1. Field of the Invention
The present invention relates generally to data encryption and decryption systems and methods and, more particularly, to a system and method for preventing interception and decryption of information by an unauthorized party when that information is transmitted over a network.
2. Background Information
A computer network session is the time during which two computers in a network maintain a connection. In an interactive computer program running on the network, a network session can be considered the time during which one computer, such as a server, accepts, processes, and outputs information from another computer, such as a client. Programs designed for contacting different servers on the Internet are commonly known as “web applications” or “web browsers”.
During a network session, a user, or client, accesses a remotely located computer, or server, to exchange data with the server via a computer network, such as the Internet or an Intranet, for example. During the network session the client may further exchange data with a second client via the server and may exchange data with one or more additional servers.
Frequently, confidential data is exchanged between the client and server during a network session and this data may be valuable to outside parties. Such confidential data may include personal information, financial information, and proprietary information, for example. Thus, if an unauthorized party were to obtain a client's confidential information they could use that information however they desire.
The processes of data encryption and decryption are well known for inhibiting unauthorized access to confidential data. Data encryption is the process of encoding data to prevent unauthorized access to the data, especially during transmission. Encryption of data is usually based on an encryption/decryption key, or key, that may comprise a predetermined sequence of data, that is essential for decoding the data. The encryption key is used to encrypt the data prior to transmission. The intended recipient of the data is provided with a like key for decrypting the data, to allow access to the data by the intended recipient.
One common method of data encryption/decryption is “Public Key Encryption”. Public key encryption comprises an asymmetric scheme that uses a pair of keys for encryption. A public key is one of two keys in public key encryption. A user releases the public key to the public. The public uses the public key for encrypting data this is sent to the user and for decrypting the user's digital signature. A private key is the other of the two keys in public key encryption. The user keeps the private key secret and uses it to encrypt digital signatures and to decrypt received messages. A disadvantage of public key encryption is that it may be vulnerable to “Man-In-The-Middle” (MITM) attacks, since the client and server are unable to verify the identity of each other.
A Man-In-The-Middle (MITM) attack typically involves an interceptor posing as a target, which may be a sever, for example. The interceptor uses its own public key, instead of the target's public key, for asymmetric encryption. This allows the interceptor to decrypt confidential data that is intended for the target. The interceptor can then use this decrypted information to gain unauthorized access to the target's confidential information.
A known attempt to defend against MITM attacks is, to ensure that the public key is coming from its legitimate owner. To ensure that a public key is coming from its legitimate owner, an encrypted link can be created between a server, such as a web server on the Internet, and web browser software. Secure Sockets Layer (SSL) is a security technology standard for creating encrypted links between web servers and browsers. This encrypted link attempts to ensure that data transmitted between the web server and browser remains private and integral. SSL technology requires the use of an electronic certificate, issued by a trusted Certification Authorities (CA), to be used to generate the encrypted link. The electronic certificate is an electronic document that binds some pieces of information together, such as a user's identity and their public key. The pieces of information are bound by the signature of the CA.
A trusted Certification Authority (CA) is a trusted third party responsible for issuing digital certificates and managing them throughout their lifetime. Digital certificates are electronic files containing the user's public key and specific identifying information about the user.
Digital signatures are also used to defend against MITM and other attacks. With digital signatures, a sender uses a secret key to create a unique electronic number. This unique electronic number can be read by anyone possessing the corresponding public key, which verifies that the message is truly from the sender.
Another known method of attempting unauthorized access to encrypted data is a “replay” attack. Web browsers may be vulnerable to a replay attacks, if a user's authentication tokens are captured or intercepted by an attacker. In a replay attack, an attacker directly uses authentication tokens, such as a session ID in a URL cookie, for example. For clarification, “URL” is an acronym for Uniform Resource Locator. A URL is an address for a resource on the Internet used by Web browsers to locate Internet resources. The attacker uses the authentication token to obtain or create service to a user's account, while bypassing normal user authentication, such as logging in with the appropriate username or password.
For example, an attacker discovers a URL that contains session ID information. With this information, the attacker may be able to obtain or create service to user's account contained in the session ID information, simply by pasting that URL back into the internet address widow of their web browser. The legitimate user may not need to be logged into the application at the time of the replay attack.