Mobile device user authentication for accessing protected network resources

US 10,257,699 B2
Filed: 06/10/2016
Issued: 04/09/2019
Est. Priority Date: 01/29/2014
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, by a processor of a client device, an authentication token, wherein the authentication token is provided by one of;

a short-lived certificate or a one-time password;

transmitting, by the processor, an authentication request comprising a value generated by applying a pre-defined function to the authentication token, wherein no long-term authentication keys are stored by the client device;

receiving, in response to the authentication request, a single sign-on token authorizing access to a plurality of computing resources of an enterprise network;

transmitting, by the processor, a resource access token request using the single sign-on token;

receiving, in response to the resource access token request, a resource access token; and

transmitting, using the resource access token, a request to access a computing resource of the plurality of computing resources.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for user authentication for accessing protected applications by computing devices includes receiving, by a processor of a mobile computing device, a first authentication token. The method further includes transmitting an authentication request using the first authentication token. The method further includes receiving, in response to the authentication request, a second authentication token. The method further includes transmitting a resource access token request using the second authentication token. The method further includes receiving, in response to the resource access token request, a resource access token. The method further includes transmitting a computing resource access request using the resource access token.

23 Citations

17 Claims

1. A method, comprising:
- receiving, by a processor of a client device, an authentication token, wherein the authentication token is provided by one of;
  
  a short-lived certificate or a one-time password;
  
  transmitting, by the processor, an authentication request comprising a value generated by applying a pre-defined function to the authentication token, wherein no long-term authentication keys are stored by the client device;
  
  receiving, in response to the authentication request, a single sign-on token authorizing access to a plurality of computing resources of an enterprise network;
  
  transmitting, by the processor, a resource access token request using the single sign-on token;
  
  receiving, in response to the resource access token request, a resource access token; and
  
  transmitting, using the resource access token, a request to access a computing resource of the plurality of computing resources.
- View Dependent Claims (2, 3, 4, 5, 6, 16, 17)
- - 2. The method of claim 1, further comprising:
    - accessing a computing resource identified by the resource access token.
  - 3. The method of claim 1, wherein transmitting the authentication request is performed via a communication interface provided by at least one of:
    - a network communication interface, a near field communication (NFC) interface, a Bluetooth interface, or an infrared interface.
  - 4. The method of claim 1, wherein transmitting the authentication request is performed over a Secure Socket Layer (SSL) connection.
  - 5. The method of claim 1, wherein the single sign-on token is provided by a ticket granting ticket, and wherein the resource access token is provided by a service ticket.
  - 6. The method of claim 1, wherein the authentication request conforms to Kerberos protocol.
  - 16. The method of claim 1, wherein the authentication request is transmitted via a HyperText Transfer Protocol (HTTP) proxy server.
  - 17. The method of claim 1, wherein the authentication token is generated based on a secret known to an authentication server, and wherein the authentication request is transmitted to the authentication server.

7. A system, comprising:
- a memory; and
  
  a processor, operatively coupled to the memory, to;
  
  receive an authentication token, wherein the authentication token is provided by one of;
  
  a short-lived certificate or a one-time password;
  
  transmit an authentication request comprising a value generated by applying a pre-defined function to the authentication token, wherein no long-term authentication keys are stored by the system;
  
  receive, in response to the authentication request, a single sign-on token authorizing access to a plurality of computing resources of an enterprise network;
  
  transmit a resource access token request using the single sign-on token;
  
  receive, in response to the resource access token request, a resource access token; and
  
  transmit, using the resource access token, a request to access a computing resource of the plurality of computing resources.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the processor is further to:
    - accessing a computing resource identified by the resource access token.
  - 9. The system of claim 7, wherein the processor is to transmit the authentication request via a communication interface provided by at least one of:
    - a network communication interface, a near field communication (NFC) interface, a Bluetooth interface, or an infrared interface.
  - 10. The system of claim 7, wherein the processor is to transmit the authentication request over a Secure Socket Layer (SSL) connection.
  - 11. The system of claim 7, wherein the single sign-on token is provided by a ticket granting ticket, and wherein the resource access token is provided by a service ticket.
  - 12. The system of claim 7, wherein the authentication request conforms to Kerberos protocol.

13. A computer-readable non-transitory storage medium comprising executable instructions that, when executed by a processor of a computing device, cause the processor to:
- receive an authentication token, wherein the authentication token is provided by one of;
  
  a short-lived certificate or a one-time password;
  
  transmit an authentication request comprising a value generated by applying a pre-defined function to the authentication token, wherein no long-term authentication keys are stored by the computing device;
  
  receive, in response to the authentication request, a single sign-on token authorizing access to a plurality of computing resources of an enterprise network;
  
  transmit, by the processor, a resource access token request using the single sign-on token;
  
  receive, in response to the resource access token request, a resource access token; and
  
  transmit, using the resource access token, a request to access a computing resource of the plurality of computing resources.
- View Dependent Claims (14, 15)
- - 14. The computer-readable non-transitory storage medium of claim 13, further comprising executable instructions causing the processor to:
    - access a computing resource identified by the resource access token.
  - 15. The computer-readable non-transitory storage medium of claim 13, wherein the single sign-on token is provided by a ticket granting ticket, and wherein the resource access token is provided by a service ticket.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Pal, Dmitri
Primary Examiner(s)
Arani, Taghi T
Assistant Examiner(s)
Lane, Gregory A

Application Number

US15/178,725
Publication Number

US 20160286400A1
Time in Patent Office

1,033 Days
Field of Search

713155
US Class Current
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/0838   using one-time-passwords

H04L 63/0853   using an additional device,...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

H04L 63/162   at the data link layer

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 67/56   Provisioning of proxy servi...

H04L 67/561   Adding application-function...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3228   One-time or temporary data,...

H04L 9/3234   involving additional secure...

H04W 12/068   using credential vaults, e....

H04W 12/069   using certificates or pre-s...

H04W 12/086   using security domains

Mobile device user authentication for accessing protected network resources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

23 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Mobile device user authentication for accessing protected network resources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links