Financial transaction server with process-based security
A system and method for performing a financial transaction over a network between a point-of-sale server and a financial server includes generating an identifier corresponding to a credit card number at a financial transaction server in communication with the point-of-sale server and the financial server. The transaction server sends the identifier to the point-of-sale server. When a customer chooses to use a stored credit card, the point-of-sale server sends the corresponding identifier to the transaction server. The transaction server retrieves the credit card number corresponding with said received identifier; and sends said retrieved credit card number to a financial server for processing.
This application is a continuation-in-part of U.S. patent application Ser. No. 10/061,701 filed on Feb. 1, 2002.
TECHNICAL FIELD OF THE INVENTIONThe present invention relates in general to software security systems and, more 5 particularly, to a financial transaction server using process-based security.
BACKGROUND OF THE INVENTIONData processing systems have, as of recent, seen a large increase in the use thereof. For small users, such as home users, a typical system will run multiple programs that will allow access to various stored data files, allow the user to access resources such as disk drives, modems, faxes, etc. Access to these types of systems is typically what is referred to as “unrestricted”, i.e., any one possessing the required knowledge to access a given program can access it on any unrestricted computer. However, for a larger data processing system that may contain confidential information, the user may be provided access to resources that are billed on a time-use, etc., these systems usually requiring restricted access.
In restricted access systems, a user is typically given an I.D. to the system. A system administrator can then configure a system, via a network or even a stand-alone system, to define the user's access to the system, once the user has logged in to the system. For example, in the network environment, there are a plurality of network drives, network resources such as printers, faxes and mailboxes, etc. The user has a configuration file that defines what access the user has. Upon logging in, the network will then access the configuration table and allow that user access to the given system resources. The user can then execute a program and utilize the program to access the resources through something as simple as a disk operating system (DOS). The disadvantage to this type of access is that the user now has full access to resources for any purpose, other than the purpose for which the user was given access.
As an example, a user may need access to a modem for the purpose of running database searching software. This database searching software allows the user to dial up a provider with the modem to perform predefined searching. In order for a prior restricted system to utilize the modem, the user must be granted access to a given serial port. However, the user need not run the database searching software in order to have access to the modem. This allows the user to run other programs that can gain access to the system. The disadvantages to this is that, although the database searching software may have certain restrictions that are inherent in the software itself, a user can bypass this system to utilize the modem for other purposes. This can also be the case with respect to data files, wherein a word processing program has the ability to read and write files and gain access to printers through the word processing software. However, this access must be granted in a global manner, such that the user can access the files and printers via any other means, once logged into the system.
As another example, consider a database that allows access to databases such as payroll, criminal records, etc., which a user has been given access. With current operating system security, the user can certainly go outside of a given program that is utilized with a specific database to copy, delete or even change files in the database outside of the program. As such, there exists a problem in that security for current operating systems provides that resources are allocated based on users or the groups to which the users belong. This therefore allows the user access to those resources even though the process that needs those resources is not being run. These rights will in turn allow the user to use the resource outside of its intended use.
In a general purpose computer system operating with a wide assortment of applications or processes, usually as part of a bundled package, security is based on the control of user access which allows access to all of the resources on the system whether they are needed or not. A disadvantage of this system is that it is not very secure and is prone to break-in or misuse of resources, some of which contain very sensitive information, primarily because of the unrestricted access to resources. All that is required to enter such a system is a user ID and a password. One solution, implementing process-based access to a general purpose computer system, where the access to each resource is controlled in addition to the entry of a user ID and password, would provide an additional level of access control.
SUMMARY OF THE INVENTIONA system and method for providing access for a user to resources user identification information and loads user resource access information ed with the user identification information including process resource access ion associated with a process. The system executes processes where the access resources. When the process accesses resources, the system checks the resource access information when the process attempts to access a specified to determine if the access of the specified resource by the process is permitted ws the process to access the specified resource if access is permitted or denies ess access to the specified resource if access is not permitted.
BRIEF DESCRIPTION OF THE DRAWINGSFor a more complete understanding of the present invention and the advantages thereof, reference is now made to the following description taken in conjunction with the accompanying Drawings in which:
Referring now to the drawings, wherein like reference numbers are used to designate like elements throughout the various views, several embodiments of the present invention are further described. The figures are not necessarily drawn to scale, and in some instances the drawings have been exaggerated or simplified for illustrative purposes only. One of ordinary skill in the art will appreciate the many possible applications and variations of the present invention based on the following examples of possible embodiments of the present invention.
Referring now to
The CPU 10 also interfaces with peripheral resources through an Input/Output (I/O) block 24. The I/O block 24 allows access to such things as a modem 26, a network card 28, a scanner 30 and a printer 32. The scanner 30 and the printer 32 are referred to as local resources. The modem/fax 26, however, allows access to remote resources, such as a public telephone network (PTN) 34. The network card 28 allows access to a network 36, which in turn allows access to network resources 38.
Referring now to
It can be seen in the prior art system of
Referring now to
Referring further to
The process expresses its need via a process requesting mechanism 66 which is an inherent aspect of process execution for any given process. The process requesting mechanism 66 initiates a request for a resource and, if the process running on the system has access to that resource, as noted in the resource access table 64, the operating system 60 will then grant the resource for use by the process within the operating system. If not, then the operating system will block access.
Referring now to
By way of example, if a word processing program were being operated and, on the same computer, a user had the ability to operate an accounting program, the word processor would be provided access to certain regions on a disk and the files associated therewith. The user could retrieve these files, delete them, modify them and restore them. However, the user would not be allowed through the word processor to access the accounting database for any purpose, since the process does not require this. In another example, if a modem were provided, this would not usually be a resource that was available to a word processor. The modem would, for example, only be accessible to a communications program.
In another example of the operation of the process based security system, where resources are permitted access only in association with the particular process that is selected, reference is made to Table 1, which is an example of the resource access table 64 of
The example in Table 1 illustrates a general personal computer of the clone type, running an MS DOS operating system which is attached to a network with a process based security. When the computer is started, any process with the C:\ drive (denoted with the wild card processing of *.*) and its sub-directories (denoted with the /S option on the end of the process name) is provided full access to anything on the C:\drive (once again denoted with the wild card resource name of *.*) and its sub-directories (once again denoted with the /S option on the end of the resource name). The user can also execute the process E:\LOGIN\LOGIN.EXE from the network. All other resources from the network are not available to the computer at this time. This situation represents a user, on a computer, who can log into a network, but has not done so. In essence, the user can do anything with their local resources, but nothing with network resources, until they are identified to the network with the login program.
In step 2 in Table 1, when the user executes the E:\LOGIN\LOGIN.EXE process, the process changes from something on C:\ to LOGIN.EXE which can read the E:\SYSTEM\PASSWORDS file and execute the E:\PROGRAMS\MENU\MENU.EXE program. The file LOGIN.EXE is the network's method of identifying users of the network. Execution of LOGIN.EXE will verify the user through its read-only access to the E:\SYSTEM\PASSWORDS file. If the user is verified as a valid user, LOGIN.EXE will pass control on to step 3 and the process E:\PROGRAMS\MENU\MENU\.EXE.
In step 3, when MENU.EXE gets executed, it will read the appropriate menu options from its SCREENS file and display it for the user. MENU.EXE controls what programs can be executed and as such, it has been given rights to execute any program in the E:\PROGRAMS directory or any of E:\PROGRAMS sub-directories (this is denoted with the /S option after the partial wild card name *.EXE and *.COM). In step 4, in the event the user executes the WP.EXE program, this process has full access to a local F:\LIBRARY directory, a shared G:\COMMON directory and the sub-directories of G:\COMMON. The example in step 4 may also represent a network, where personal files are stored in a user-related directory (F:\LIBRARY) and company shared documents are stored in a common directory (G:\COMMON).
In the preceding example, it can be seen that the user cannot, for example, obtain access to the PASSWORDS file by any other process except for the LOGIN.EXE process and this process determines how the user can deal with that particular file.
Referring now to
It is important to note that the process must be running and, during the running thereof, execute instructions that request a given resource. It is the running of the process and the request by that running process that allows access to a resource. The fact that the process has been opened and initiated is not sufficient to gain access to the resource since it is the use of the resource by a given process that is selected. For example, if a multi-tasking operating system were utilized and a given program executed from that platform as a first task, it may be desirable to place that task in the background and initiate a second task. Even if the first task were running in the background, the ability of the first task to request a given resource does not in any way effect the rights of the second task to have access to that same resource. Unless it is in the resource access table, no access to the resource will be allowed. Even if the first task were operating and it were utilized to “launch” a second process, this would not effect the resource access of the launched process, since when the launched process is running, the launching process is not running and it is not the launching process that is requesting access to the resource. Therefore, it is only the requesting resource that is of concern.
Referring now to
After the log in block 104, the program will flow to a function block 106 to run the process. Once the process is running, the program then flows to a decision block 108 to determine if a resource request has been made by the running process. If not, the program will flow along the “N” path back to the input of function block 106. When a resource request has been made by the running process, the program will flow from decision block 108 along a “Y” path to a function block 110, wherein the resource access table is accessed to determine access rights for the requesting process. The program will then flow to a decision block 112 to determine if access has been granted for that particular resource. If not, the program will flow along a “N” path to a function block 114 to return an “access denied” error code. The program will then flow back to the input of function block 106. However, if access rights have been granted in accordance with the resource access table, the program will flow along a “Y” path from decision block 112 to a function block 116 to allow access to the system and then back to the input of function block 106. This will continue unless the resource is halted.
Referring now to
Referring now to
If access rights exist in the resource access table for the given resource, the program will then flow to function block 144 to determine if the mode of access that is requested by the requesting process is present in the resource access table, i.e., whether the resource access table has been set up to grant this mode of access to the given resource. An example of this would be a file that is defined as the resource with the modes being READ and WRITE, with either reading of the file from the disk or writing of the file to disk. The program will then flow to a decision block 146 to determine if the mode of access is available. If not, the program will flow along the “N” path back to the function block 142 and, if the mode of access is available, the program will flow along the “Y” path to a decision block 148 to determine if the requested resource and mode of access are valid for the requesting process. For example, a process may request access to a particular memory device or portion of a memory device and it may require access to that memory device for writing of information thereto. The system will first determine if the resource has access rights associated therewith and then check to see what mode of access is allowed. In this example, if the resource is available, it may have a mode of access available for reading and a mode of access available for writing. However, the resource access table may only grant reading rights to the requesting process. In this event, access will be denied. This is represented by the path that flows along the “N” path back to function block 142. If access is allowed, the program will flow along a “Y” path from decision block 148 to a function block 150 to grant access and then to a return block 152. The following is the process flow for the process generating the request: Process
The following is the process flow for the operating system when servicing the request: Operating System
The foregoing describes a system for providing process-based security to an operating system. In this security system, access to any resource on the system, although provided by the operating system, is restricted by the operating system to only those requested by a given process. Whenever a process, during operation thereof with the operating system, requires or requests access to a resource, the operating system makes a determination as to whether a resource can be made available for that given process. This is facilitated by storing access rights for any process in a resource access table. When a process is running on the system and it requests for its use a given resource, the operating system will then look up in the resource access table to determine if the resource is available and, if so, grant access to the resource.
It has been described hereinabove that a process-based security system controls access to resources via the process (i.e., application) that requests the resource. Experimentation and development have shown, however, that such a security system is is particularly efficient when implemented in a dedicated, or single-purpose environment, such as a web server, or other, computer appliance-type of application.
Thus, it can be appreciated that the process-based security described hereinbelow, as applied to a dedicated, single purpose computer system, could exhibit the following advantages:
-
- (1) prevent a user from loading their own applications into the system,
- (2) prevent a user from attempting to access files from uncontrolled processes, e.g., trying to load in a hex editor to obtain access to the sensitive files such as accounting records, etc.;
- (3) prevent access to all the resources in a system, even though individual resources are needed by a particular program or process;
- (4) process-based security, in a dedicated environment, is self contained, i.e., independent of the rest of the system, and is thus relatively easy to implement in existing systems;
- (5) process-based security is context-specific or can be made to be dynamic by the way in which resource access is interpreted; and
- (6) in a process-based security system, the user only has the right to execute a specific application or process and that process includes access rights only to specific resources keyed to the requesting process.
Referring to
Referring further to
The operating system 162 (OS 162) receives as inputs an indication of which of the process blocks 168 is running. In one embodiment the OS 162 may include or be responsive to a System Administrator function to set the parameters of the access control for the resources 172. The OS 162 in conjunction with the resource access table 164 then selects which of the resources 172 is authorized access. It is important to note that it is a request from a process 168 during the running of that process 168 that is utilized by the OS 162 to grant access to the resource access table 164.
Continuing with
In operation of the system 160 of
In an example of the operation of a process based security system, reference is made to Table 2:
For purposes of illustration, the example in Table 2 applies to a personal computer (PC) which is attached to a network and running an MS DOS operating system that is provided with process-based security. Although a PC is usually considered a general purpose system, the simplicity of the illustration provided by Table 1 applies equally well to a dedicated computer system. When the computer is started, as in step 1 in Table 1 described previously, any process to be run with the C:\ drive (denoted with the wild card designation *.*) and its sub-directories (denoted with the /S option on the end of the process name) is provided full access to any resource on the C:\ drive. Note also that the user can execute the resource. E:\LOGIN\LOGIN.EXE from the network but that all other resources from the network are not available to the computer at this time as being limited by the statement E:\LOGIN\LOGIN.EXE. This statement will be described further in the next paragraph. This example, so far, represents a user, on a computer, who can log into a network, but has not done so. In essence, the user can do anything with his or her local resources, but nothing with network resources, until they are identified to the network with the login program.
In step 2 in Table 2, when the user executes the E:\LOGIN\LOGIN.EXE process, the process changes from something on C:\ to LOGIN.EXE which is permitted to read the E:\SYSTEM\PASSWORDS file and execute the E:\PROGRAMS\MENU\MENU.EXE program. The file LOGIN.EXE is the network's method of identifying users of the network. Execution of LOGIN.EXE will verify the user through its read-only access to the E:\SYSTEM\PASSWORDS file. If the user is verified as a valid user, LOGIN.EXE will pass control on to step 3 and the process E:\PROGRAMS\MENU\MENU.EXE.
In step 3, when the file MENU.EXE is executed, it will read the appropriate menu options from its SCREENS file and display it for the user. MENU.EXE controls what programs can be executed and as such, it has been given rights to execute any program in the E:\PROGRAMS directory or any of E:\PROGRAMS sub-directories (this is denoted with the /S option after the partial wild card name *.EXE and *.COM as listed in the resources column of Table 2). In step 4, in the event the user executes the WP.EXE program, this process has full access to a local F:\LIBRARY directory, a shared G:\COMMON directory and the sub-directories of G:\COMMON. Step 4 may also represent a network, where personal files are stored in a user-related directory (F:\LIBRARY) and company shared documents are stored in a common directory (G:\COMMON).
In the preceding examples illustrated by Table 2, it can be seen that the user, because of the table which must be accessed during a resource request, cannot obtain access to the PASSWORDS file by any other process except via the LOGIN.EXE process. This process also determines how the user can deal with that particular file.
Referring now to
Continuing further with
A study of
During the interpretation step 220 of
As described in the foregoing, to provide process-based security access in a single-purpose “appliance” computer system, a resource access table (RAT) is bound to, i.e., associated with, the requesting process when the process or application is launched. The RAT contains entries in which the defined execution paths, i.e., process paths, are modified using meta symbols. These meta symbols provide instructions for interpreting the process or execution paths. For example, meta symbol entries enable the system to determine which part(s) of an entry in a RAT must be matched character-by-character to produce a valid comparison or which part(s) may be ignored or which part(s) has a substituted instruction, etc., in order to be granted the security access rights associated with that particular entry in the RAT. Each entry or statement in the RAT may correspond to a resource whose access is defined by the entry. For example, an unmodified entry in a RAT might appear as:
-
- PROGRAMS/WP/WP.EXE
- and the resources to be associated therewith might be:
- /HOME/$U/$P.
So, when a user initiates a program operation the command string is compared to the RAT entry. In this example, the meta symbol $U means that the current user name is substituted into the entry and permitted access to the respective resource. Similarly, the $P modifies the RAT entry and means that the rest of the path is ignored, i.e., it is “matched” no matter what the rest of the path is.
Referring now to
Continuing with
Suppose the user is operating in the HOME directory, and wishes to run a word processor (e.g. WordPerfect). The word processor program (application or process) is in the directory: /PROGRAMS/WP/WP.EXE. Here, the resource access table statement is: /HOME/$U/$S.WP, where $S is used as an intervening suffix. This statement limits access to files in the user's home directory (/HOME/$U/) that end in the characters WWP ($S.WP).
It will be appreciated in the foregoing example that any resource can be moved to any place in an execution path it is desired, merely by defining the access rights for that path in the Resource Access Table. Thus, the access rights “move” with the new placement of the resource. Further, many resources, e.g., utility programs, can be wild carded into part of an execution path. In effect, these programs are executed, not out of the original program or process but out of the resource access table 166. This provides a simple way to limit access rights—merely by statements in the resource access table. Moreover, since the substituted directory path identified the word processor WP in its execution path—and not some other resource such as an EXCEL program—access rights to EXCEL (or any other program that may be part of the system) are excluded from the WP program execution path.
Suppose, alternatively, the user is running EXCEL and wishes to use a spell check resource. Unless that spell check resource, which resides in the WP program, is included in the allowed access rights of the RAT entries for the EXCEL program any user attempt to access it from EXCEL will be denied. It will thus be appreciated that the process-based security described hereinabove provides the advantages of (1) preventing users from loading their own applications on a dedicated system configured according to the present disclosure; and (2) preventing users from attempting to access files via uncontrolled ways such as trying to load in a hex editor, e.g., to obtain access to accounting or other sensitive files.
EXAMPLE NO. 3 Consider a web server (WS) which can execute any common gateway interface (CGI) serving a plurality of companies, e.g., A, B, C, D, E and F. Prefixing is used to distinguish whose CGI is allowed execution (e.g., ABC/CGI for access to ABC/DATA directory but which may exclude DEF/CGI) by substitution according to a $E(#) meta symbol that identifies the path that is executable out of the original structure in the RAT. In the RAT, as illustrated in Table 4 hereinbelow, it is seen that there are two kinds of entries instead of one: one statement for the web server, another for the CGI for which access rights are defined. Table 4 illustrates a fragment of the RAT for Example 3.
Here, the path /PROGRAMS/ABC is granted access, according to the statement $E(2)/DATA/$P.
The resource access table 166 entries, thus modified by meta symbols, as described hereinabove, define both the access to resources and the execution path through the directory. The resource access table 166, uniquely determined for the dedicated, single purpose system, is called by the request for access made by the application or process. Thus, the entries in the resource access table are, at the same time, both statements of the access rights and statements of the execution path. In some operations, for example, a meta symbol (identified by a $ followed by a character) inserted into a statement in the resource access table may provide for, referring to Table 3:
-
- (1) association of user identity information with the application or process (user ID and a password, e.g.);
- (2) substitution of one user or a group of users for another user;
- (3) substitution of a part of one execution path for another one;
- (4) specifying at what point in the directory path the access begins, or how far into the directory the access rights extend; and
- (5) specifying an access path limited to a particular file name or keyed to the access of a particular file. The meta symbols enable modifications to the entries in the resource access table 166 with instructions that define, on the fly, the particular access rights available to a particular process. Thus, instead of just performing a string comparison of the access rights string (with a predetermined set of access rights) the string is read and interpreted, based on its content, as it proceeds on the execution path.
In summary, the process-based security as disclosed hereinabove is most efficiently applied to specific functions. The operating system 162 of the dedicated, single-purpose system 160 is bundled only with the specific applications 168 needed including the resource access tables 166 and the necessary code to implement the use of the meta symbols and the process-based security access. Only internal resources are affected. Requests for access to resources 172 are processed from within the particular process or application 168 before invoking the operating system 162 but before the request handler is invoked.
With reference to
A first user 300 is authenticated by an authentication agent in the operating system 60 or process-based security module 76 of a computer. Once the first user 300 has established an authenticated identity, the process based security system loads the first user resource access table 312 in database 310. The first user resource access table 312 includes permissions, establishing the resources available to each process that is available to the first user. A first process permission table 314 includes a list of files, directories and other processes that may be accessed by the first user 300 through the first process 302. A second process permission table 316 includes a list of files, directories and other processes that may be accessed by the first user 300 through the second process 306. The first process 302 sends calls to the OS 60, requesting access to a resource 324. A process-based security module 76 consults database 310 for the first user resource access table 312, including the first process resource access table 314. If the requested resource 324 is identified in the first process resource access table 314 of the first user resource access table 312, first process 302 is given access to the requested resource 324.
When the first user 300 accesses a second process 306, the second process 306 is given access to resources 326 in accordance with a second process resource access table 316 in the first user resource access table 312. The resources 324 available to the first user 300 in the first process 302 will only be available to the first user 300 in the second process 306 where the resource 324 is identified as available to the first and second processes in their respective process resource access table in the first user resource access table 312.
A second user 304 is authenticated by the operating system 60. The process-based security module 76 reads the second user resource access table 318 in database 310. When the second user 304 accesses the first process 302, the process-based security module 76 checks the first process 302 access permissions with reference to the second process resource access table 320 of the second user resource access table 318. If the second user 304 does not have permission to access the second process 306, there is no second process resource access table in the second user resource access table 318, or the second process resource access table for that user is given a null value. A third process 308 accessed by the second user 304 is governed by the third process resource access table 322 of the second user resource access table 318.
The resources available to the first process 302 depend on the identity of the user that has been identified to the system. The use of a user name meta-symbol ($U) in the resource access tables allows the system to identify resources based on the name of the user associated with the process. For example, the resource access table may provide permission for each user to a directory that has been named using the user name. The multi-user process based security system is particularly useful where the system is a web-server or any system having multiple users and a need to control access.
Because the operating system checks the authorization of every resource call, the security of data, such as password files, does not need to depend on encryption or other forms of masking. Typical prior art systems do not save passwords in cleartext, but instead save hashes of the passwords. When the password is set using a set password function, the password is hashed and stored in association with a username. A login process may request a username and password. The password is hashed and the username is used to retrieve the hash of the password associated with the username. If the two hashes match, the user is authenticated.
In accordance with the preferred embodiment, a given resource can only be accessed by an authorized user using an authorized process. This allows a password file to be stored as cleartext, which allows greater flexibility in the use of the password in key exchange protocols.
With reference to
The authentication module works in conjunction with the process based security system to authenticate users to any process that calls on it. In the simplest embodiment, the authentication module receives usernames and passwords and compares the received password with a stored password associated with the username. In accordance with the preferred embodiment, the authentication module uses a handshaking operation to authenticate the user.
The user or client initiates the authentication process in step 330. The authentication process may be initiated by executing a login program, by executing a task that calls on a login program, or by selecting some function in a program that requires authentication before it will proceed. When the authentication process has been initiated, the authenticating process sends a request for a random number (RN) from the authentication module at step 332.
When the authenticating process sends a request for a random number to the authentication module, the operating system using process-based security will check to see if the authenticating process is authorized to access the authentication module. Only the processes listed in the resource access table will be able to access the authentication module.
The authentication module generates a random number (RN) in step 334. In accordance with the preferred embodiment, the random number (RN) is a sixteen byte cryptographically strong random number. In accordance with the preferred embodiment, the system uses random numbers that are cryptographically strong random numbers, created using processed noise. Other forms of random numbers may be used, as appropriate, including pseudo-random numbers. Pseudo-random numbers may be necessary in protocols where the random numbers need to be reproducible. Preferably, the random numbers are sixteen byte random numbers, although any length random number may be used as appropriate. The authentication module modifies the authenticating process' task structure to reflect the pending authentication request and to restrict access to data storage where the random number (RN) will be stored in step 336. The random number is stored (RNs) at a designated storage location with restricted access in step 338. The random number (RNa) is also sent to the authenticating process in step 340. RNs RNa
The user enters a username (USERID) and a password (PWa) in step 342. In a client/server environment, where a process run on the client machine is calling an authenticating process on the server, the username (USERID) and password (PWa) may be kept at the client. In this case, the authenticating process may forward the random number (RNa) to the client. The client uses the password (PWa) and the random number (RNa) to generate a hash H(PWa,RNa) at step 344. In accordance with the preferred embodiment the password (PWa) and the random number (RNa) are concatenated, with the concatenation serving as the data hashed. A keyed hash function, such as a keyed MD5 hash, may use the password (PWa) as the data hashed and the random number (RNa) as the key (K).
In a local environment where a user is communicating directly with the authenticating process, the user submits the username (USERID) and password (PWa) to the authenticating process. The authenticating process generates the hash H(PWa,RNa).
In either case, the username (USERID) and the hash H(PWa,RNa) is sent to the authentication module in step 346. The authentication module checks the task structure of the authenticating process to determine if there is an outstanding request for authentication in step 348. If there is no outstanding request for authentication, the authentication module does not proceed with the authentication process. This deters a malicious user from using a brute force attack against an unchanged stored random number (RNs) by submitting false hashes H(??, RNs) until authentication is achieved. By performing this check of the task structure, the authentication process changes the random number (RNs) for each attempted authentication, reducing the effectiveness of a brute force attack.
If the task structure of the authenticating process shows a pending request for authentication, the authentication module retrieves the stored random number (RNs) in step 350. The authentication module retrieves a stored password (PWs) associated with the username (USERID) at step 352. The authentication module uses the stored password (PWs) and the stored random number (RNs) to calculate a hash H(PWs,RNs) at step 354. The received hash H(PWa,RNa) is compared to the calculated hash H(PWs,RNs) at step 356. If the hashes are equal, H(PWa,RNa)=H(PWs,RNs), then the user is authenticated. If the hashes are not equal, the authentication process fails.
In either instance, the authentication module modifies the task structure of the authenticating process to reflect the completion of the pending authentication process at step 358. This prevents further attempts at authentication without generating a new random number (RN). The authentication module may set the user as the username (USERID) in the task structure of the authenticating process in step 360. The authentication is communicated to the authenticating process, which may set the user as the username (USERID) for the application settings in step 362.
With reference to
With reference to
The client, or more specifically a process operating in a client relationship with a server, requests a key exchange from the server in step 374. The client sends the username (USERID) to the server in step 375, unless the user has already been authenticated to the system, in which case the server uses the authenticated username. A user enters a password (PW) at the client at step 377. The password (PW) is typically not transmitted to the server.
The authentication module in step 376 modifies the client task structure to reflect the key exchange process initiation. The server generates a first random number (RN1) in step 378 and sends the first random number (RN1) to the client. In accordance with the preferred embodiment, the system uses random numbers that are cryptographically strong random numbers, created using processed noise. Other forms of random numbers may be used, as appropriate, including pseudo-random numbers. Pseudo-random numbers may be necessary in protocols where the random numbers need to be reproducible. Preferably, the random numbers are sixteen byte random numbers, although any length random number may be used as appropriate. Depending on the hash function used, the length of the random number and the strength of the randomization function may affect the strength of the key generated, so the random number generation process used should be chosen accordingly.
The server retrieves the password (PW) associated with the username (USERID) from data storage in step 382. Both the client in step 382 and the server in step 384 independently calculate a hash H(PW,RN1) based on the password (PW) and the first random number (RN1). In accordance with the preferred embodiment, a keyed MD5 signature function is used as the key generating hash function. Other signature or hash functions with sufficient pseudo-random distributions may be used. A first key (K1) is set as equal to the hash H(PW,RN1) in step 386 at the client and step 388 at the server. In one embodiment, the first key (K1) may be used as a symmetric key for all communications between the client and server for the session. In the preferred embodiment, the server sends a second random number (RN2) to the client in step 392, and a second hash is performed by both the client in step 394 and server at step 396 H(PW,RN2) to generate a second key (K2) at step 400 for the client and 398 for the server. The first key (K1) may be used to symmetrically encrypt communications from the server to the client, while the second key (K2) may be used to symmetrically encrypt communications from the client to the server. Once the keys are generated, the authentication module modify the task structure for the client in step 402, ending the key generation process.
The process-based security system can be used to facilitate secure financial transactions over a network. A typical Internet commerce system allows users to make purchases using a credit card. In order to save the user time and encourage further purchases, the Internet commerce system may save the credit card number, as well as other data used to validate the credit card number such as the expiration date or CCV number. In the event that the Internet commerce system server is compromised, either by hackers or insiders, the credit card numbers may be stolen and abused. Implementing a process-based security system on the Internet commerce system server could secure the credit card number database, but in some cases the implementation may be too extensive a change.
With reference to
When the buyer initiates the purchase at the point-of-sale server at step 404, the buyer is typically authenticated to the point-of-sale server using a standard authentication technique. With knowledge of the buyer's identity, the point-of-sale server retrieves one or more stored portions of credit card numbers in step 406, allowing the buyer to choose one of those credit card to complete the transaction. Because the storage of credit card numbers at the point-of-sale server is insecure, in accordance with one embodiment, the point-of-sale server displays only the last four numbers of the credit card numbers, uniquely identifying the buyer's credit cards without revealing the actual credit card number.
When the buyer has selected a credit-card to use for the purchase in step 408, the point-of-sale server correlates a credit card identifier with the portion of the credit card number that has been selected. The credit card identifier is a number previously defined by the process-based security server to serve as a representation of the credit card in communication between the point-of-sale server and the process-based security server. The point-of-sale server sends the credit card identifier to the process-based security server, along with any necessary transaction data such as the amount of purchase in step 410.
The process-based security server receives the credit card identifier and retrieves the associated credit card number, expiration data and CCV number from secured storage in step 412. Because the process-based security server can control access to the sensitive data, the credit card numbers stored at the process-based security server cannot be compromised by hackers or malicious insiders. The credit card number, along with the expiration date and the CCV number, are sent to a financial server associated with the chosen credit card in step 414. The financial server processes the transaction and sends a message either approving or denying the transaction to the point-of-sale server in step 416. In some embodiments, the message may be sent to the process-based security server to be forwarded to the point-of-sale server. If the transaction has been approved, the point-of-sale server completes the transaction with the buyer in step 418. If the transaction has been denied, the point-of-sale server informs the buyer of the denial. In either case, the process-based security server may generate a new credit card identifier in step 420. The new credit card identifier is stored in the process-based server in association with the credit card number data and sent to the point-of-sale server to replace the old credit card identifier in step 422. This continual refreshing of the credit card identifier limits any possible damage caused by intercepting a communication containing the credit card identifier, as the identifier ceases to be valid after one attempted use.
Another use of the process-based security system is for secure file transfer. With reference to
With reference to
A process-based security system may be used on a server in a network computing environment, on any computer or computing device, either in isolation or working as a client connected to a server. Other digital devices suitable for implementing operating system level access protection, such as laptops, hand-held computing devices, personal digital assistants (PDA), or cellular telephones, may implement process-based security.
Although the illustrative embodiment has been described in detail, it should be understood that various changes, substitutions and alterations can be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims
1. A method of performing a financial transaction over a network comprising the steps of:
- generating an identifier corresponding to a credit card number at a financial transaction server;
- sending said identifier to a point-of-sale server;
- receiving said identifier at said financial transaction server from said point-of-sale server when a financial transaction is undertaken;
- retrieving said credit card number corresponding with said received identifier; and
- sending said retrieved credit card number to a financial server.
2. The method of claim 1, further comprising the steps of:
- generating a second identifier corresponding to said credit card number; and
- sending said second identifier to said point-of-sale server, such that a subsequent financial transaction will use said second identifier.
3. The method of claim 1, wherein said financial transaction server includes a process-based security system.
4. The method of claim 3, wherein said process-based security system includes an operating system using process-based security.
5. The method of claim 4, wherein said operating system intercepts a file call to read a file and determines an authorization of the file call before permitting the file to be read.
6. The method of claim 5, wherein said authorization is determined by accessing a resource access table.
7. The method of claim 6, wherein said resource access table indicates access authorization for a process, such that a process is unable to access a file unless the resource access table indicates authorization for that file.
8. The method of claim 1, further comprising the step of authenticating the point-of-sale server at the financial transaction server and loading a resource access table associated with the authenticated point-of-sale server.
9. The method of claim 6, further comprising the step of authenticating the point-of-sale server at the financial transaction server and loading a resource access table associated with the authenticated point-of-sale server.
10. The method of claim 9, wherein said resource access table indicates access authorization for a process, such that a process is unable to access a file unless the resource access table indicates authorization for that file.
11. A transaction server for performing a financial transaction over a network comprising:
- a processor for executing processes;
- a memory connected to said process;
- a network connection for connecting the processor to a point-of-sale server and a financial server;
- wherein said processor generates an identifier to correspond with a credit card number and stores the identifier and corresponding credit card number in memory, such that when a point-of-sale server transmits said identifier to said transaction server, said processor retrieves the credit card number corresponding to said identifier and transmits said credit card number to said financial server.
12. The transaction server of claim 11, wherein said processor generates a second identifier corresponding to said credit card number; and sends said second identifier to said point-of-sale server, such that a subsequent financial transaction will use said second identifier.
13. The transaction server of claim 11, wherein said transaction server includes a process-based security system.
14. The transaction server of claim 13, wherein said process-based security system includes an operating system using process-based security.
15. The transaction server of claim 14, wherein said operating system intercepts a file call to read a file and determines an authorization of the file call before permitting the file to be read.
16. The transaction server of claim 15, wherein said authorization is determined by accessing a resource access table.
17. The transaction server of claim 16, wherein said resource access table indicates access authorization for a process, such that a process is unable to access a file unless the resource access table indicates authorization for that file.
18. The transaction server of claim 11, further comprising the step of authenticating the point-of-sale server at the financial transaction server and loading a resource access table associated with the authenticated point-of-sale server.
19. The transaction server of claim 16 wherein the point-of-sale server is authenticated by the transaction server and wherein said transaction server loads a resource access table associated with the authenticated point-of-sale server.
20. The transaction server of claim 19, wherein said resource access table indicates access authorization for a process, such that a process is unable to access a file unless the resource access table indicates authorization for that file.
Type: Application
Filed: Aug 5, 2003
Publication Date: Mar 10, 2005
Inventor: Vincent Larsen (Plano, TX)
Application Number: 10/635,755