Device-level authentication with unique device identifiers

US 10,484,359 B2
Filed: 03/13/2017
Issued: 11/19/2019
Est. Priority Date: 07/25/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

transmitting, by a client device, a manufacturer security certificate to a provisioning server device, wherein the manufacturer security certificate is associated with a manufacturer of the client device;

establishing, between the client device and the provisioning server device, a secure connection, wherein the secure connection is established based on the manufacturer security certificate;

receiving, by the client device over the secure connection, a server security certificate, wherein the server security certificate identifies secure communication parameters of a pre-validated server device, wherein the pre-validated server device is not the provisioning server device;

obtaining, by the client device, a unique client device identifier, wherein the unique client device identifier is configured to support secure access to the pre-validated server device; and

based on the unique client device identifier, accessing, by the client device, protected information available to the pre-validated server device, wherein accessing the protected information occurs without the client device transmitting security credentials that identify a user of the client device to the pre-validated server device, wherein the client device stores a plurality of unique tokens, each token limited to use once per an epoch defined by a pre-established number of seconds, and wherein accessing the protected information comprises transmitting a message to establish a second secure connection with the pre-validated server device, wherein the message contains a particular token, from the plurality of unique tokens, that has not been used in a current epoch.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An embodiment may include transmitting a manufacturer security certificate to a provisioning server device, and establishing, with the provisioning server device, a secure connection based on the manufacturer security certificate. The embodiment may also involve transmitting, over the secure connection, device data that characterizes the client device, and receiving, over the secure connection, a server security certificate. The embodiment may further include obtaining a unique client device identifier. The embodiment may additionally include, possibly based on the server security certificate and the unique client device identifier, accessing protected information available to a particular pre-validated server device.

83 Citations

View as Search Results

19 Claims

1. A method comprising:
- transmitting, by a client device, a manufacturer security certificate to a provisioning server device, wherein the manufacturer security certificate is associated with a manufacturer of the client device;
  
  establishing, between the client device and the provisioning server device, a secure connection, wherein the secure connection is established based on the manufacturer security certificate;
  
  receiving, by the client device over the secure connection, a server security certificate, wherein the server security certificate identifies secure communication parameters of a pre-validated server device, wherein the pre-validated server device is not the provisioning server device;
  
  obtaining, by the client device, a unique client device identifier, wherein the unique client device identifier is configured to support secure access to the pre-validated server device; and
  
  based on the unique client device identifier, accessing, by the client device, protected information available to the pre-validated server device, wherein accessing the protected information occurs without the client device transmitting security credentials that identify a user of the client device to the pre-validated server device, wherein the client device stores a plurality of unique tokens, each token limited to use once per an epoch defined by a pre-established number of seconds, and wherein accessing the protected information comprises transmitting a message to establish a second secure connection with the pre-validated server device, wherein the message contains a particular token, from the plurality of unique tokens, that has not been used in a current epoch.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the accessing the protected information comprises (i) establishing, between the client device and the pre-validated server device, a second secure connection, wherein the second secure connection is established based on the server security certificate, (ii) after establishing the second secure connection, transmitting, by the client device over the second secure connection, a representation of the unique client device identifier, and (iii) receiving, by the client device over the second secure connection, the protected information, wherein the second secure connection involves mutual authentication between the client device and the pre-validated server device.
  - 3. The method of claim 1, further comprising:
    - transmitting, by the client device over the secure connection, device data that characterizes the client device.
  - 4. The method of claim 3, wherein the device data comprises at least one of a manufacturer identity of the client device, a type of the client device, a model number of the client device, a serial number of the client device.
  - 5. The method of claim 4, wherein reception of the device data by the provisioning server device causes the provisioning server device to look up the device data in a device database, and verify that the device data is consistent with known devices.
  - 6. The method of claim 1, wherein at least one of the secure connection or the second secure connection is established, at least in part, by a web browser application operating on the client device.
  - 7. The method of claim 1, wherein the secure connection is based on Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols.
  - 8. The method of claim 1, wherein, prior to transmitting the manufacturer security certificate to the provisioning server device, the client device has not communicated with the provisioning server device or the pre-validated server device.
  - 9. The method of claim 1 further comprising:
    - in response to receiving the server security certificate, validating, by the client device, the server security certificate.
  - 10. The method of claim 1, wherein accessing the protected information available to the pre-validated server device comprises:
    - receiving, from the pre-validated server device, an indication that the client device is permitted to establish a second secure connection with the pre-validated server device; and
      
      in response to receiving the indication, establishing the second secure connection with the pre-validated server device.
  - 11. The method of claim 1, wherein obtaining the unique client device identifier comprises receiving the unique client device identifier from the provisioning server device.

12. An article of manufacture including a non-transitory computer-readable medium, having stored thereon program instructions that, upon execution by a client device, cause the client device to perform operations comprising:
- transmitting a manufacturer security certificate to a provisioning server device, wherein the manufacturer security certificate is associated with a manufacturer of the client device;
  
  establishing, between the client device and the provisioning server device, a secure connection, wherein the secure connection is established based on the manufacturer security certificate;
  
  receiving, over the secure connection, a server security certificate, wherein the server security certificate identifies secure communication parameters of a pre-validated server device, wherein the pre-validated server device is not the provisioning server device;
  
  obtaining a unique client device identifier, wherein the unique client device identifier is configured to support secure access to the pre-validated server device; and
  
  based on the unique client device identifier, accessing protected information available to the pre-validated server device, wherein accessing the protected information occurs without the client device transmitting security credentials that identify a user of the client device to the pre-validated server device, wherein the client device stores a plurality of unique tokens, each token limited to use once per an epoch defined by a pre-established number of seconds, and wherein accessing the protected information comprises transmitting a message to establish a second secure connection with the pre-validated server device, wherein the message contains a particular token, from the plurality of unique tokens, that has not been used in a current epoch.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The article of manufacture claim 12, wherein the accessing the protected information comprises (i) establishing, between the client device and the pre-validated server device, a second secure connection, wherein the second secure connection is established based on the server security certificate, (ii) after establishing the second secure connection, transmitting, by the client device over the second secure connection, a representation of the unique client device identifier, and (iii) receiving, by the client device over the second secure connection, the protected information, wherein the second secure connection involves mutual authentication between the client device and the pre-validated server device.
  - 14. The article of manufacture claim 12, the operations further comprising:
    - transmitting, over the secure connection, device data that characterizes the client device.
  - 15. The article of manufacture claim 14, wherein the device data comprises at least one of a manufacturer identity of the client device, a type of the client device, a model number of the client device, a serial number of the client device.
  - 16. The article of manufacture claim 15, wherein reception of the device data by the provisioning server device causes the provisioning server device to look up the device data in a device database, and verify that the device data is consistent with known devices.
  - 17. The article of manufacture claim 12, wherein at least one of the secure connection or the second secure connection is established, at least in part, by a web browser application operating on the client device.
  - 18. The article of manufacture claim 12, wherein, prior to transmitting the manufacturer security certificate to the provisioning server device, the client device has not communicated with the provisioning server device or the pre-validated server device.

19. A client device comprising:
- a processor;
  
  memory; and
  
  program instructions, stored in the memory, that upon execution by the processor cause the client device to perform operations comprising;
  
  transmitting a manufacturer security certificate to a provisioning server device, wherein the manufacturer security certificate is associated with a manufacturer of the client device;
  
  establishing, between the client device and the provisioning server device, a secure connection, wherein the secure connection is established based on the manufacturer security certificate;
  
  receiving, over the secure connection, a server security certificate, wherein the server security certificate identifies secure communication parameters of a pre-validated server device, wherein the pre-validated server device is not the provisioning server device;
  
  obtaining a unique client device identifier, wherein the unique client device identifier is configured to support secure access to the pre-validated server device; and
  
  based on the unique client device identifier, accessing protected information available to the pre-validated server device, wherein accessing the protected information occurs without the client device transmitting security credentials that identify a user of the client device to the pre-validated server device, wherein the client device stores a plurality of unique tokens, each token limited to use once per an epoch defined by a pre-established number of seconds, and wherein accessing the protected information comprises transmitting a message to establish a second secure connection with the pre-validated server device, wherein the message contains a particular token, from the plurality of unique tokens, that has not been used in a current epoch.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Confia Systems, Inc.
Original Assignee
Confia Systems, Inc.
Inventors
Ramatchandirane, Nadaradjane
Primary Examiner(s)
Dolly, Kendall
Assistant Examiner(s)
Fields, Courtney D

Application Number

US15/457,135
Publication Number

US 20170302656A1
Time in Patent Office

981 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/305   by remotely controlling dev...

G06F 21/44   Program or device authentic...

G06F 21/6218   to a system of files or obj...

G06F 21/73   by creating or determining ...

H04L 63/0823   using certificates cryptogr...

H04L 63/0869   for achieving mutual authen...

H04L 63/0876   based on the identity of th...

H04L 63/166   at the transport layer

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04L 9/3268   using certificate validatio...

H04L 9/3273   for mutual authentication n...

Device-level authentication with unique device identifiers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

83 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Device-level authentication with unique device identifiers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links