] The present invention allows the user to plan a lock
ing/unlocking policy to automate the management of
accounts held with different servers using different criteria:
time, geo-localization (different policies for home, work,
etc.); delegate the control of their accounts to other said
second server users; enable monitoring systems that allow
users to be warned of identity theft attempts or untrue user’s
impersonation in operation execution requests, providing a
course of action to take action to control the digital identity;
establish a second factor for authentication for veri?ers that
are not providing it; establish an account to be blocked or
unblocked and change it with immediate effect by the use of
a switch control; ?x a schedule to Valid/Invalid (Block/Un
block) an account or said operation automatically based on
time and date settings. Once a check-status request is received
the second server responds based on the current state of the
scheduler; improve the security level of an account or said
operation by con?guring a second factor authentication inte
grated with second server; control different actions associ
ated with an account, authorizing or banning the execution of
them in a compatible manner with the authorization scheme
established.
[0061] Furthermore, the invention allows homogenizing
the security level for all the different accounts a user has. It
Dec. 25, 2014
allows offering a security level comparable with level 4
de?ned by NIST. And this is done for different accounts that
can be now controlled with only one device and regardless of
the authentication/authorization scheme de?ned for every
service provider.
[0062] The invention does not propose any new authenti
cation/authorization scheme. Indeed, the intention is to
complement the existent schemes with an extra security layer.
Although this may limit its usability and deployability, the
invention design is orientedto minimize the impact overthese
criteria. As it is stated before, the authentication scheme
choice determinates the security risk that is assumed for an
authorization system. What is proposed here is to reduce the
risk taken with the choice ofany authentication/authorization
mechanism reducing the time in which this system is acces
sible to be broken.
[0063] Assuming that there is a relationship between the
success and failure of an attack on the auth system with the
time in which this system is accessible (exposure time) as
conditional probability (p(SuccessfulAttack|exposed)) is
possible determining that the relative risk (RR) satis?es the
following expression:
p(SuccessfulAltac/< | exposed) Eq. 1
_ p(SuccessfulAltac/< | unexposed)
[0064] In this expression it is assumed that the probability
ofsuccess ofan attack is directly related to the exposure time.
That is, the continuous exposure ofa computer system, in this
case the authentication system, increases the likelihood of
success of an attack in contrast with a scenario in which the
exposure is limited. In the same way one can evaluate the
following expression:
p(SuccessfulAttac/<| exposed) Eq. 2
p(FailedAllac/<| exposed)
m
p(FailedAtlac/< | unexposed)
[0065] Indicating that there is a greater probability for a
successful attack ifexists a continued systems exposure. It is
also possible to estimate the portion of all successful attacks
that could have been avoided ifthe exposure had been avoided
(Attributable Risk Percent (ARP)). This is calculated with
expression 3.
ARP:
RR
[0066] This expression allows assessing the investment
required to enable a solution designed to reduce the time that
is accessible authentication process. The professional expe
rience and technical knowledge of the documented attack
techniques to break authentication/authorization systems
con?rm the assumption made earlier (RR>l). Therefore, it
can be asserted that ARP>l once the Account-locker is
adopted.
[0067] This reduction in the exposure time allows mitigat
ing the effects of most of the threats related with the authen
tication phase before a user can access to some privileged](https://image.slidesharecdn.com/us20140380431-171114074947/85/Us20140380431-Patent-COMPUTER-IMPLEMENTED-METHOD-TO-PREVENT-ATTACKS-AGAINST-AUTHORIZATION-SYSTEMS-AND-COMPUTER-PROGRAMS-PRODUCTS-THEREOF-8-320.jpg)
![US 2014/0380431Al
resources. This invention also permits reducing the exposure
ofparticular actions that can be taken after the login process
has been accomplished. Therefore, this exposure reduction
supposes the limitation in the time in what the action can be
executed and the establishment ofa channel that allow to send
critical information to assure the integrity of this action
execution.
[0068] The invention encompasses the solutions for the
threats de?ned by NIST. But, in this case, these solutions are
provided to users through a dedicated program designed to be
executed in a mobile device, which facilitates the interaction
with a second server. In addition, this second server brings
privacy in the communications relative to the control of the
user’s accounts and incorporates all the control information
that the users have set about the actions the service providers
have offered them.
BRIEF DESCRIPTION OF THE DRAWINGS
[0069] The previous and other advantages and features will
be more deeply understood from the following detailed
description of embodiments, with reference to the attached,
which must be considered in an illustrative and non-limiting
manner, in which:
[0070] FIG. 1 is an illustration of the present invention
general architecture.
[0071] FIG. 2 is a ?ow diagram illustrating an account
pairing sequence with authorization.
[0072] FIG. 3 is a ?ow diagram illustrating how a status of
a user account can be checked for authentication.
[0073] FIG. 4 shows the ?ow diagram that summarizes the
way the process introduced in FIG. 3 can be extended to its
generalization, adopting the authentication process as other
operation from the directory proposed by ?rst server.
DETAILED DESCRIPTION OF SEVERAL
EMBODIMENTS
[0074] In reference to FIG. 1 it is showed the general archi
tecture of the present invention. Concerning FIG. 1, a user
computing device 100 such as a mobile phone, a smartphone,
a tablet-PC or a PDA among any other, is used by said user in
order to login into a dedicated program 102 in communica
tion with a second server 200 and to manage the status for
every ?rst server 300 with which a user wants to request a
service.
[0075] With this new proposal said user 100 can unblock
said operation de?ned for a particular account created with
said ?rst server 300. As stated below, this action can enhance
the control de?ned for this account by decision of the ?rst
server 300. In this decision, the ?rst server 300 can choose to
incorporate a new control of security beyond the block/un
block default option or the second factor of authentication.
This control of security consists ofto provide a communica
tion channel from the user 100 to the ?rst server 300, through
the second server 200. The ?rst server 300 can con?gure the
system to ask the user 100 for a particular information related
to said operation to be performed. This information can be
used by the second server 200 to verify ifthe user 100 is who
actually is demanding said operation and to con?rm if the
operation that has arrived to the ?rst server 300 is exactly as
the one the user 100 had ordered.
[0076] Assuming that the ?rst server 300 could want to
verify the integrity of the operation, it can be selected what
parameters are critical to ensure the operation integrity. Inthis
Dec. 25, 2014
case, it is important that the requested information corre
sponds univocally with the operation critical parameter in
order to identify it correctly.
[0077] In this architecture, the user 100, besides having an
account in the second server 200, can have multiple accounts
with different service providers. One ofthese service provid
ers is the ?rst server 300. Once the user 100 completes the
login process with these accounts he or she will have access to
multiple operations speci?c to each service providers. The
second server 200 eases how a ?rst server 300 can integrate
this control within the logic of its applications.
[0078] When a ?rst server 300 decides to integrate its ser
vices, it will provide the ability to link their accounts with the
accounts that the user 100 has in the second server 200. When
the said user 100 decides to establish this link, she or he starts
a pairing process that ensures complete privacy to the user
100. Once the pairing process is completed, the user 100 can
access the con?guration ofthe control ofthe account with the
?rst server 300 from a dedicated program 102 (i.e. a mobile
application).
[0079] Every time the settings associated with an account
are changed on said mobile application, this modi?cation is
immediately propagated to the second server 200 to change
the status ofthe account that can be accessedby the ?rst server
300.
[0080] Second server core implements the main function of
the second server 200: lock or unlock said user account with
the ?rst server 300 and the operations provided by ?rst server
300. In order to do that, the second server 200 accepts and
processes the check-status requests sent from the ?rst server
300. This second server 200 also manages all data about the
links with said ?rst server 300 de?ned by the user 100 and the
requests for the pairing ofnew locks. The key is the user 100
is never asked for any private information. Once the user 100
creates his account with second server 200, he can establish
locks with different service providers, like said ?rst server
300. To activate these locks the second server 200, according
to an embodiment, generates a token. A unique token and the
de?nition of secured channels are needed to complete the
pairing process between the user 100 and the ?rst server 300.
As result of this pairing process, the cryptographic token is
sent from the second server 200 to the ?rst server 300 who has
to store this information with their user’ s personal data. Later,
this cryptographic token will be used to request the corre
sponding lock status. The user 100 can modify the status of
their locks, by the activation or con?guration ofthe different
options that second server 200 provides.
[0081] In case the user 100 has set up a lock with a second
factor for authentication over an account or a particular
action, the second server 200 will incorporate all the needed
logic for the generation and communication of the OTP.
When the second server 200 receives a request from the ?rst
server 300 asking for the user account status, a second factor
ofauthentication is triggered. An OTP is generated and sent to
the user 100. The same OTP is sent to the ?rst server 300
along with the account status. Ifthe status is ON and the user
100 has activated the second factor, the ?rst server 300 should
prompt the user to introduce the OTP to proceed with the
operation.
[0082] Now, if the user 100 has set up a lock over a said
operation with an integrity factor to verify that the operation
parameters have not been modi?ed, said second server 200
incorporates the needed logic to get the critical information
from the user 100 and from the ?rst server 300 and to check if](https://image.slidesharecdn.com/us20140380431-171114074947/85/Us20140380431-Patent-COMPUTER-IMPLEMENTED-METHOD-TO-PREVENT-ATTACKS-AGAINST-AUTHORIZATION-SYSTEMS-AND-COMPUTER-PROGRAMS-PRODUCTS-THEREOF-9-320.jpg)
![US 2014/0380431Al
both are equal. The second server 200 sends the result of the
checking as the account status to the ?rst server 300. In case
of mismatching, the ?rst server 300 can conclude that an
intruder can be intercepting the information from the user
100. The ?rst server 300 can then build mechanisms to elude
the fraud and to raise security alerts.
[0083] In reference to FIG. 2 it is illustrated a pairing pro
cess of the user 100 account of the second server 200 with
different accounts for different ?rst servers 300. In FIG. 2,
once a user 100, using for instance the dedicated program 101
such as a browser, has completedthe login process (A-B) with
a ?rst server 300 (in this particular case a Bank online, a social
network, a credit card providers, etc.), the user 100 decides to
perform said accounts’ pairing process. The user 100 requests
the pairing to the ?rst server 300 (C) using the browser 101.
As response, the ?rst server 300 asks for a pairing token (D).
The user 100 then uses the dedicated program 102 (D') to get
this pairing token from the second server 200, after a previous
login process. The second server 200 generates a token (for
instance as an OTP) (E) and sends it to the user’s dedicated
program 102 (F). This token can be used for several pairing
processes meanwhile it is valid. The user get the token (OTP)
from the dedicated program 102 and introduces it in the web
page displayed in the browser 101 by the ?rst server 300
(G-G'). The ?rst server 300 then sends the received token to
the second server 200, after a previous credentials exchange
(H). If the ?rst server 300 identity is validated, the second
server 200 stores the link between the user 100 and the ?rst
server 300 and generates a new token that identi?es this link.
This token (accountID) is sent to the ?rst server 300 (I) and
there it is stored for future communications (I). At last, a
pairing acknowledges is sent to the user’s browser 101 (K).
[0084] In reference now to FIG. 3 it is illustrated how a
status of a user account can be checked for authentication. In
FIG. 3, a user 100, using for example a browser 101, requests
to be logged in a service (A) of a ?rst server 300 so once user
existence has been validated (B) by said ?rst server 300, the
latter demands to the second server 200 the user account
status (C). Then the second server 200 initializes the creden
tials exchange before the result of the account status infor
mation is sent (D). With the result status, the ?rst server 300
makes the decision of allowing or blocking the user access
(E).
[0085] In an embodiment, ifthe account status is unlocked
or valid but the second factor of authentication is on, within
the answer ofthe status request, the second server 200 sends
an OTP to the ?rst server 300 that has to employ to complete
the authentication. The ?rst server 300 then requests to the
user 100 the OTP that is going to be a temporal second factor
(P). Then the second server 200 sends the same OTP to the to
the user’s dedicated program 102 (G). The user 100 recovers
the OTP from the dedicated program 102 and introduces it in
the browser 101 (H) and sends it to the ?rst server 300 (I). The
?rst server 300 can check ifthe OTP sent through the browser
101 matches with the one received with the account status (I).
Depending on ofthe results ofthis veri?cation, the ?rst server
performs the authentication process (K) and communicates
the result to the user via 101.
[0086] When a ?rst server 300 sends a Status Request, the
second server 200 understands that someone, with the proper
service identi?cation information (i.e. ID and password), is
trying to access to the service. If the account status is set as
blocked, or if this request has come in a moment that is not
included in the interval de?ned by the user 100, the second
Dec. 25, 2014
server 200 registers this event as a fake attempt. The second
server 200 could send, according to an embodiment, an alert
of this event to the user if said user has con?gured it so (for
instance by sending a Short Message Service (SMS), an
email, a message by a smartphone messenger application, by
a highlighting or pushing in said dedicated program 102 of
said user computing device 100, etc.) or just update the sta
tistics for a later revision. Then the second server 200 returns
the status associated with the account as locked.
[0087] With the aim ofimproving the security ofany autho
rization system, the use of the said second server 200 is
proposed as a new layer that gives the users the chance of
control the access to the resources and procedures associated
with their accounts de?ned with any ?rst servers. These
resources and procedures are seen as operations which
depend on the main actions de?ned for an account (i.e. login
process). This dependency is established like a hierarchy
where the changes in the root entries are propagated to their
children.
[0088] In this embodiment, in reference to FIG. 4 it is
showed the operation status veri?cation process. This opera
tion is proposed by the ?rst server 300 attached to the account
management. The user 100, using for example a browser 101,
requests, according to an embodiment, to execute an opera
tion related with an account (A) of a ?rst server 300. This
operation can be to be logged in a particular service or to
execute some other action related with the services provided
by ?rst server (e.g. Internet payment with a credit card). So
once user existence has been validated (B) by said ?rst server
300, the latter makes the correspondence of the operation
requested with the scheme entry in the hierarchy de?ned by
this user’s account (D) and demands to the second server 200
this entry status (E).
[0089] Then the second server 200 initializes the creden
tials exchange before evaluating the scheme entry status from
the root to the entry (F). The status of the user’s account is
retrieved and if it is unlocked the same evaluation is per
formed with every step founded until reach the scheme entry.
The scheme entry status information is sent (G) and, with this
information, the ?rst server 300 makes the decision ofallow
ing or blocking the user access to the operation.
[0090] The second factor ofauthentication can be activated
if the scheme entry status is valid or unlocked in order to
strengthen the process. The second server 200 sends an OTP
to the ?rst server 300 within the answer ofthe status request.
This ?rst server 300 employs it to complete the authentica
tion. The ?rst server 300 requests to the user 100 the OTP that
is going to be a temporal second factor (H). The second server
200 sends the same OTP to the to the user’s dedicated pro
gram 102 (I). The user 100 recovers the OTP from the dedi
cated program 102 and introduce it in the browser 101 (J) and
sends it to the ?rst server 300 (K). The ?rst servers can check
ifthe OTP sent through the browser 101 matches with the one
received with the account status (L). The ?rst server 300
denies operation execution if the OTPs don’t ?t.
[0091] The scope ofthe present invention is de?ned in the
following set of claims.
1. A computer implemented method to prevent attacks
against authorization systems, comprising:
receiving at least a ?rst server (300) a request in the name
of a user (100) to be logged into a service of said ?rst
server (300); and
authorizing said request, said ?rst server (300), by verify
ing user identi?cation information of said user (100),](https://image.slidesharecdn.com/us20140380431-171114074947/85/Us20140380431-Patent-COMPUTER-IMPLEMENTED-METHOD-TO-PREVENT-ATTACKS-AGAINST-AUTHORIZATION-SYSTEMS-AND-COMPUTER-PROGRAMS-PRODUCTS-THEREOF-10-320.jpg)
More Related Content
![DirtyTooth: It´s only Rock'n Roll but I like it [Slides]](https://cdn.slidesharecdn.com/ss_thumbnails/dirtytoothslides-170309122009-thumbnail.jpg?width=560&fit=bounds)
Similar to Us20140380431 Patent: COMPUTER IMPLEMENTED METHOD TO PREVENT ATTACKS AGAINST AUTHORIZATION SYSTEMS AND COMPUTER PROGRAMS PRODUCTS THEREOF (20)
Us20140380431 Patent: COMPUTER IMPLEMENTED METHOD TO PREVENT ATTACKS AGAINST AUTHORIZATION SYSTEMS AND COMPUTER PROGRAMS PRODUCTS THEREOF
- 1. (19) United States ALONSO CEBRIAN et al. US 20140380431A1 (12) Patent Application Publication (10) Pub. No.: US 2014/0380431 A1 (43) Pub. Date: Dec. 25, 2014 (54) COMPUTER IMPLEMENTED METHOD TO (71) (72) (73) (21) (22) PREVENT ATTACKS AGAINST AUTHORIZATION SYSTEMS AND COMPUTER PROGRAMS PRODUCTS THEREOF Applicant: TELEFONICA DIGITAL ESPANA, S.L.U., Madrid (ES) Inventors: Jose Maria ALONSO CEBRIAN, Madrid (ES); David BARROSO BERRUETA, Madrid (ES); Jose Maria PALAZON ROMERO, Madrid (ES); Antonio GUZMAN SACRISTAN, Madrid (ES) Assignee: S.L.U., Madrid (ES) Appl. No.: 14/312,269 Filed: Jun. 23, 2014 TELEFONICA DIGITAL ESPANA, 8. User Validation .. check whens match K. Aathemication (30) Foreign Application Priority Data Jun. 24, 2013 (EP) ................................ .. 133823963 Publication Classi?cation (51) Int. Cl. H04L 29/06 (2006.01) (52) US. Cl. CPC ...... .. H04L 63/0869 (2013.01); H04L 63/0838 (2013.01) USPC ............................................................ .. 726/4 (57) ABSTRACT A computer implemented method and computer program products to prevent attacks against authorization systems The computer implemented method comprising controlling the access to different resources and actions de?ned for a user by a ?rst server, reducing the exposure time at Which such operations are available and establishing a dual channel veri ?cation through the use of a second server. The computer programs implement the method.
- 2. Patent Application Publication Dec. 25, 2014 Sheet 1 0f 3 US 2014/0380431 A1 Figure 1 E‘ Gamma temgorary taken . Save ammm?? for Future request Figure 2
- 3. Patent Application Publication Dec. 25, 2014 Sheet 2 0f 3 US 2014/0380431 A1 8. User Vaimation .. check when mam: K. Authexxticatiw Figure 3
- 4. Patent Application Publication Dec. 25, 2014 Sheet 3 0f 3 US 2014/0380431 A1 8. Check user‘s cmientials Maluh apamtion with schema emry a F. Evahzake scheme siakua (mm the mm In the entry L. Check 2nd faster tokens match M. Operatim exec?tlon evaluatien Figure 4
- 5. US 2014/0380431A1 COMPUTER IMPLEMENTED METHOD TO PREVENT ATTACKS AGAINST AUTHORIZATION SYSTEMS AND COMPUTER PROGRAMS PRODUCTS THEREOF FIELD OF THE ART [0001] The present invention is directed, in general, to authentication and authorization systems, and more particu larly to a computer implemented method and computer pro gram products to prevent attacks against authorization sys tems in which the access to different resources and actions de?ned for a user are controlled. BACKGROUND OF THE INVENTION [0002] In recent years, web fraud detection market has increased considerably, so innovation in authentication and authorization processes has become of great importance. [0003] The increasing complexity ofapplications has ledto the adoption of many security techniques increasingly sophisticated. One ofthe classi?cations that can be proposed for the study ofthese security techniques allows distinguish ing between authentication solutions and authorization solu tions. The authentication techniques are designed to verify a person is the one who claims to be. In order to add more reliability in verifying that actually a person corresponds to the identity that is being checked, many alternative authenti cation schemes can be taken or the number offactors to build this authentication can be extended. [0004] There are many solutions designed to strengthen the authentication processes and, by extension, to fortify the authorization processes. Once users have been securely iden ti?ed, there are authorization schemes that allow ?exibility and robustness in assigning permissions to users to ensure secure access to system resources. However, there are threats which cannot yet be thwarted by adopting any ofthe existing schemes for the authentication/authorization, orthis adoption is too expensive to afford it. These threats directly affect the way the access to speci?c resources is performed. A method to address these threats involves the designing of brand new security mechanisms. These mechanisms must guarantee that once the identity of a user has been veri?ed and the level of authorization to a resource for this user has been checked, the actions taken by the user of that resource are not intercepted and modi?ed by any attacker. [0005] In any authorization model different techniques that facilitate access to various system resources are included. The user role information, the access control data provided when the user is authenticated, are examples ofinformationthat can be used to determine whom to give access to what resources and how this access has to be guaranteed. Ultimately, deter mining what should be accessed by the users, will be speci?ed for each application. For this reason, sometimes it will be dif?cult to provide a general authorization scheme. It will be necessary to de?ne an application-speci?c logic to determine what users can access and how they would perform these accesses. From this idea, there are many solutions that pro pose secure and ?exible schemes for the implementation of the authorization. In all these solutions, the security must be guaranteed by the correct selection of the authentication mechanism and a correct implementation of the selected authorization scheme. [0006] Some ofthe solutions provide ?exibility by de?ning their own SDK to encourage the use of their schemes for authentication/authorization. Today, most of the SDK are based on concepts introduced by OAuth and do not suppose a Dec. 25, 2014 risk by themselves. This applies to Microsoft Live Connect, Facebook PHP SDK and Windows 8 SDK Authentication Broker. Ifthey exist, the threats should come from a de?cient use of these SDK. In fact, regardless of threats derived by a poor implementation of the scheme chosen, most of the threats that can be de?ned on an authorization system coin cide with the threats de?ned for authentication systems. This coincidence has to do with the misuse ofthe credentials used to manage permissions granting access to resources [2], [5]. [0007] In [2] four different levels are de?ned in terms ofthe consequences of authentication and authorization errors and misuse of credentials. Level 1 is the lowest level (the most insecure) and level 4 is the highest. [0008] Level liAn attacker can perform repeated logon trials by guessing possible values ofthe token authenti cator. An attacker is also able to replay previously cap tured messages (between a legitimate user and a veri?er) to authenticate as that user to the veri?er. NIST recom mends the usage of a single or multi-factor authentica tion with no identity proofin order to provide protection against these online guessing and replay attacks. [0009] Level ZiAn attacker can listen passively to the authentication protocol to capture information which can be used in a subsequent active attack to masquerade as the user. NIST recommends the usage of single or multi-factor authenticationto provide protection against these eavesdropping attacks and all the attacks from the level 1. [0010] Level 3*The attacker positions himself or her self in between the user and veri?er so that he or she can intercept and alter the content ofthe authentication pro tocol messages. The attacker typically impersonates the veri?er to the user and simultaneously impersonates the user to the veri?er. Conducting an active exchange with both parties simultaneously may allow the attacker to use authentication messages sent by one legitimate party to successfully authenticate to the other. NIST recom mends the usage of a multi-factor authentication and wide use of OTP. It also suggests a token used for authentication to be unlocked by the user using a pass word or biometrics. Adopting these solutions provides protection against veri?er impersonation attacks, MitM attacks and the attacks from level 2. [0011] Level 4iAn attacker is able to insert himself or herself between a user and a veri?er subsequent to a successful authentication exchange between the latter two parties. The attacker is able to pose as a user to the veri?er, or vice versa, to control session data exchange. On the other hand, the attacker may compromise or otherwise exploit authentication tokens and may inter cept all input or output communications from the device (Man-in-the-device (MitD) attacks or Man-in-the Browser (MitB) attacks). The attacker can do this infect ing the system with malware. NIST suggests the usage ofMulti-factor authentication with FIPS-l40-2 certi?ed tamper-resistant hardware (hardware tokens) [4] to get protection against these session hijacking attacks and the attacks from the level 3. [0012] For the ?rst three levels, attacks and existing solu tions are both focused on the way of verifying the user’s identity. At level 4, NIST proposes the use ofsolutions against session hijacking and others attacks over authentication pro cesses. This session hijacking involves an attacker takes advantage ofthe legitimate exchange ofcredentials that a user
- 6. US 2014/0380431A1 makes to comply with the authentication process. Once this validation is accomplished, the attacker then intervenes in the communication that takes place. This type of attack can be implemented in two ways: actively acting, hijacking the con nection and leaving out ofit to the legitimate user, or, remain ing hidden and modifying the content of communication transparently to the user. Whatever the implementation ofthis attack, it is important to observe that this is an attack aimed at breaking the authorization system, leaving intact, thoughuse less, the authentication system. Although there are alterna tives to proactively protect systems from this threat, there is no adequate solution to mitigate the effects ofthe attack once the device from which the resource access is requested, is committed. [0013] NIST suggests employing FIPS-140-2 certi?ed tamper-resistant hardware (hardware tokens) [4] . Using these devices provides the users the ability to generate a single use password (one time password, OTP) to prove their identity to each transaction. In addition, there are hardware implemen tations ofthese tokens that can generate other OTPs coded to contain information on how to complete a speci?c transac tion. [0014] Different criteria can be de?ned to establish com parison between authentication/authorization schemes. In [1] the authors suggest the need to de?ne three criteria in order to perform an effective comparison. These aspects are: security, usability and complexity on implementation (deployability). This paper presents an intensive study to instrument the com parison through the de?nition of metrics. Following table summarizes the metrics de?ned for each criterion. Usability Memory-Effortless Scalable-for—Users Nothing—to—Carry Physical—Effortless Infrequent—Errors Easy—recovery—from—Loss Accessible Negligible—Cost—per—User Server—Compatible Browser-Compatible Mature Non—Proprietary Resilient—to—Physical—Observation Resilient-to—Targeted—Impersonation Resilient—to—Throttled-Guessing Resilient—to-Unthrottled—Guessing Resilient—to—Internal—Observation Resilient—to—Leaks—from—Other—Veri?ers Resilient—to—Phishing Resilient—to—Theft No—Trusted—third—Party Requiring—Explicit—Consent Unlikable Deployability Security [0015] In the case of security criterion, the proposed metric set summarizes all the aspects that are usually estimated in de?ning a threat model. In the de?nition ofthese models it is necessary to adopt a number ofdecisions. Andthese decisions de?ne the working scenario. For example in the case of OAuth 2.0 [5] the adopted assumptions are as follows: [0016] The attacker has full access to the network between the client and authorization servers and the client and the resource server, respectively. The attacker may eavesdrop on any communications between those Dec. 25, 2014 parties. He is not assumed to have access to communi cation between the authorization server and resource server. [0017] An attacker has unlimited resources to organize an attack. [0018] Two of the three parties involved in the OAuth protocol may collude to mount an attack against the third party. For example, the client and authorization server may be under control of an attacker and collude to trick a user to gain access to resources. [0019] Attending to the metrics introduced above, is pos sible to determine that solutions corresponding to the higher security level (level 4) have poor performance in deployabil ity and usability. Once the assessment of a system allows to determine in which level has to be deployed its authentication system, it is needed to evaluate ifthe users are authenticated safely and correctly. Although there are some tools that aid in this task [3], [6], deploys in the level 4 are dif?cult to evaluate correctly. In terms ofusability, the use oftampering resistant hardware tokens goes against the adoption ofthese solutions by users, and it has been proved that this situation leads to a misuse ofthe credential systems. These tokens are expensive. They are independent devices that the user has to custody and that can be employed with one service provider only. If the users have to deal with more than one service provider that has adopted these tampering resistant hardware tokens, they have to take into custody as many tokens as service providers they have. [0020] Furthermore, in terms of authorization, in [7] the authors explain that, aside from some security issues of each SDK, developers who choose to integrate with one of them make assumptions that can lead to security problems. This is because SDKs are often not well documented and the security exploits nearly always stem from attackers who ?nd ways to violate these assumptions system implementers relied upon. [0021] Along with these dif?culties, other problems must be considered to understand the constant increase in fraud arising from the theft of digital identities. For instance, it is not possible to measure a homogeneous security level in all users’ digital accounts. It is needed a solution that can equal ize the security level of all digital accounts that a user owns. This solution should extend this security not only to the authentication processes but also to the resource authoriza tion processes and all procedures related to such accounts. [0022] Therefore, a different approach is needed to improve the overall security in the authentication/authoriza tion systems, whatever is the scheme or schemes adopted, minimizing the impact on the usability and deployability of these systems. REFERENCES [0023] [1] Bonneau, 1., Herley, C., van Oorschot, P. C., & Stajano, F. (2012, May). The questto replacepasswords: A framework for comparative evaluation ofweb authen tication schemes. In Security and Privacy (SP), 2012 IEEE Symposium on (pp. 553-567). IEEE. [0024] [2] Burr, W. E., Dodson, D. F., & Polk, W. T. (2006). Electronic authentication guideline. NIST Spe cial Publication, 800, 63. [0025] [3] Dalton, M., Kozyrakis, C., and Zeldovich, N., Nemesis: Preventing Authentication & Access Control Vulnerabilities in Web Application, In Proceedings of the 18th conference on USENIX security symposium, (pp. 267-282) USENIX Association.
- 7. US 2014/0380431A1 [0026] [4] Evans, D., Bond, P., Bement, A., Security Requirements for Cryptographic Modules, FIPS PUB 140-2 -FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION. Online Resource: http://csrc.nist.gov/publications/?ps/?ps140-2/ ?ps1402.pdf [0027] [5] McGloin M. & Hunt P. (2013, January) OAuth 2.0 Threat Model and Security Considerations. ISSN: 2070-1721. Online resource: http://tools.ietf.org/pdf/ rfc681 9.pdf. [0028] [6] Sun, F., Xu, L., & SU, Z. (2011,August) Static detection ofAccess control vulnerability in web appli cations. In Proceedings ofthe 20th USENIX conference on Security (pp. 11-11). USENIX. [0029] [7] Wang, R., Zhou, Y., Chen, S., Qadeer, S., Evans, D., & Gurevich, Y. (2013). Explicating SDKs: Uncovering Assumptions Underlying Secure Authenti cation and Authorization (Vol. 37). Microsoft Research Technical Report MSR-TR-2013. DESCRIPTION OF THE INVENTION [0030] To achieve the above, the invention provides a solu tion to prevent several attacks related with authentication and authorization processes. This solution consists in a solution that is designed to limit the time in which an attacker is able to develop an attack. Therefore, this solution supposes a limit on the resources available to an attacker to organize and attack. First, the invention seeks to reduce the risk ofan attack directed to an authentication/authorization process by tem porarily blocking the operation execution mechanism. Thereby decreasing the period of exposure of these systems and, therefore, decreasing the chances ofsuccess ofattack on the system. In addition, a ?rst server or service provider can force the use ofa second authentication phase (using an OTP infrastructure) for service providers who do not provide this option in their account management processes or even let the user activate it. [0031] According to a ?rst aspect there is provided a com puter implemented method to prevent attacks against autho rization systems, comprising: receiving at least one ?rst server a request in the name of a user to be logged into a service of said ?rst server; and authorizing said request, said ?rst server, by verifying user identi?cation information of said user. [0032] On contrary of the known proposals, and in a char acteristic manner, in order said request to be authorized the method further comprises: [0033] sending, by said ?rst server to a second server in connection with a user computing device with a dedicated program, a request about a status associated to said user; [0034] initializing a credential exchange between said ?rst and second server in order to provide mutual authentication; [0035] verifying said associated status that has been previ ously set as valid or as invalid by said user and stored in a memory of said second server; [0036] sending, said second server, said associated status to said ?rst server; and [0037] using said ?rst server said received associated status for: [0038] authorizing said request for said service in the name of said user if said associated status is set as valid, or [0039] rejecting said request for said service ifsaid asso ciated status is set as invalid, Dec. 25, 2014 wherein in case said request to be logged into a service ofsaid ?rst serverbeing authorized, and a request is done inthe name of said user to perform an operation in said ?rst server using at least a part of the resources of said ?rst server, the method comprises following steps: [0040] performing, an operation status veri?cation associ atedto said user comprising a status request to said ?rst server to determine what entry in a scheme corresponds with said operation; [0041] receiving, said second server from said ?rst server said request about an operation status associated to said user concerning said entry; [0042] initializing a credential exchange between said ?rst and second server; [0043] evaluating, said second server a scheme entry status from a root to said entry; [0044] sending, said second server an evaluation result to said ?rst server; [0045] making a decision, said ?rst server, by at least using said received result for allowing or blocking said request in the name of said user to perform said operation. [0046] The status request associated to the user comprises the sending of a security token, said security token being generated during a previous pairing user accounts process. This token links the user with the ?rst server without disclo sure of any personal information of the user to the second server information. Then, the token is securely stored in a memory of the ?rst server and in a memory of the second server once the user has con?gured the pairing ofthe ?rst and second servers’ identi?cations. [0047] The credentials exchange to secure mutual authen tication between the ?rst server and the second server, is performed, preferably, via a standard authentication proce dure based on certi?cates’ exchange de?ning, as a result, a secured channel. The exchange is performed to verify that both ?rst server and second server are who they claim to be. [0048] The second server may notify the user in case said request to be logged into a service of the ?rst server is rejected. For instance, by the sending of a Short Message Service (SMS), ofan email, ofor a message by a smartphone messenger application, orjust by the highlighting or pushing in said dedicated program of said user computing device. [0049] Optionally, the step of evaluating the scheme entry status performed by the second server may further include a second factor authentication comprising, ifsaid scheme entry status is set as valid: [0050] sending, said second server an OTP to the ?rst server within the result of the operation status request; [0051] requesting, the ?rst server to the user, an OTP that the user is going to use as temporal second factor; [0052] sending, the second server the same OTP sent to the ?rst server to the user through said another user dedicated program; [0053] recovering, theuser, saidrequestedtemporal second factor OTP through said dedicated program, introducing it into said another user dedicated program and further sending it via said another user dedicated program to the ?rst server; and [0054] checking, the ?rst server, if the received OTP from the second server and the received temporal second factor OTP from said another user dedicated program matches in order to allowing or blocking said request in the name of said user to perform said operation.
- 8. US 2014/0380431A1 [0055] The associated status is set as valid (unlocked) or as invalid (locked) a certain period oftime and can be modi?able by the user whenever the latter want it. For instance, the user can plan a locking/unlocking policy to automate the manage ment of their accounts held with different servers using dif ferent criteria: time, geo-localization (different policies for home, work, etc.). Another possibility for modifying said associated status can be by delegating the control said user has of their accounts to other users. This can be done by considering two different options. In the ?rst one, a parental control mechanism is used so the children’s (original) accounts access control is delegated to the parent control mechanism. In the second one, a single account allows mul tiple locks. In this latter case, the unlock action will require that multiple users unlock their locks concurrently. In both cases, the delegation is performed securely maintaining the privacy of every user unchanged. [0056] The request to be logged into a service and/or the request to perform an operation may be recorded in order to provide statistics. In this way, the user can obtain system usage statistics that re?ect activity ofthe system and track the attempts of impersonation. These statistics inform about when someone had attempted to access to a service with user’s usemame. [0057] The subject matter described herein can be imple mented in software in combination with hardware and/or ?rmware, or a suitable combination ofthem. For example, the subject matter described herein can be implemented in soft ware executed by a processor. [0058] According to another aspect there is provided a computer program comprising computer program code means adapted to perform the steps according to the method of claim 1 when said program is run on a computer, a digital signal processor, a ?eld-programmable gate array, an appli cation-speci?c integrated circuit, a micro-processor, a micro controller, or any other form of programmable hardware. [0059] Embodiments ofthe invention also embrace a com puter program product including program code means adapted to perform a second factor authentication according to the method of claim 6. [0060] The present invention allows the user to plan a lock ing/unlocking policy to automate the management of accounts held with different servers using different criteria: time, geo-localization (different policies for home, work, etc.); delegate the control of their accounts to other said second server users; enable monitoring systems that allow users to be warned of identity theft attempts or untrue user’s impersonation in operation execution requests, providing a course of action to take action to control the digital identity; establish a second factor for authentication for veri?ers that are not providing it; establish an account to be blocked or unblocked and change it with immediate effect by the use of a switch control; ?x a schedule to Valid/Invalid (Block/Un block) an account or said operation automatically based on time and date settings. Once a check-status request is received the second server responds based on the current state of the scheduler; improve the security level of an account or said operation by con?guring a second factor authentication inte grated with second server; control different actions associ ated with an account, authorizing or banning the execution of them in a compatible manner with the authorization scheme established. [0061] Furthermore, the invention allows homogenizing the security level for all the different accounts a user has. It Dec. 25, 2014 allows offering a security level comparable with level 4 de?ned by NIST. And this is done for different accounts that can be now controlled with only one device and regardless of the authentication/authorization scheme de?ned for every service provider. [0062] The invention does not propose any new authenti cation/authorization scheme. Indeed, the intention is to complement the existent schemes with an extra security layer. Although this may limit its usability and deployability, the invention design is orientedto minimize the impact overthese criteria. As it is stated before, the authentication scheme choice determinates the security risk that is assumed for an authorization system. What is proposed here is to reduce the risk taken with the choice ofany authentication/authorization mechanism reducing the time in which this system is acces sible to be broken. [0063] Assuming that there is a relationship between the success and failure of an attack on the auth system with the time in which this system is accessible (exposure time) as conditional probability (p(SuccessfulAttack|exposed)) is possible determining that the relative risk (RR) satis?es the following expression: p(SuccessfulAltac/< | exposed) Eq. 1 _ p(SuccessfulAltac/< | unexposed) [0064] In this expression it is assumed that the probability ofsuccess ofan attack is directly related to the exposure time. That is, the continuous exposure ofa computer system, in this case the authentication system, increases the likelihood of success of an attack in contrast with a scenario in which the exposure is limited. In the same way one can evaluate the following expression: p(SuccessfulAttac/<| exposed) Eq. 2 p(FailedAllac/<| exposed) m p(FailedAtlac/< | unexposed) [0065] Indicating that there is a greater probability for a successful attack ifexists a continued systems exposure. It is also possible to estimate the portion of all successful attacks that could have been avoided ifthe exposure had been avoided (Attributable Risk Percent (ARP)). This is calculated with expression 3. ARP: RR [0066] This expression allows assessing the investment required to enable a solution designed to reduce the time that is accessible authentication process. The professional expe rience and technical knowledge of the documented attack techniques to break authentication/authorization systems con?rm the assumption made earlier (RR>l). Therefore, it can be asserted that ARP>l once the Account-locker is adopted. [0067] This reduction in the exposure time allows mitigat ing the effects of most of the threats related with the authen tication phase before a user can access to some privileged
- 9. US 2014/0380431Al resources. This invention also permits reducing the exposure ofparticular actions that can be taken after the login process has been accomplished. Therefore, this exposure reduction supposes the limitation in the time in what the action can be executed and the establishment ofa channel that allow to send critical information to assure the integrity of this action execution. [0068] The invention encompasses the solutions for the threats de?ned by NIST. But, in this case, these solutions are provided to users through a dedicated program designed to be executed in a mobile device, which facilitates the interaction with a second server. In addition, this second server brings privacy in the communications relative to the control of the user’s accounts and incorporates all the control information that the users have set about the actions the service providers have offered them. BRIEF DESCRIPTION OF THE DRAWINGS [0069] The previous and other advantages and features will be more deeply understood from the following detailed description of embodiments, with reference to the attached, which must be considered in an illustrative and non-limiting manner, in which: [0070] FIG. 1 is an illustration of the present invention general architecture. [0071] FIG. 2 is a ?ow diagram illustrating an account pairing sequence with authorization. [0072] FIG. 3 is a ?ow diagram illustrating how a status of a user account can be checked for authentication. [0073] FIG. 4 shows the ?ow diagram that summarizes the way the process introduced in FIG. 3 can be extended to its generalization, adopting the authentication process as other operation from the directory proposed by ?rst server. DETAILED DESCRIPTION OF SEVERAL EMBODIMENTS [0074] In reference to FIG. 1 it is showed the general archi tecture of the present invention. Concerning FIG. 1, a user computing device 100 such as a mobile phone, a smartphone, a tablet-PC or a PDA among any other, is used by said user in order to login into a dedicated program 102 in communica tion with a second server 200 and to manage the status for every ?rst server 300 with which a user wants to request a service. [0075] With this new proposal said user 100 can unblock said operation de?ned for a particular account created with said ?rst server 300. As stated below, this action can enhance the control de?ned for this account by decision of the ?rst server 300. In this decision, the ?rst server 300 can choose to incorporate a new control of security beyond the block/un block default option or the second factor of authentication. This control of security consists ofto provide a communica tion channel from the user 100 to the ?rst server 300, through the second server 200. The ?rst server 300 can con?gure the system to ask the user 100 for a particular information related to said operation to be performed. This information can be used by the second server 200 to verify ifthe user 100 is who actually is demanding said operation and to con?rm if the operation that has arrived to the ?rst server 300 is exactly as the one the user 100 had ordered. [0076] Assuming that the ?rst server 300 could want to verify the integrity of the operation, it can be selected what parameters are critical to ensure the operation integrity. Inthis Dec. 25, 2014 case, it is important that the requested information corre sponds univocally with the operation critical parameter in order to identify it correctly. [0077] In this architecture, the user 100, besides having an account in the second server 200, can have multiple accounts with different service providers. One ofthese service provid ers is the ?rst server 300. Once the user 100 completes the login process with these accounts he or she will have access to multiple operations speci?c to each service providers. The second server 200 eases how a ?rst server 300 can integrate this control within the logic of its applications. [0078] When a ?rst server 300 decides to integrate its ser vices, it will provide the ability to link their accounts with the accounts that the user 100 has in the second server 200. When the said user 100 decides to establish this link, she or he starts a pairing process that ensures complete privacy to the user 100. Once the pairing process is completed, the user 100 can access the con?guration ofthe control ofthe account with the ?rst server 300 from a dedicated program 102 (i.e. a mobile application). [0079] Every time the settings associated with an account are changed on said mobile application, this modi?cation is immediately propagated to the second server 200 to change the status ofthe account that can be accessedby the ?rst server 300. [0080] Second server core implements the main function of the second server 200: lock or unlock said user account with the ?rst server 300 and the operations provided by ?rst server 300. In order to do that, the second server 200 accepts and processes the check-status requests sent from the ?rst server 300. This second server 200 also manages all data about the links with said ?rst server 300 de?ned by the user 100 and the requests for the pairing ofnew locks. The key is the user 100 is never asked for any private information. Once the user 100 creates his account with second server 200, he can establish locks with different service providers, like said ?rst server 300. To activate these locks the second server 200, according to an embodiment, generates a token. A unique token and the de?nition of secured channels are needed to complete the pairing process between the user 100 and the ?rst server 300. As result of this pairing process, the cryptographic token is sent from the second server 200 to the ?rst server 300 who has to store this information with their user’ s personal data. Later, this cryptographic token will be used to request the corre sponding lock status. The user 100 can modify the status of their locks, by the activation or con?guration ofthe different options that second server 200 provides. [0081] In case the user 100 has set up a lock with a second factor for authentication over an account or a particular action, the second server 200 will incorporate all the needed logic for the generation and communication of the OTP. When the second server 200 receives a request from the ?rst server 300 asking for the user account status, a second factor ofauthentication is triggered. An OTP is generated and sent to the user 100. The same OTP is sent to the ?rst server 300 along with the account status. Ifthe status is ON and the user 100 has activated the second factor, the ?rst server 300 should prompt the user to introduce the OTP to proceed with the operation. [0082] Now, if the user 100 has set up a lock over a said operation with an integrity factor to verify that the operation parameters have not been modi?ed, said second server 200 incorporates the needed logic to get the critical information from the user 100 and from the ?rst server 300 and to check if
- 10. US 2014/0380431Al both are equal. The second server 200 sends the result of the checking as the account status to the ?rst server 300. In case of mismatching, the ?rst server 300 can conclude that an intruder can be intercepting the information from the user 100. The ?rst server 300 can then build mechanisms to elude the fraud and to raise security alerts. [0083] In reference to FIG. 2 it is illustrated a pairing pro cess of the user 100 account of the second server 200 with different accounts for different ?rst servers 300. In FIG. 2, once a user 100, using for instance the dedicated program 101 such as a browser, has completedthe login process (A-B) with a ?rst server 300 (in this particular case a Bank online, a social network, a credit card providers, etc.), the user 100 decides to perform said accounts’ pairing process. The user 100 requests the pairing to the ?rst server 300 (C) using the browser 101. As response, the ?rst server 300 asks for a pairing token (D). The user 100 then uses the dedicated program 102 (D') to get this pairing token from the second server 200, after a previous login process. The second server 200 generates a token (for instance as an OTP) (E) and sends it to the user’s dedicated program 102 (F). This token can be used for several pairing processes meanwhile it is valid. The user get the token (OTP) from the dedicated program 102 and introduces it in the web page displayed in the browser 101 by the ?rst server 300 (G-G'). The ?rst server 300 then sends the received token to the second server 200, after a previous credentials exchange (H). If the ?rst server 300 identity is validated, the second server 200 stores the link between the user 100 and the ?rst server 300 and generates a new token that identi?es this link. This token (accountID) is sent to the ?rst server 300 (I) and there it is stored for future communications (I). At last, a pairing acknowledges is sent to the user’s browser 101 (K). [0084] In reference now to FIG. 3 it is illustrated how a status of a user account can be checked for authentication. In FIG. 3, a user 100, using for example a browser 101, requests to be logged in a service (A) of a ?rst server 300 so once user existence has been validated (B) by said ?rst server 300, the latter demands to the second server 200 the user account status (C). Then the second server 200 initializes the creden tials exchange before the result of the account status infor mation is sent (D). With the result status, the ?rst server 300 makes the decision of allowing or blocking the user access (E). [0085] In an embodiment, ifthe account status is unlocked or valid but the second factor of authentication is on, within the answer ofthe status request, the second server 200 sends an OTP to the ?rst server 300 that has to employ to complete the authentication. The ?rst server 300 then requests to the user 100 the OTP that is going to be a temporal second factor (P). Then the second server 200 sends the same OTP to the to the user’s dedicated program 102 (G). The user 100 recovers the OTP from the dedicated program 102 and introduces it in the browser 101 (H) and sends it to the ?rst server 300 (I). The ?rst server 300 can check ifthe OTP sent through the browser 101 matches with the one received with the account status (I). Depending on ofthe results ofthis veri?cation, the ?rst server performs the authentication process (K) and communicates the result to the user via 101. [0086] When a ?rst server 300 sends a Status Request, the second server 200 understands that someone, with the proper service identi?cation information (i.e. ID and password), is trying to access to the service. If the account status is set as blocked, or if this request has come in a moment that is not included in the interval de?ned by the user 100, the second Dec. 25, 2014 server 200 registers this event as a fake attempt. The second server 200 could send, according to an embodiment, an alert of this event to the user if said user has con?gured it so (for instance by sending a Short Message Service (SMS), an email, a message by a smartphone messenger application, by a highlighting or pushing in said dedicated program 102 of said user computing device 100, etc.) or just update the sta tistics for a later revision. Then the second server 200 returns the status associated with the account as locked. [0087] With the aim ofimproving the security ofany autho rization system, the use of the said second server 200 is proposed as a new layer that gives the users the chance of control the access to the resources and procedures associated with their accounts de?ned with any ?rst servers. These resources and procedures are seen as operations which depend on the main actions de?ned for an account (i.e. login process). This dependency is established like a hierarchy where the changes in the root entries are propagated to their children. [0088] In this embodiment, in reference to FIG. 4 it is showed the operation status veri?cation process. This opera tion is proposed by the ?rst server 300 attached to the account management. The user 100, using for example a browser 101, requests, according to an embodiment, to execute an opera tion related with an account (A) of a ?rst server 300. This operation can be to be logged in a particular service or to execute some other action related with the services provided by ?rst server (e.g. Internet payment with a credit card). So once user existence has been validated (B) by said ?rst server 300, the latter makes the correspondence of the operation requested with the scheme entry in the hierarchy de?ned by this user’s account (D) and demands to the second server 200 this entry status (E). [0089] Then the second server 200 initializes the creden tials exchange before evaluating the scheme entry status from the root to the entry (F). The status of the user’s account is retrieved and if it is unlocked the same evaluation is per formed with every step founded until reach the scheme entry. The scheme entry status information is sent (G) and, with this information, the ?rst server 300 makes the decision ofallow ing or blocking the user access to the operation. [0090] The second factor ofauthentication can be activated if the scheme entry status is valid or unlocked in order to strengthen the process. The second server 200 sends an OTP to the ?rst server 300 within the answer ofthe status request. This ?rst server 300 employs it to complete the authentica tion. The ?rst server 300 requests to the user 100 the OTP that is going to be a temporal second factor (H). The second server 200 sends the same OTP to the to the user’s dedicated pro gram 102 (I). The user 100 recovers the OTP from the dedi cated program 102 and introduce it in the browser 101 (J) and sends it to the ?rst server 300 (K). The ?rst servers can check ifthe OTP sent through the browser 101 matches with the one received with the account status (L). The ?rst server 300 denies operation execution if the OTPs don’t ?t. [0091] The scope ofthe present invention is de?ned in the following set of claims. 1. A computer implemented method to prevent attacks against authorization systems, comprising: receiving at least a ?rst server (300) a request in the name of a user (100) to be logged into a service of said ?rst server (300); and authorizing said request, said ?rst server (300), by verify ing user identi?cation information of said user (100),
- 11. US 2014/0380431Al characterized in that in order said request to be authorized said method further comprises: sending, by said ?rst server (300) to a second server (200) in connection with a user computing device with a dedi cated program (102), a request about a status associated to said user; initializing a credential exchange between said ?rst (300) and second server (200) in order to provide mutual authentication; verifying said associated status that has beenpreviously set as valid or as invalid by said user (100) and stored in a memory of said second server (200); sending, said second server (200), said associated status to said ?rst server (300); and using said ?rst server (300) said received associated status for: authorizing said request in the name of said user if said associated status is set as valid, or rejecting said request if said associated status is set as invalid. wherein in case said request to be logged into a service ofsaid ?rst server (300) being authorized and a request is done in the name of said user to perform an operation in said ?rst server (300) using at least a part ofthe resources of said ?rst server (300), the method comprises following steps: performing, an operation status veri?cation associated to said user (100) comprising a status request to said ?rst server (300) to determine what entry in a scheme corre sponds with said operation; receiving, said second server (200) from said ?rst server (300) said request about an operation status associatedto said user (100) concerning said entry; initializing a credential exchange between said ?rst (300) and second server (200); evaluating, said second server (200) a scheme entry status from a root to said entry; sending, said second server (200) an evaluation result to said ?rst server (300); making a decision, said ?rst server (300), by at least using said receivedresult for allowing orblocking saidrequest in the name of said user to perform said operation. 2. A computer implemented method according to claim 1, comprising notifying, by said second server (200) the user in case said request to be logged into a service ofsaid ?rst server (300) is rejected. 3. A computer implemented method according to claim 2, wherein said notifying comprises one of a sending ofa Short Message Service (SMS), a sending of an email, a sending of a message by a smartphone messenger application, a high lighting or pushing in said dedicated program (102) of said user computing device. 4. A computer implemented method according to claim 1, wherein said associated status is set as valid or as invalid a certain period of time. Dec. 25, 2014 5. A computer implemented method according to claim 1, wherein a second factor authentication is used within the answer ofsaid scheme entry status if said scheme entry status is set as valid. 6. A computer implemented method according to claim 5, wherein said second factor authentication comprises: sending, said second server (200) to the ?rst server (300), a one-time password (OTP); requesting, the ?rst server (300) to the user (100), an OTP that the user (100) is going to use as temporal second factor; recovering, the user (100), said requested temporal second factor OTP through said dedicated program (102) and further sending it to the ?rst server (300); and checking, the ?rst server (300), if the received OTP from the second server (200) and the received temporal sec ond factor OTP from the user matches in order to autho rizing or rejecting said request for said service in the name of the user. 7. A computer implemented method according to claim 6, wherein the ?rst server (300) comprises: allowing said opera tion if said OTPs matches or blocking said operation if said OTPs not matches. 8. A computer implemented method according to claim 1, wherein said step of evaluating is performed for every step founded until reach the scheme entry. 9. A computer implemented method according to claim 1, wherein said request to be logged into a service and/or said request to perform an operation are recorded in order to provide statistics. 10. A computer program comprising computer program code means adapted to perform the steps according to the method ofclaim 1 when said program is run on a computer, a digital signal processor, a ?eld-programmable gate array, an application-speci?c integrated circuit, a micro-processor, a micro-controller, or any other form of programmable hard ware. 11. A computer program product according to claim 11, further comprising program code means adapted to perform a second factor authentication wherein said second factor authentication comprises: sending, said second server (200) to the ?rst server (300), a one-time password (OTP); requesting, the ?rst server (300) to the user (100), an OTP that the user (100) is going to use as temporal second factor; recovering, the user (100), said requested temporal second factor OTP through said dedicated program (102) and further sending it to the ?rst server (300); and checking, the ?rst server (300), if the received OTP from the second server (200) and the received temporal sec ond factor OTP from the user matches in order to autho rizing or rejecting said request for said service in the name of the user. * * * * *