Gatekeeper

A major concern for all users of credential-based authentication solutions is the man-in-the-middle attack. In this type of attack, the cybercriminal installs a bot on a device in the authentication pathway. During authentication sessions, the bot intercepts in-flight credentials and other information, which the cybercriminal subsequently uses to gain access where access should be denied. This is one form of leveraged-credentials attack, among the most prevalent in the 2017 cybercrime statistics.

The Gatekeeper protocol methodology offers a solution to this perplexing problem. It begins by using three network links in a network triad arrangement. An authentication request is initiated by a user access device, which sends the request to a gatekeeper over the first network link. The gatekeeper creates an identification request and transmits it over a second network link to a Personal Identifier device. That device produces a Personal Identification Code (PIC) token by combining the user-in-possession status with its device identifiers, and transfers the token over Bluetooth or another suitable near-proximity network to the original access device, such as a workstation or laptop, an ATM, a vehicle access FOB or an Access Management Device. From there the PIC token is sent along a third network link back to its point of origin, the gatekeeper that started the session, where the token is validated and access is granted or denied.

A Session Identifier token is used to better protect the process against outsider attack or spoofing. The token is a time-stamped piece of identifying data originated by the gatekeeper at the time of the authentication request. It is never stored and is assigned a very short time to live, no more than a few hundred milliseconds. It is included in the identification request sent to the Personal Identifier device, where it is combined with the Personal Identification Code and the device identifiers, and it eventually works its way back to the gatekeeper. The gatekeeper then validates the Personal Identification Code, establishing the identity of the person in possession of the Personal Identifier device; the device identifiers, establishing that the response came from the expected device; and the Session Identifier and its latency, confirming session integrity.

A key component of the process is the Personal Identifier device, or more specifically its access methods. The initial gatekeeper request is sent over the cellular networks, by a suitable messaging method, to the requesting user’s smartphone number of record. In doing so, the gatekeeper has assured that the message is delivered to a smartphone associated with the requesting user’s cellular account, and in principle to the smartphone belonging to the user seeking access. At that instant the gatekeeper also sends a message to the access device over the original requesting network, a message containing the Bluetooth address of the requesting user’s smartphone. The access device reads the Personal Identification Code token from that specific address.

In this way it is assured that the smartphone is the device belonging to the requesting user, that the smartphone is in the requesting user’s possession, that the requesting user’s cellular account is intact and has not been hijacked, and that the authentication session itself has not been hijacked by a cybercriminal’s man-in-the-middle attack. To better ensure the integrity of the process, all data originating in the process are encrypted at the point of origin, with the decryption keys held only by the gatekeeper. All else satisfied, if the user-in-possession prediction meets the minimum requirements of the installation, access is granted; if not, access is denied.
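The triad exchange described above, simulated in Python as an added illustration (this is not code from the page or from ProteqsIt): the gatekeeper issues a short-lived Session Identifier, the phone of record binds it to the PIC and its device identifier, the access device reads the result only from the Bluetooth address the gatekeeper supplied, and the gatekeeper checks session origin, latency, device and PIC before granting. The MAC construction of the Session Identifier (so it can be checked without being stored), the HMAC standing in for point-of-origin encryption, and the enrolment fields are assumptions.

```python
import hashlib, hmac, os, struct
TTL_MS = 300  # session identifier lives no more than a few hundred milliseconds

class Gatekeeper:
    """Issues the Session Identifier and validates the returned PIC token."""
    def __init__(self):
        self.session_key = os.urandom(32)   # assumed: MAC key for session ids
        self.users = {}                     # user -> (pic_secret, device_id, bt_addr)

    def enrol(self, user, pic_secret, device_id, bt_addr):
        self.users[user] = (pic_secret, device_id, bt_addr)

    def new_session(self, now_ms):
        # Assumed construction: timestamp + nonce under a MAC, so the gatekeeper
        # can verify it later without storing anything (page: time-stamped, never stored).
        body = struct.pack(">Q", now_ms) + os.urandom(8)
        return body + hmac.new(self.session_key, body, hashlib.sha256).digest()

    def validate(self, user, response, now_ms):
        pic_secret, device_id, _ = self.users[user]
        session, dev, mac = response
        body, smac = session[:16], session[16:]
        if not hmac.compare_digest(smac, hmac.new(self.session_key, body, hashlib.sha256).digest()):
            return "DENY: session identifier not issued here"
        if now_ms - struct.unpack(">Q", body[:8])[0] > TTL_MS:
            return "DENY: session identifier expired"
        if dev != device_id:
            return "DENY: response from unexpected device"
        expect = hmac.new(pic_secret, session + dev, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expect):
            return "DENY: PIC token invalid"
        return "GRANT"

class PersonalIdentifier:
    """The user's smartphone: binds PIC, device id and session id into one token."""
    def __init__(self, pic_secret, device_id):
        self.pic_secret, self.device_id = pic_secret, device_id
    def respond(self, session):
        mac = hmac.new(self.pic_secret, session + self.device_id, hashlib.sha256).digest()
        return (session, self.device_id, mac)

def authenticate(gk, user, nearby, now_ms, latency_ms=50):
    """One triad: link 1 request, link 2 to the phone, Bluetooth read, link 3 back."""
    session = gk.new_session(now_ms)          # link 2: sent to the phone of record
    bt_addr = gk.users[user][2]               # link 1: address sent to the access device
    phone = nearby.get(bt_addr)               # access device reads that address only
    if phone is None:
        return "DENY: enrolled phone not in proximity"
    response = phone.respond(session)
    return gk.validate(user, response, now_ms + latency_ms)  # link 3: back to gatekeeper
```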

Gatekeeper is a process that cannot be defeated. It is applicable to every online user identification verification process and to every access management application where access is gated by user identification.

ProteqsIt

Rick Hallock

Naples, FL 34119

Email: Rick.Hallock@ProteqsIt.COM