US010432595B2
`
`a2) United States Patent
`US 10,432,595 B2
`(0) Patent No.:
`Oct. 1, 2019
`(45) Date of Patent:
`Frederick et al.
`
`(54) SECURE SESSION CREATION SYSTEM
`UTILILIZING MULTIPLE KEYS
`
`(56)
`
`References Cited
`U.S. PATENT DOCUMENTS
`
`(71) Applicant: BANK OF AMERICA
`CORPORATION, Charlotte, NC (US)
`
`(72)
`
`Inventors: Carl R. Frederick, Lexington, OH
`(US); Joel S. Kazin, Pleasantville, NY
`(US)
`
`(73) Assignee: BANK OF AMERICA
`CORPORATION, Charlotte, NC (US)
`
`(*) Notice:
`
`Subject to any disclaimer, the term ofthis
`patent is extended or adjusted under 35
`U.S.C. 154(b) by 196 days.
`
`(21) Appl. No.: 15/453,644
`
`(22)
`
`Filed:
`
`Mar.8, 2017
`
`(65)
`
`Prior Publication Data
`
`US 2018/0262472 Al
`
`Sep. 13, 2018
`
`(51)
`
`(2006.01)
`(2006.01)
`(2006.01)
`(2006.01)
`
`Int. Cl.
`HOAL 29/06
`HOAL 92
`HOAL 9/08
`HOAL 9/00
`(52) U.S. Cl.
`CPC wee HOAL 63/045 (2013.01); HO4L 9/006
`(2013.01); HO4E 9/0819 (2013.01); HO4L
`9/3247 (2013.01); HO4L 9/3268 (2013.01);
`HOA4L 63/0435 (2013.01); HO4L 63/0823
`(2013.01); HO4E 63/126 (2013.01); HO4L
`2463/062 (2013.01)
`
`(58) Field of Classification Search
`CPC ... HO4L 9/0819; HO4L 9/0822; HO4L 9/0825;
`HO4L 9/085
`
`5,003,597 A
`5,606,617 A
`5,799,088 A
`6,097,811 A
`6,108,788 A
`6,134,327 A
`
`3/1991 Merkle
`2/1997 Brands
`8/1998 Raike
`8/2000 Micali
`8/2000 Moseset al.
`10/2000 Van Oorschot
`(Continued)
`
`OTHER PUBLICATIONS
`
`Layered email encryption with multiple private keys on separate
`media; https://security.stackexchange.com/questions/46430/layered-
`email-encryption-with-multiple-private-keys-on-separate-media; Dec.
`9, 2013 (Year: 2013).*
`
`(Continued)
`
`Primary Examiner — James R Turchen
`(74) Attorney, Agent, or Firm — Michael A. Springs;
`Moore & Van Allen PLLC; Jeffrey R. Gray
`
`(57)
`
`ABSTRACT
`
`Systems, computer products, and methods are described
`herein for an improvedsecure certificate system thatutilizes
`multiple digital signatures, and in some cases multiple
`public keys within one or morecertificates. The improved
`secure certificate systems allows for additional security by
`having multiple certification authorities validate the organi-
`zation as the owner of the organization application (e.g.,
`website, dedicated application, or the like), as well as
`allowing for the use of the multiple digital signatures and/or
`certificates to provide seamless verification of the organiza-
`tion application should one or more ofthe digital signatures
`and/or certificates become compromised. Moreover, secu-
`rity may be improved by utilizing multiple public keys to
`encrypt a session key for use in sending and receiving data.
`
`See application file for complete search history.
`
`18 Claims, 6 Drawing Sheets
`
`
`400 ™,
`SDENTIFY THE STATUS OF THE TWO OR MORE CERTIFICATES OR TWO OR MOREL'GITAL SIGNATURES
`Ato
`
`—>—_4
`DETERMINE THAT NONE OF THE TWO OR WORE
`CERTIFICATES OR NONE OF THE DIGITAL
`SIGNATURES ARE VERIFIED (E.G.. ALL EXPIRED.
`EXPIRED, REVOKED, OR COMPROMISED)
`REVOKED, OR COMPROMISED)
`430
`
`—
`
`NOTIEYTHE USER APPLICATION (E.G., USER) THAY NONE OF THE CERTIFICATES ARE VERIFIED AND
`REQUESTAPPROVALTO PROCEED WITH THE INTERACTION
`
`
`
`
`
`438
`
`
`
`UTILIZE AT LEAST TWO OR MOREOF THE PUSLIC KEYS FROMTHE TWO OR MORE CERTIFICATES OR ASSOCIATED
`WITH THE TWO OR MOREDIGITAL SIGNATURES TO ENCRYPTASESSION KEY(E.G., ENCRYPTUTILIZING A CHAIN
`GF TWG OR MORESESSION KEYS, BY UTILIZING A BOX WITHIN A BOX USING TWO OR MORE SESSION KEYS, USING
`AFUNCTION, OR THE LIKE}
`440
`
`SEND THE ENCRYPTED SESSION KEV, AND IN SOME EMBODIMENTS SEND THE DECRYPTION ORDER (E.G, THE
`PUBLIC KEY ENCRYPTION ORDER,OR THELiKE} TO THE ORGANIZATION APPLICATION
`
`
`THE ORGANIZATION APPLICATION DECRYPTS THE ENCRYPTED SESSION KEY USING THETWO OR MORE PRIVATE
`HEYS PAIRED WITH THE TWO OR MORE PUBLIC XEYS AND TRE DECRYPTION ORDER(E.G., THE PUBLIC KEY
`ENCRYPTION ORDER, A PRE-DETERMINED ENCRYPTION ORDER, OR THELIKE)
`450
`
`‘THE USER APPLICATION AND THE ORGANIZATION APPLICATION UTILIZE THE SESSION KEY (E.G., THE SYMMETRIC.
`SESSION KEY} TO SECURELY TRANSFERINFORMATION ASSOCIATED WITH THE INTERACTION
`40
`
`Page 1 of 27
`
`ironSource Exhibit 1021
`ironSource Ltd. v. Digital Turbine Inc. PTAB-PGR2021-00096
`
`
`
`a2) United States Patent
`US 10,432,595 B2
`(0) Patent No.:
`Oct. 1, 2019
`(45) Date of Patent:
`Frederick et al.
`
`(54) SECURE SESSION CREATION SYSTEM
`UTILILIZING MULTIPLE KEYS
`
`(56)
`
`References Cited
`U.S. PATENT DOCUMENTS
`
`(71) Applicant: BANK OF AMERICA
`CORPORATION, Charlotte, NC (US)
`
`(72)
`
`Inventors: Carl R. Frederick, Lexington, OH
`(US); Joel S. Kazin, Pleasantville, NY
`(US)
`
`(73) Assignee: BANK OF AMERICA
`CORPORATION, Charlotte, NC (US)
`
`(*) Notice:
`
`Subject to any disclaimer, the term ofthis
`patent is extended or adjusted under 35
`U.S.C. 154(b) by 196 days.
`
`(21) Appl. No.: 15/453,644
`
`(22)
`
`Filed:
`
`Mar.8, 2017
`
`(65)
`
`Prior Publication Data
`
`US 2018/0262472 Al
`
`Sep. 13, 2018
`
`(51)
`
`(2006.01)
`(2006.01)
`(2006.01)
`(2006.01)
`
`Int. Cl.
`HOAL 29/06
`HOAL 92
`HOAL 9/08
`HOAL 9/00
`(52) U.S. Cl.
`CPC wee HOAL 63/045 (2013.01); HO4L 9/006
`(2013.01); HO4E 9/0819 (2013.01); HO4L
`9/3247 (2013.01); HO4L 9/3268 (2013.01);
`HOA4L 63/0435 (2013.01); HO4L 63/0823
`(2013.01); HO4E 63/126 (2013.01); HO4L
`2463/062 (2013.01)
`
`(58) Field of Classification Search
`CPC ... HO4L 9/0819; HO4L 9/0822; HO4L 9/0825;
`HO4L 9/085
`
`5,003,597 A
`5,606,617 A
`5,799,088 A
`6,097,811 A
`6,108,788 A
`6,134,327 A
`
`3/1991 Merkle
`2/1997 Brands
`8/1998 Raike
`8/2000 Micali
`8/2000 Moseset al.
`10/2000 Van Oorschot
`(Continued)
`
`OTHER PUBLICATIONS
`
`Layered email encryption with multiple private keys on separate
`media; https://security.stackexchange.com/questions/46430/layered-
`email-encryption-with-multiple-private-keys-on-separate-media; Dec.
`9, 2013 (Year: 2013).*
`
`(Continued)
`
`Primary Examiner — James R Turchen
`(74) Attorney, Agent, or Firm — Michael A. Springs;
`Moore & Van Allen PLLC; Jeffrey R. Gray
`
`(57)
`
`ABSTRACT
`
`Systems, computer products, and methods are described
`herein for an improvedsecure certificate system thatutilizes
`multiple digital signatures, and in some cases multiple
`public keys within one or morecertificates. The improved
`secure certificate systems allows for additional security by
`having multiple certification authorities validate the organi-
`zation as the owner of the organization application (e.g.,
`website, dedicated application, or the like), as well as
`allowing for the use of the multiple digital signatures and/or
`certificates to provide seamless verification of the organiza-
`tion application should one or more ofthe digital signatures
`and/or certificates become compromised. Moreover, secu-
`rity may be improved by utilizing multiple public keys to
`encrypt a session key for use in sending and receiving data.
`
`See application file for complete search history.
`
`18 Claims, 6 Drawing Sheets
`
`
`400 ™,
`SDENTIFY THE STATUS OF THE TWO OR MORE CERTIFICATES OR TWO OR MOREL'GITAL SIGNATURES
`Ato
`
`—>—_4
`DETERMINE THAT NONE OF THE TWO OR WORE
`CERTIFICATES OR NONE OF THE DIGITAL
`SIGNATURES ARE VERIFIED (E.G.. ALL EXPIRED.
`EXPIRED, REVOKED, OR COMPROMISED)
`REVOKED, OR COMPROMISED)
`430
`
`—
`
`NOTIEYTHE USER APPLICATION (E.G., USER) THAY NONE OF THE CERTIFICATES ARE VERIFIED AND
`REQUESTAPPROVALTO PROCEED WITH THE INTERACTION
`
`
`
`
`
`438
`
`
`
`UTILIZE AT LEAST TWO OR MOREOF THE PUSLIC KEYS FROMTHE TWO OR MORE CERTIFICATES OR ASSOCIATED
`WITH THE TWO OR MOREDIGITAL SIGNATURES TO ENCRYPTASESSION KEY(E.G., ENCRYPTUTILIZING A CHAIN
`GF TWG OR MORESESSION KEYS, BY UTILIZING A BOX WITHIN A BOX USING TWO OR MORE SESSION KEYS, USING
`AFUNCTION, OR THE LIKE}
`440
`
`SEND THE ENCRYPTED SESSION KEV, AND IN SOME EMBODIMENTS SEND THE DECRYPTION ORDER (E.G, THE
`PUBLIC KEY ENCRYPTION ORDER,OR THELiKE} TO THE ORGANIZATION APPLICATION
`
`
`THE ORGANIZATION APPLICATION DECRYPTS THE ENCRYPTED SESSION KEY USING THETWO OR MORE PRIVATE
`HEYS PAIRED WITH THE TWO OR MORE PUBLIC XEYS AND TRE DECRYPTION ORDER(E.G., THE PUBLIC KEY
`ENCRYPTION ORDER, A PRE-DETERMINED ENCRYPTION ORDER, OR THELIKE)
`450
`
`‘THE USER APPLICATION AND THE ORGANIZATION APPLICATION UTILIZE THE SESSION KEY (E.G., THE SYMMETRIC.
`SESSION KEY} TO SECURELY TRANSFERINFORMATION ASSOCIATED WITH THE INTERACTION
`40
`
`Page 1 of 27
`
`ironSource Exhibit 1021
`ironSource Ltd. v. Digital Turbine Inc. PTAB-PGR2021-00096
`
`
`
`US 10,432,595 B2
`
`Page 2
`
`2009/0310789 Al
`2010/0211787 Al*
`
`2011/0202755 Al
`2012/0246065 Al*
`
`12/2009 Sie et al.
`8/2010 Bukshpun ............. HO4L 9/0838
`713/170
`
`8/2011 Orsiniet al.
`9/2012 Yarvis ....ce G06Q 30/02
`705/39
`............. HOAL 9/3268
`713/158
`............. HO4L9/008
`380/30
`7/2013) Aaron wo. G06Q 20/02
`705/14.51
`2013/0290701 Al* 10/2013 Takenaka .............. HO4L 9/0833
`713/153
`
`2013/0036303 Al*
`
`2/2013 Himawan.
`
`2013/0051551 Al*
`
`2/2013 El Aimani
`
`2013/0185152 AL*
`
`2014/0032913 Al
`2014/0059354 Al
`2014/0189351 Al*
`
`2014/0258724 Al*
`
`9/2014 Lambert
`
`2014/0281477 Al*
`
`2014/0281502 Al*
`
`2015/0058629 AL*
`
`2015/0188704 Al*
`
`1/2014 Tenenboym et al.
`2/2014 Jiang et al.
`7/2014 Steely oo... GO6F 21/608
`713/168
`............. HO4L 63/062
`713/170
`9/2014 Nayshtut ............. HO4L 9/0825
`713/150
`9/2014 Keung Chan ......... HO4L 9/3265
`713/157
`2/2015 Yarvis wo... HO4L 63/061
`TA3/171
`7/2015 Takenaka .............. HO4L 9/0869
`TA3/171
`2015/0287030 Al* 10/2015 Sagady ........... G06Q 20/3829
`705/71
`
`2015/0381374 Al
`2016/0043870 Al*
`
`2016/0173287 Al*
`
`12/2015 Zombik
`2/2016 AvanZi ...... HO4L9/302
`713/176
`6/2016 Bowen occ HO4L9/321
`713/156
`
`(56)
`
`References Cited
`
`U.S. PATENT DOCUMENTS
`
`Van Oorschotetal.
`Geer, Jr. et al.
`Bisbeeetal.
`Samar
`Micali
`ROSner wo. eee HO4L 9/0833
`713/178
`
`Weidong
`Mancini etal.
`Wildish et al.
`Yasalaet al.
`Ramzan etal.
`Wildish et al.
`Guptaetal.
`Spies ccc HO4L 9/3073
`380/281
`
`Guoetal.
`Johnson
`Vanstone
`Jiang vce HO4L 9/0825
`709/227
`
`Kapoor
`Maesetal.
`Schiefelbein
`Lazieret al.
`Watsen cee HO4L 9/3263
`713/157
`
`Brown
`YUNG veces HO4L 9/0618
`Raman etal.
`Furukawa oo... HO4L 9/3271
`380/28
`Wenocur oo... G06Q 10/107
`726/4
`
`Zuccherato
`Wenocur oo... G06Q 10/107
`709/206
`
`10/2000
`4/2001
`5/2001
`10/2001
`11/2002
`* 10/2003
`
`11/2004
`3/2005
`9/2006
`10/2006
`1/2008
`6/2008
`8/2008
`8/2009
`
`6/2011
`2/2012
`6/2013
`1/2014
`
`1/2014
`4/2014
`7/2014
`9/2014
`2/2015
`
`1/2016
`2/2016
`9/2016
`9/2001
`
`1/2003
`
`1/2003
`2/2003
`
`*
`
`*
`
`*
`
`*
`
`*
`
`*
`
`*
`
`AB
`
`l
`Bl
`Bl
`Bl
`Bl
`
`Bl
`Bl
`B2
`B2
`B2
`B2
`Bl
`Bl
`
`B2
`B2
`B2
`B2
`
`B2
`B2
`B2
`Bl
`Bl
`
`B2
`B2
`Bl
`Al
`
`6,134,550
`6,212,634
`6,237,096
`6,304,974
`6,487,658
`6,636,968
`
`6,819,766
`6,865,674
`7,103,774
`7,130,999
`7,315,941
`7,383,434
`7,412,524
`7,580,521
`
`7,971,240
`8,116,451
`8,457,307
`8,626,929
`
`8,627,085
`8,689,346
`8,776,192
`8,850,288
`8,954,732
`
`9,240,884
`9,264,221
`9,455,994
`200 1/0024501
`
`2003/0009694
`
`Al
`
`2003/00 14629
`2003/004 1110
`
`Al
`Al
`
`6/2016 Cignetti
`2016/0182473 Al
`7/2016 Adams
`2016/0218881 Al
`2016/0292447 Al* 10/2016 Lawrence........... GO6F 21/6218
`2016/0337484 Al* 11/2016 Tola.......
`.. HO4L 12/6418
`2017/0012950 Al*
`1/2017 Kim ...
`.. HO4L 63/0442
`
`2/2017 Nicholls 0.0... HO4L 9/0825
`2017/0041132 Al*
`3/2017 Kumar uu... HO4L 9/3263
`2017/0070485 Al*
`w. GOOF 16/29
`2017/0078094 Al*
`3/2017 Olson ....
`
`4/2017 Robertson .
`.. HO4L 63/062
`2017/0099269 Al*
`.. HO4L 9/0822
`2017/0180122 Al*
`6/2017 Smith ....
`
`8/2017 Schafer .....
`.. HO4L 63/045
`2017/0223529 Al*
`2017/0289137 Al* 10/2017 Pendarakis......... HO4L 63/0823
`
`OTHER PUBLICATIONS
`
`Yao, Y., Yang, L.T. and Xiong, N.N., 2015. Anonymity-Based
`Privacy-Preserving Data Reporting for Participatory Sensing. IEEE
`Internet of Things Journal, 2(5), pp. 381-390. (Year: 2015).*
`How to decrypt a file encrypted under multiple public keys GPG;
`https://security.stackexchange.com/questions/117600/how-to-decrypt-
`a-file-encrypted-under-multiple-public-keys-gpg; Mar. 16, 2016 (Year:
`2016).*
`Maurer, U.M. and Massey, J.L., 1993. Cascade ciphers: The impor-
`tance of being first. Journal of Cryptology, 6(1), pp. 55-61. (Year:
`1993).*
`Even, S. and Goldreich, O., 1985. On the power of cascade ciphers.
`ACMTransactions on Computer Systems (TOCS), 3(2), pp. 108-
`116. (Year: 1985).*
`Xavier Boyen, Mesh Signatures: How to Leak a Secret with
`Unwitting and Unwilling Participants, 2007, Eurocrypt 2007, LNCS
`4515 , pp. 210-227 (Year: 2007).
`Lein Ham, Chu-Hsing Lin, Contract signature in e-commerce, 2011,
`Computers and Electrical Engineering 37 (2011) 169-173 (Year :
`2011).
`
`* cited by examiner
`
`2003/0079 136
`2003/0081789
`
`2003/0133566
`2004/0037424
`
`Al
`Al
`
`Al
`Al
`
`2004/0236953
`
`Al
`
`2005/002 1969
`
`Al
`
`2005/0033956
`2005/0033957
`2005/008 1038
`
`Al
`Al
`Al
`
`*
`
`*
`
`*
`
`*
`
`*
`
`4/2003
`5/2003
`
`7/2003
`2/2004
`
`11/2004
`
`1/2005
`
`2/2005
`2/2005
`4/2005
`
`2005/0220095
`
`Al
`
`* 10/2005
`
`2006/0155984
`2006/02 12706
`
`Al
`Al
`
`*
`
`7/2006
`9/2006
`
`2006/0274856
`
`Al
`
`* 12/2006
`
`2007/00740 19
`
`Al
`
`2007/0083757
`
`Al
`
`2007/0195950
`
`Al
`
`2007/0206787
`
`Al
`
`*
`
`*
`
`*
`
`*
`
`2008/0034204
`2008/0162357
`2008/0216147
`
`3/2007
`
`4/2007
`
`8/2007
`
`9/2007
`
`2/2008
`7/2008
`9/2008
`
`Ericta et al.
`Numao once HO4L 9/085
`380/278
`
`Soldera
`Numao once HO4L 9/083
`380/277
`Merenne............. HO4L 63/0442
`713/182
`Williams ........... HO4L 9/3268
`713/176
`
`Krempl
`Enokida
`Arditti Modiano ... H04L 9/3255
`713/176
`Narayanan ............ HO4L 63/126
`370/389
`
`Tsuchida et al.
`Jiang vce HO4L 9/0825
`713/176
`DUNN wees H04K 1/00
`375/316
`Seidel we HO04L 63/0823
`713/156
`Nakano oo... eee GO6F 21/10
`713/168
`Kudelski oo... HOAN 7/162
`380/30
`Bell veces HO4L 9/0825
`380/30
`
`Lakshminarayanan
`Gerardi etal.
`Duffy
`
`Page 2 of 27
`
`
`
`U.S. Patent
`
`Oct. 1, 2019
`
`Sheet 1 of6
`
`US 10,432,595 B2
`
`Fic. 1
`
`FIRST
`USER
`4
`
`
`COMMUNICATION COMPONENT22
`
`
`
`PROCESSING COMPONENT24
`
`
`
`
`
`MEMORY COMPONENT26
`
`COMPUTER READABLE
`INSTRUCTIONS 28
`
`
`USER APPLICATION E.G.
`WEB BROWSER,
`SPECIALIZED APP, OR THE
`LIKE)
`72
`
`DATASTORE29 COMPUTER
`
`SYSTEMS
`20
`
`COMMUNICATION COMPONENT12
`
`PROCESSING COMPONENT 14
`
`MEMORY COMPONENT 16
`COMPUTER READABLE
`INSTRUCTIONS 18
`ORGANIZATION
`APPLICATION(E.G., WEBSITE
`APPLICATION, SPECIALIZED
`APP., OR THE LIKE)
`7
`
`COMMUNICATION COMPONENT32 ORGANIZATION
`
`SYSTEMS
`10
`
`=
`°
`
`>
`S
`
`USER
`
`<7 &
`°
`APPLICATION
`SYSTEMS
`Ss
`SS
`50
`CERTIFICATE
`SYSTEMS
`40
`
`'
`
`PROCESSING COMPONENT 34
`
`MEMORY COMPONENT 36
`COMPUTER READABLE
`INSTRUCTIONS 38
`
`CERTIFICATE
`APPLICATION
`
`DATASTORE 39
`
`Page 3 of 27
`
`=
`
`S
`
`.
`d
`oS S
`CERTIFICATION
`AUTHORITY
`SYSTEMS
`30
`
`
`
`U.S. Patent
`
`Oct. 1, 2019
`
`Sheet 2 of6
`
`US 10,432,595 B2
`
`
`
`SEND A REQUEST FOR A SECURE CERTIFICATE TO TWO OR MORE CERTIFICATION AUTHORITIES (E.G., THE
`REQUEST MAY BE SENT TO TWO OR MORE CERTIFICATION AUTHORITIES WITH OR WITHOUT THE KNOWLEDGE
`
`
`OF THE OTHER CERTIFICATION AUTHORITIES, MAY BE SENT AT THE SAME TIME OR IN SUCCESSION, OR THE
`
`
`LIKE)
`
`
`410
`
`
`THE ONE OR MORE CERTIFICATION AUTHORITIES VET THE ORGANIZATION(E.G., THE CERTIFICATION
`AUTHORITIES MAY SEPARATELY VET THE ORGANIZATION TO VALIDATE THE ORGANIZATION ASSOCIATED WITH
`
`THE ORGANIZATION APPLICATION)
`120
`
`150
`
`RECEIVE ONE OR MOREDIGITAL CERTIFICATES FROM THE ONE OR MORE CERTIFICATION AUTHORITY (E.G.,
`RECEIVE TWO SEPARATEDIGITAL CERTIFICATES OR RECEIVE A SINGLE DIGITAL CERTIFICATE, EITHER HAVING A
`SINGLE PUBLIC/PRIVATE KEY PAIR OR TWO OR MOREPUBLIC/PRIVATE KEY PAIRS). THE ONE OR MOREDIGITAL
`CERTIFICATES MAY INCLUDE AT LEAST THE DOMAIN OWNER, ONE OR MORE DIGITAL SIGNATURES, AND THE
`ONE OR MORE PUBLIC KEYS. EACH PUBLIC KEY HAS A MATCHING PRIVATE KEY THAT IS STORED AND KNOWN
`ONLY BY THE ORGANIZATION REQUESTING THE CERTIFICATE.
`140
`
`RECEIVE APPROVAL FOR A CERTIFICATE FROM THE ONE OR MORE CERTIFICATION AUTHORITIES(E.G., RECEIVE
`APPROVALFOR A SINGLE CERTIFICATE BY MULTIPLE CERTIFICATION AUTHORITIES, OR RECEIVE MULTIPLE
`CERTIFICATES FROM MULTIPLE CERTIFICATION AUTHORITIES). THE ONE OR MORE CERTIFICATION
`AUTHORITIES CREATE THE ONE OR MORE CERTIFICATES.
`130
`
`ASSOCIATE THE ONE OR MORE DIGITAL CERTIFICATES WITH THE ORGANIZATION APPLICATION(E.G., SECURE
`WEBSITE OR APPLICATION) TO ALLOW OTHER APPLICATIONS TO VERIFY THE ORGANIZATION AND/OR
`ORGANIZATION APPLICATION, AND TO CREATE A SECURELINK TO THE ORGANIZATION APPLICATION.
`
`Page 4 of 27
`
`
`
`U.S. Patent
`
`Oct. 1, 2019
`
`Sheet 3 of6
`
`US 10,432,595 B2
`
`FIG. 3
`
`RECEIVE A REQUEST FROM A USER APPLICATION TO ACCESS AN ORGANIZATION APPLICATION(E.G., A SECURE
`WEBSITE, OR THE LIKE}
`
`210
`
`PROVIDE (E.G., SEND, ALLOW ACCESS TO, OR THE LIKE) THE TWO OR MORE DIGITAL SIGNATURES AND THE
`PUBLIC KEY OF THE CERTIFICATE TO THE USER APPLICATION
`220
`
`USER APPLICATION ATTEMPTS TO VERIFY AT LEAST ONE OF THE TWO OR MORE DIGITAL SIGNATURES OF THE
`CERTIFICATE
`230
`
`
`DETERMINE IF THE veurED SIGNATURE IS
`
`___
`240
`
`| DETERMINEiFTHESECONDDIGITALSIGNATURE
`
`IS VERIFIED (MAY BE VERIFIED REGARDLESS OF
`||
`249
`VERIFICATION OF THE FIRST DIGITAL SIGNATURE}
`
`USER IS NOTIFIED WHETHER OR NOT THE ORGANIZATION APPLICATION IS VERIFIED
`250
`
`USER ACCESS THE ORGANIZATION APPLICATION (AUTOMATICALLY OR THROUGH A SELECTION DEPENDING ONIF
`THE ORGANIZATION APPLICATIONIS VERIFIED, IF THE USER ACCEPTS THE POTENTIAL RISK, IF THE USER IS
`ALLOWED, ETC.}
`260
`
`280
`
`USER APPLICATION USES THE PUBLIC KEY TO ENCRYPT A SESSION KEY TO CREATE A TEMPORARY ENCRYPTION
`KEY
`220
`
`RECEIVE TEMPORARY ENCRYPTION KEY FROM THE USER APPLICATION AND DECRYPT THE KEY TO IDENTIFY THE
`SESSION KEY
`
`THE SECURED LINK IS CREATED BETWEEN THE USER APPLICATION AND THE ORGANIZATION APPLICATION
`BECAUSE ONLY THESE ENTITIES HAVE THE SESSION KEY
`290
`
`UTILIZE THE SESSION KEY TO SEND AND RECEIVE ENCRYPTED DATA TO AND FROM THE USER APPLICATION
`295
`
`Page 5 of 27
`
`
`
`U.S. Patent
`
`Oct. 1, 2019
`
`Sheet 4 of6
`
`US 10,432,595 B2
`
`300 oS
`
`FIG. 4
`
`RECEIVE A REQUEST FROM A USER APPLICATION TO ACCESS AN ORGANIZATION APPLICATION (E.G., A SECURE
`WEBSITE, OR THE LIKE}
`310
`
`320
`
`PROVIDE(E.G., SEND, ALLOW ACCESS TO, OR THE LIKE) THE FIRST DIGITAL CERTIFICATE AND/OR SECOND
`DIGITAL CERTIFICATE (E.G., INCLUDING THE DIGITAL SIGNATURE AND THE PUBLIC KEY OF EACH}
`
`
`
`
`
`USER APPLICATION VERIFIES THE FIRST DIGITAL
`USER APPLICATION VERIFIES THE SECOND
`CERTIFICATE
`DIGITAL CERTIFICATE
`
`
`
`
`330
`340
`
`
`
`
`DETERMINE IF THE SECOND DIGITAL CERTIFICATE
`DETERMINE iF THE FIRST DIGITAL CERTIFICATE JS
`VERIFIED
`IS VERIFIED
`
`
`
`
`335
`345
`
`USER 1S NOTIFIED WHETHER OR NOT THE
`ORGANIZATION APPLICATION IS VERIFIED
`350
`
`USER ACCESS THE ORGANIZATION APPLICATION
`(AUTOMATICALLY OR THROUGH A SELECTION
`DEPENDING ON IF THE ORGANIZATION
`APPLICATION |S VERIFIED, IF THE USER ACCEPTS
`THE POTENTIAL RISK, IF THE USER 1S ALLOWED,
`OR THE LIKE}
`360
`
`
`
`USER APPLICATION USES THE PUBLIC KEY TO ENCRYPT A SESSION KEY TO CREATE A TEMPORARY ENCRYPTION
`KEY
`378
`
`RECEIVE TEMPORARY ENCRYPTION KEY FROM THE USER APPLICATION AND DECRYPT THE KEY TO IDENTITY THE
`SESSION KEY
`380
`
`THE SECURED LINK IS CREATED BETWEEN THE USER APPLICATION AND THE ORGANIZATION APPLICATION
`BECAUSE ONLY THESE ENTITIES HAVE THE SESSION KEY
`398
`
`UTILIZE THE SESSION KEY TO SEND AND RECEIVE ENCRYPTED DATA TO AND FROM THE USER APPLICATION
`395
`
`Page 6 of 27
`
`
`
`U.S. Patent
`
`Oct. 1, 2019
`
`Sheet 5 of6
`
`US 10,432,595 B2
`
`FIG. 5
`
`IDENTIFY THE STATUS OF THE TWO OR MORE CERTIFICATES OR TWO OR MORE DIGITAL SIGNATURES
`
`440
`
`
`
`
`
`DETERMINE THAT NONE OF THE TWO OR MORE
`DETERMINE THAT AT LEAST ONE OF THE TWO OR
`MORE CERTIFICATES OR AT LEAST ONE OF THE
`CERTIFICATES OR NONE OF THE DIGITAL
`
`
`DIGITAL CERTIFICATES ARE VERIFIED (E.G., NOT
`SIGNATURES ARE VERIFIED (E.G., ALL EXPIRED,
`EXPIRED, REVOKED, OR COMPROMISED)
`REVOKED, OR COMPROMISED}
`
`420
`430
`
`
`
`
`NOTIFY THE USER APPLICATION (E.G., USER) THAT NONE OF THE CERTIFICATES ARE VERIFIED AND
`REQUEST APPROVAL TO PROCEED WITH THE INTERACTION
`435
`
`
`
`UTILIZE AT LEAST TWO OR MORE OF THE PUBLIC KEYS. FROM THE TWO OR MORE CERTIFICATES OR ASSOCIATED
`WITH THE TWO OR MOREDIGITAL SIGNATURES TO ENCRYPT A SESSION KEY (E.G., ENCRYPT UTILIZING A CHAIN
`OF TWO OR MORE SESSION KEYS, BY UTILIZING A BOX WITHIN A BOX USING TWO OR MORE SESSION KEYS, USING
`A FUNCTION, OR THE LIKE}
`440
`
`470
`
`SEND THE ENCRYPTED SESSION KEY, AND IN SOME EMBODIMENTS SEND THE DECRYPTION ORDER(E.G., THE
`PUBLIC KEY ENCRYPTION ORDER, OR THE LIKE) TO THE ORGANIZATION APPLICATION
`450
`
`THE ORGANIZATION APPLICATION DECRYPTS THE ENCRYPTED SESSION KEY USING THE TWO OR MORE PRIVATE
`KEYS PAIRED WITH THE TWO OR MORE PUBLIC KEYS AND THE DECRYPTION ORDER (E.G., THE PUBLIC KEY
`ENCRYPTION ORDER, A PRE-DETERMINED ENCRYPTION ORDER, OR THE LIKE)
`460
`
`THE USER APPLICATION AND THE ORGANIZATION APPLICATION UTILIZE THE SESSION KEY (E.G., THE SYMMETRIC
`SESSION KEY) TO SECURELY TRANSFER INFORMATION ASSOCIATED WITH THE INTERACTION
`
`Page 7 of 27
`
`
`
`U.S. Patent
`
`Oct. 1, 2019
`
`Sheet 6 of6
`
`US 10,432,595 B2
`
`500
`
`FIG. 6
`ACCESS THE ORGANIZATION APPLICATION
`510
`
`IDENTIFY THE STORED CERTIFICATION REQUIREMENTS(E.G., BY ACCESSING THE PINNED CERTIFICATION
`REQUIREMENTS, BY ACCESSING A CERTIFICATION REQUIREMENT DATABASE, BY RECEIVING THE REQUIREMENTS
`IN A CERTIFICATION REQUIREMENT CERTIFICATE, OR THE LIKE}
`520
`
`549
`
`RECEIVE THE RECEIVED CERTIFICATION REQUIREMENTS FROM THE ORGANIZATION APPLICATION (E.G., RECEIVE
`THE ONE OR MORE CERTIFICATION REQUIREMENTS FROM THE ORGANIZATION APPLICATION, OR THE LIKE)
`530
`
`DETERMINE WHEN THE RECEIVED CERTIFICATION REQUIREMENTS MEET THE STORED CERTIFICATION
`REQUIREMENTS(E.G., DETERMINE THAT THE PINNED CERTIFICATION REQUIREMENTS, THE CERTIFICATION
`REQUIREMENTS FROM THE CERTIFICATION REQUIREMENT DATABASE, OR THE CERTIFICATION REQUIREMENTS
`PROVIDED BY THE ORGANIZATION APPLICATION AND SIGNED BY THE CERTIFICATION REQUIREMENT SYSTEMS
`MEETS THE RECEIVED CERTIFICATION REQUIREMENTS FROM THE ORGANIZATION APPLICATION}
`
`
`DETERMINE IF THE RECEIVED ONE OR MORE CERTIFICATES MEET AN AUTHORIZED VERIFICATION (E.G., AN
`AUTHORIZED CERTIFICATE FOR AN AUTHORIZED ENTITY)
`550
`
`
`
`
`
`NOTIFY THE USER APPLICATION OF THE POTENTIAL UNAUTHORIZED ENTITY AND/OR PREVENT THE
`COMMUNICATION WITH THE ORGANIZATION APPLICATION (E.G., NOTIFY THE USER OF THE POTENTIAL MAN-
`IN-THE-MIDDLE ATTACK AND/OR PREVENT THE USER APPLICATION FROM ACCESSING THE ORGANIZATION
`
`
`WEBSITE}
`560
`
`
`
`ALLOW THE INTERACTION WITH THE ORGANIZATION APPLICATION(E.G, IF THE CERTIFICATION REQUIREMENTS
`MATCH, IF THE USER APPLICATION ALLOWSIT, IF THE USER ACCEPTS THE POTENTIAL SECURITY ISSUE, AND/OR
`THE LIKE}
`579
`
`580
`
`UTILIZE THE ONE OR MORE CERTIFICATES TO CREATE THE SECURE SESSION AND/OR TRANSFER INFORMATION
`AS PREVIOUSLY BISCUSSED HEREIN
`
`Page 8 of 27
`
`
`
`US 10,432,595 B2
`
`1
`SECURE SESSION CREATION SYSTEM
`UTILILIZING MULTIPLE KEYS
`
`FIELD
`
`The present invention relates to utilizing multiple certifi-
`cates and/or multiple certifying authorities to create an
`improved system and process for encrypting session keys for
`secure sessions.
`
`BACKGROUND
`
`A certificate provided by a certification authority is uti-
`lized by a website to indicate the owner of the website and
`to provide a way to transmit information with the website,
`for example by creating a secure session for the transmission
`of encrypted information between the website and the web
`browser accessing the website. However, the certification
`authority and/or the certificate can become compromised
`with or without anyone becoming aware of the compromised
`certification authority and/or certificate for weeks, months,
`years, or the like.
`
`SUMMARY
`
`The following presents a simplified summary of one or
`more embodiments of the present invention,
`in order to
`provide a basic understanding of such embodiments. This
`summary is not an extensive overview of all contemplated
`embodiments, and is intended to neither identify key or
`critical elements of all embodiments nor delineate the scope
`of any or all embodiments. Its sole purpose is to present
`some concepts of one or more embodiments of the present
`invention in a simplified form as a prelude to the more
`detailed description that is presented later.
`Generally, systems, computer products, and methods are
`described herein for an improved secure certificate system
`that utilizes multiple digital signatures, and in some cases
`multiple public keys and corresponding private keys within
`one or morecertificates, in order to verify the website or
`dedicated application and create a secure session. The
`improved secure certificate system allows for additional
`security by having multiple certification authorities validate
`the organization as the ownerof the organization application
`(e.g., website, dedicated application, or the like), as well as
`allowing for the seamless replacementof digital signatures
`and/or public keys that have been, or may potentially be,
`compromised without interrupting the user’s access to the
`organization application.
`As will be discussed in further detail herein, an organi-
`zation may request one or morecertificates with two or more
`digital signatures and two or more public and private key
`pairs from two or more certification authorities, and asso-
`ciate the forgoing with the organization’s application (e.g.,
`website, dedicated application, or the like). As such, when a
`user application (e.g., web browser, dedicated application, or
`the like) accesses the organization application,
`the user
`application may be able to verify the owner of the website
`as being a trusted entity using any combination of one or
`moreofthe digital signatures in the one or more certificates.
`Moreover,
`if a particular digital signature (and thus, an
`associated public/private key pair or other encryption infor-
`mation used to create a secure session) becomes compro-
`mised(e.g., misappropriated by a third-party entity, exposed
`to the public, issued by an untrustworthy entity, or the like)
`and/or a certification authority associated with the digital
`signature (and thus, potentially the associated public/private
`Page 9 of 27
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`2
`key pair or other encryption information) becomes compro-
`mised (e.g., certification authority systems are illegally
`accessed, certification authority does not properly vet the
`organization, or the like) then the organization can remove
`the compromised digital signature, and continue to rely on
`one or more other digital signatures (and thus, one or more
`other public/private key pairs or other encryption informa-
`tion) in one or more certificates in order to continue to
`provide a secure organization application. Moreover, should
`a particular digital signature and/or a certificate become
`expired (e.g.,
`through the failure of the organization to
`renew the digital signature and/orthe certificate, or the like)
`then the organization can removethe expired digital signa-
`ture and/or certificate, and continue to rely on one or more
`other digital signaturesor certificates in order to continue to
`provide a secure organization application.
`In addition to utilizing one or more digital signatures in
`one or more certificates to verify the organization applica-
`tion, the user application may utilize two or more public
`keys from two or more public and private key pairs asso-
`ciated with two or more digital signatures in one or more
`certificates to encrypt a symmetric session key for use in
`securely sending and receiving information between the user
`application and the organization application. The private
`keys are held in secret by the organization application (or
`otherthird party hosting the organization application), while
`the public keys are made available to the public. It should be
`understood that the two or more public keys can be utilized
`regardless of whether or not the two or more associated
`private keys have become compromised, or otherwise
`revoked or expired (e.g., because of the associated digital
`signature and/or certificate has expired); however, in some
`instances at least one public and private key pair may be
`required to be active (e.g., not compromised or expired) in
`order to create the encrypted session key. It should be further
`understood that
`the two or more public keys may be
`encrypted in a string, an embedded, or a function configu-
`ration and the encryption method and/or encryption order
`maybereceived from or sent to the organization application,
`or previously agreed to between the user application and/or
`organization application, in order to allow the organization
`application to decrypt the encrypted session key, and to send
`and receive information using the session key.
`In addition to using multiple certificates, certification
`requirements may be utilized to identify potential compro-
`mised interactions between a user application and an orga-
`nization application, and/or to identify unauthorized entities
`involved in the potential compromisedinteractions. In addi-
`tion to the other benefits of utilizing two or morecertificates
`described herein, two or more certificates may be utilized to
`prevent unauthorized entities from intercepting an interac-
`tion (e.g., communication, transaction, or the like) between
`a user application and an organization application and redi-
`recting the interaction using a compromised or substitute
`certificate (e.g., a man-in-the-middle attack). When a user
`application interacts with an organization application, an
`unauthorized entity may intercept the initial communication
`and redirect the interaction between the user and organiza-
`tion using a compromisedcertificate from the organization
`application or using a substitute certificate generated by the
`unauthorized entity. By requiring two or morecertificates it
`is unlikely that the unauthorized entity could compromise
`two or more ofthe certificates from the organization appli-
`cation and/or create two or more substitute certificates that
`
`could be verified. However, unless a user application knows
`the certification requirements for the organization applica-
`tion, the user application may not know if the certification
`
`
`
`US 10,432,595 B2
`
`3
`requirements and/or one or morecertificates that it is receiv-
`ing is actually from the organization application or from an
`unauthorized entity trying to compromisethe interaction. As
`such, the use of certification requirements allows the user
`application to identity potential compromised interactions
`with the organization application before the interaction is
`fully initiated and before a secure session is established. The
`certification requirements may include threshold require-
`ments, such as a threshold number ofcertifications that
`require verification (e.g., at least two verified certificates, at
`least three verified certificates, or the like). The certification
`requirements may also include the certification authorities
`from which the certificates were verified (e.g., the specific
`entities that the organization uses to provide the certificates
`and/or a threshold number of verified certificates from
`different certification authorities). The certification require-
`ments may further include the numberofcertificates, or
`minimum threshold numberofcertificates, provided by the
`organization entity. As such,the stored certification require-
`ments may be compared by the user application (e.g., web
`browser) against received certification requirements in order
`to determine when an unauthorized entity may be trying to
`set up an interaction using certificates that do meet the
`certification requirements set up by the organization appli-
`cation 17 (e.g., a website). As will be discussed further
`herein, stored certification requirements may be stored by
`pinning certification requirements from the organization
`application when the user application first accesses the
`organization application, may be accessed through third
`party certification requirements systems, and/or may be
`includedin certification requirementcertificates provided by
`the organization application when the user application
`accesses the organization application.
`Embodiments of the invention comprise systems, meth-
`ods, and computer program products for creating a secure
`session utilizing multiple keys. Embodiments of the inven-
`tion comprise receiving two or more public keys from an
`organization application, through an organization system;
`creating a symmetric session key for the secure session with
`the organization application; encrypting the symmetric ses-
`sion key to create an encrypted symmetric session key using
`the two or more public keys; sending the encrypted sym-
`metric session key to the organization application, through
`the organization system, wherein the encrypted symmetric
`key is decrypted by the organization application using two
`or more private keys corresponding to the two or more
`public keys; and receiving and sending information from
`and to the organization application using the symmetric
`session key.
`In further accord with embodiments of the invention,
`encrypting the symmetric session key comprises encrypting
`the symmetric session key using the two or more public keys
`in a string configuration or a function configuration.
`In other embodiments of the invention, encrypting the
`symmetric session key comprises encrypting the symmetric
`session key using the two or more public keys in an
`embedded configuration.
`In still other embodiments of the invention, the two or
`more public keys and the corresponding two or more private
`keys comprise at least one active private and public key pair,
`and one revokedprivate and public key pair or compromised
`private and public key pair.
`In yet other embodiments of the invention, the two or
`more public keys and the corresponding two or more private
`keys comprise at least three private and public key pairs, and
`wherein the at
`least three private and public key pairs
`comprise at least one active private and public key pair, at
`Page 10 of 27
`
`10
`
`15
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`4
`least one revoked private and public key pair, and at least
`one compromised private and public key pair.
`In further accord with embodiments of the invention,
`sending the encrypted symmetric session key to the organi-
`zation application further comprises sending an encryption
`order to the organization, and wherein the organization
`application uses
`the encryption order
`to decrypt
`the
`encrypted session key.
`In other embodiments of the invention, a user application
`and the organization application have previously agreed to
`an encryption order, wherein the user application uses the
`encryption order to create the encrypted session key, and
`wherein the organization application uses the encryption
`order to decrypt the encrypted session key.
`In still other embodiments of the invention, receiving the
`two or more public keys from the organization application
`further comprises receiving an encryption order from the
`organization, wherein the user application uses the encryp-
`tion order to create the encrypted session key, and wherein
`the organization application uses the encryption order to
`decrypt the encrypted session key.
`In yet other embodiments of the invention, the two or
`more public keys are associated with one or morecertifi-
`cates.
`
`In further accord with embodiments, the invention further
`comprises accessing the organization application, through
`an organization system or a third party system; accessing
`two or more digital signatures associated with the organi-
`zation application, wherein the two or more digital signa-
`tures are included within the one or morecertificates; and
`attempting to verify at least one of the two or moredigital
`signatures as being signed by a certification authority thatis
`trusted.
`In other embodiments of the invention, at least one of the
`two or more public keys from the organization application is
`a self-created public key from a self-created public and
`private key pair within a self-signed certificate generated or
`provided by the organization application.
`To the accomplishmentthe foregoing andtherelated ends,
`the one or more embodiments comprise the features here-
`inafter described and particularly pointed out in the claims.
`The following description and the annexed drawings set
`forth certain illustrative features of the one or more embodi-
`ments. These features are indicative, however, of but a few
`of the various ways in which the principles of various
`embodiments may be employed, and this description is
`intended to include all such embodiments and their equiva-
`lents.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`Having thus described embodiments of the invention in
`general terms, reference will now be made to the accompa-
`nying drawings, and wherein:
`FIG. 1 illustrates a block system diagram of a secure
`certificate system environment, in accordance with embodi-
`ments of the invention.
`FIG.2 illustrates a process flow regarding how an orga-
`nization requests and receives two or morecertificates or
`two or morevalidations for a certificate and to use the same
`to create a secure session, in accordance with embodiments
`of the invention.
`
`FIG.3 illustrates a process flow regarding how an orga-
`nization application is verified and a secure session is
`created utilizing a single certificate with multiple valida-
`tions, in accordance with embodiments of the invention.
`
`
`
`US 10,432,595 B2
`
`5
`FIG.4 illustrates a process flow regarding how an orga-
`nization application is verified and a secure session is
`created utilizing multiple certificates,
`in accordance with
`embodiments of the invention.
`FIG.5 illustrates a process flow regarding how a secure
`session is creat
Accessing this document will incur an additional charge of $.
After purchase, you can access this document again without charge.
Accept $ Charge
Still Working On It
This document is taking longer than usual to download. This can happen if we need to contact the court directly to obtain the document and their servers are running slowly.
Give it another minute or two to complete, and then try the refresh button.
A few More Minutes ... Still Working
It can take up to 5 minutes for us to download a document if the court servers are running slowly.
Thank you for your continued patience.
This document could not be displayed.
We could not find this document within its docket. Please go back to the docket page and check the link. If that does not work, go back to the docket and refresh it to pull the newest information.
Your account does not support viewing this document.
You need a Paid Account to view this document. Click here to change your account type.
Your account does not support viewing this document.
Set your membership
status to view this document.
With a Docket Alarm membership, you'll
get a whole lot more, including:
- Up-to-date information for this case.
- Email alerts whenever there is an update.
- Full text search for other cases.
- Get email alerts whenever a new case matches your search.
One Moment Please
The filing “” is large (MB) and is being downloaded.
Please refresh this page in a few minutes to see if the filing has been downloaded. The filing will also be emailed to you when the download completes.
Your document is on its way!
If you do not receive the document in five minutes, contact support at support@docketalarm.com.
Sealed Document
We are unable to display this document, it may be under a court ordered seal.
If you have proper credentials to access the file, you may proceed directly to the court's system using your government issued username and password.
Access Government Site
