1. Field of the Invention
The invention relates generally to client (or a user at a client platform)/server multi-factor mutual authentication systems and methods for computer and network security access control systems employing Random Partial Shared Secret Recognition (RPSSR) algorithms with a focus on in- and out-of-band multi-factor authentication of a server to the user; and more particularly multi-factor authentication of a server to the user based on virtual reference grids of data with low entropy leakage of user personalized, embedded, and hidden in the grid server credentials (entropy leakage per an authentication session), and high resilience against online identity theft attacks like guessing, phishing (using social engineering techniques) and/or pharming attacks.
2. Description of the Related Art
Server Authentication to a User (at a Client Platform)
For both, business-to-consumer (B2C) and business-to-business (B2B) transaction networks, online e- and m-commerce require a certain level of trust between parties to perform a variety of business transactions with typical parties to a transaction being an online consumer or a business representative (a user at a client platform) and a server providing services, applications, and goods. There are user authentication systems integrated with and trusted by servers. So that a user proves one's identity by submitting a user ID (or a username, or an email address, or any other pre-arranged digital identifier) and authentication credential(s) (typically, it is either a PIN, or a password, or a hardware token pass code (PIN+a currently indicated token number in a case of a two-factor authentication). There is a variety of authentication factors, and authentication credentials associated with them, that are used alone or in multi-factor combinations to enhance user authentication security.
The common security feature of these authentication systems is a fundamental reliance on the user/server shared secrets whether it be “what user knows” PINs or passwords, or “what user is” biometric traits like fingerprints or sound bites, or “what user has” like hardware tokens or software tokens on mobile devices. Illegal activities by hackers and criminal organizations utilizing hacker talents are centered in many cases on attacks aiming at stealing user authentication credentials, which is the most efficient way to preempt user identities and deplete user accounts. Among best known are social engineering attacks like “shoulder surfing”, allegedly administrator's calls, Trojan horse attacks, guessing attacks, Man-in-the-Middle (MITM) and Man-in-the-Browser (MITB) attacks, brute force attacks, keyboard memory sniffing, network sniffing, video recording of credential entry sessions, authentication system user store breaches, etc.
Phishing and Pharming Attacks
During the last several years, a couple of new social engineering attacks called phishing (http://en.wikipedia.org/wiki/Phishing) and pharming (http://en.wikipedia.org/wiki/Pharming) attacks were employed by intruders to the significant detriment of e- and m-commerce security. Without providing here a detailed technique used in initiating these attacks, it is sufficient to note that during such an attack a user is brought to a false server which looks very similar to the real one, and the user is lured to enter one's user credentials into this false graphical user interface. The scale of phishing attacks can be seen from the following citation of quite eloquent data presented by the Anti-Phishing World Group (APWG) (http://www.antiphishing.org/) in PHISHING ACTIVITY TREND REPORT 1st HALF 2009 (see the full report in http://www.antiphishing.org/reports/apwg_report_h1—2009.pdf):
“1st Half '09 Phishing Activity Trends Summary
                Unique phishing reports submitted to APWG recorded a high of 37,165 in May, around 7 percent higher than last year's high of 34,758 in October. [p. 4]        The number of unique phishing websites detected in June rose to 49,084, the highest recorded since April, 2007's record of 55,643. [p. 4]        Brand□domain pairs increased to a record 21,085 in June, up 92 percent from the beginning of 2009. [p. 5]        The number of hijacked brands ascended to a high of 310 at the end of Q1. [p. 6]        Payment Services became phishing's most targeted sector, displacing Financial Services in Q1 & Q2. [p. 7]        Banking Trojan/password□stealing crime ware infections detected increased during more than 186 percent between Q4, 2008 and Q2, 2009. [p. 10]        The total number of infected computers rose more than 66 percent between Q4 2008 and the end of the half, 2009 to 11,937,944, representing more than 54 percent of the total sample of scanned computers. [p. 10]        Sweden moved ahead of the United States as the nation hosting the most phish web sites at the half's end. [p. 7]        China hosted the most websites harboring Trojans and Downloaders from March through June. [p. 9]”        
Site Key, SSL Certificate, and Extended Validation (EV) SSL Certificate Technologies
Some of these attacks described above became so ubiquitous and efficient that a significant number of potential e- and m-commerce users decline to do business online or they would keep it highly limited in scope, unless stronger protection services/technologies/laws are becoming available to protect security of users' authentication credentials. There are conventional technologies like server SSL certificates (http://en.wikipedia.org/wiki/Ssl_certificate) and server extended validation (EV) SSL certificates (http://en.wikipedia.org/wiki/Extended_Validation_Certificate), or server's image/text mark (like site key technology http://en.wikipedia.org/wiki/Site_key)—all these technologies allowing with a varying level of assurance to authenticate a server to the user, before the user enters either one's authentication credentials, or some personally identifiable information (PII), or any other data potentially jeopardizing privacy, security, confidentiality, and business interests of transacting parties.
Hence, the security tiers to thwart phishing or pharming attacks are based on a mutual authentication of first a server to the user and then second, the user to the server. In a case of server certificates utilizing Public Key Infrastructure and the existence of Certification Authorities, users see either a lock icon on the browser frame or the same icon inside an address bar along with the green colored background of the address bar. The site key is the only user/server shared knowledge-based secret technology which is requiring hackers' personalized attacks, instead of hackers using a standard scheme, to harvest numerous user credentials with minimal efforts. Nevertheless, the security level of site keys against personalized attacks does not seem strong enough to protect user credentials.
EV SSL certificate technology looks stronger than the site key one. However, it is a relatively new technology and its resilience against phishing and pharming attacks remains to be tested yet. As a commodity mass protection layer, EV SSL certificate technology looks quite simple to use. However, for a certain amount of proficient users and ones that are highly concerned with their security, this technology is not user personalized, it is not user/server interactive, engaging, and providing a personalized sense of security. With regard to Extended Validation's defense against phishing, according to Tec-Ed Inc. “Extended Validation and VeriSign Brand” http://www.verisign.com/static/040655.pdf. Retrieved 2008-08-28 Tec-Ed research reveals that when a site adopts green address bars, then 23% of specially trained users visiting what appears to be the same site but without the green address bar will complete the transaction. It is difficult to anticipate behavior of non-trained users, though most likely the number of users ignoring the absence of the green bar will grow.
Hardware Token Based Server Authentication to the User
VASCO Data Security International, Inc. (http://www.vasco.com) offered several hardware token based solutions to authenticate a server to the user. In the first solution (dated 2004), the user was sending to a server's Web site the user name along with several first digits (say four digits) displayed by the user's token that time. Then, this server was expected to send back to the user the remaining digits currently displayed by the token (let's say the last four digits). Otherwise, if digits were not sent, or the sent digits did not match with the last four digits displayed at the token that time, the server was not authenticated.
Lately (in 2009), the company revealed another hardware token based solution. The user sends to a server the user name and obtains back from the server a certain one-time code (for example, 391483). The user is to enter this code into the user's token, and if the token positively authenticates the server, then the token generates another one-time code (say One-Time PIN; for example, 204817) which the user is to enter into a browser or another GUI, and sent to the server to authenticate the user. If the user is positively authenticated by the server, it completes the mutual authentication process and the user is provided the access requested.
In the first described solution, the user has to check personally if the last digits match, while also performing simple instructions of entering the digits into the browser or another GUI. In the second solution, the user is performing simple instructions only, without a need to make any decisions. In both cases, the disadvantage of such solutions is a necessity to carry a hardware device with the user all the time. Usability level of these solutions and their total cost of ownership are to be other points to consider as well. Another disadvantage yet, there is no protection if the hardware token gets into “wrong hands.”
Back-End Client (User at a Client Platform)/Server Mutual Authentication Protocols
It is important to outline to what extent user (at a client platform)/server mutual authentication protocols, that are available at the back end, complement a server to the user authentication on the front-end. User/server back end mutual authentication protocols (for instance, Kenneth C. Kung et al., U.S. Pat. No. 5,434,918, Victor Vladimir Boyko et al, U.S. Pat. No. 7,047,408, Len L. Mizrah, U.S. Pat. No. 7,506,161) are typically a series of client/server encrypted messages enabled by knowledge-based credentials that are used in the protocol on both ends of a user/server communication pair but never transmitted in any form over non-trusted communication media. Normally, when the user and the server are who they claim they are, the failure of the protocol's positive mutual authentication with back end protocols would mean that somehow messages have been tampered with during transmission over the communication lines. That is, the protocols would report intrusion detection based on the server side logic (the client side Graphical User Interface (GUI) logic, unless there is a permanent software client installed at the client platform and communicating with the server, is defined by the server side logic as well).
However, in a case of phishing or pharming attacks, the user deals with a fraudulent server, so that a server side logic cannot be trusted in the first place. Therefore, back end protocols are not much help in such cases, and what is needed is that the control be given directly to the user to decide through user's cognitive recognition of server's personalized credentials as to whether the user communicates to the truly authenticated server. Certainly, the key requirements for such user control would be a very strong protection of server credentials against various attacks, and first of all a very low credential entropy leakage (per server-to-user authentication session) and a high combinatorial capacity of server credential(s) against guessing attacks.