Enhanced authentication for secure communications

US 10,637,855 B2
Filed: 06/26/2017
Issued: 04/28/2020
Est. Priority Date: 05/20/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

obtaining a challenge value from an authentication service;

subsequent to performing a cryptographic key exchange with a client computer in accordance with a cryptographic protocol that includes an authentication phase, sending, to the client computer using the cryptographic protocol, the challenge value within a field that is not reserved by the cryptographic protocol for the challenge value, wherein the field is in a handshake message, the handshake message in accordance with the cryptographic protocol, transmitted as part of a handshake of the cryptographic protocol; and

authenticating a response to the challenge value based at least in part on the challenge value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A server obtains a challenge from another computer system during a negotiation with a client according to a protocol. The server injects the challenge into a message of the protocol to the client. The client uses the challenge in an authentication request. The server submits the authentication request to the other computer system for verification. The other computer system verifies the authentication request using a key registered to the client. The server operations are further dependent at least in part on whether verification of the authentication request was successful.

24 Citations

View as Search Results

17 Claims

1. A computer-implemented method comprising:
- obtaining a challenge value from an authentication service;
  
  subsequent to performing a cryptographic key exchange with a client computer in accordance with a cryptographic protocol that includes an authentication phase, sending, to the client computer using the cryptographic protocol, the challenge value within a field that is not reserved by the cryptographic protocol for the challenge value, wherein the field is in a handshake message, the handshake message in accordance with the cryptographic protocol, transmitted as part of a handshake of the cryptographic protocol; and
  
  authenticating a response to the challenge value based at least in part on the challenge value.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-implemented method of claim 1, further comprising:
    - receiving the challenge value from a server; and
      
      wherein authenticating the response to the challenge value comprises transmitting the response to the challenge value to the server to be authenticated.
  - 3. The computer-implemented method of claim 1, wherein the response to the challenge value comprises a digital signature.
  - 4. The computer-implemented method of claim 1, wherein:
    - the computer-implemented method is performed by a first system;
      
      authenticating the response comprises transmitting the response to a second system to cause the second system to perform a cryptographic operation to authenticate the response; and
      
      the cryptographic operation is performed using a cryptographic key that is inaccessible to the first system.
  - 5. The computer-implemented method of claim 1, wherein the challenge value comprises a randomly generated value.

6. A system, comprising:
- one or more processors; and
  
  memory storing instructions that, if executed by the one or more processors, cause the system to;
  
  perform, before an authentication phase of a cryptographic protocol, a key exchange with a client computer, the key exchange being a condition of the cryptographic protocol;
  
  send, to the client computer in accordance with the cryptographic protocol, a challenge value within a field that is not reserved by the cryptographic protocol for the challenge value, the challenge value obtained from an authentication service, the field in a handshake message sent as part of a handshake of the cryptographic protocol; and
  
  authenticate a response, from the client computer, to the challenge value based at least in part on the challenge value.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The system of claim 6, wherein the challenge value is generated by another system.
  - 8. The system of claim 6, wherein:
    - the response comprises a digital signature; and
      
      the system authenticates the response by verifying the digital signature using a message of the cryptographic protocol that comprises the challenge value.
  - 9. The system of claim 6, wherein the system authenticates the response by at least:
    - transmitting over a network a request to authenticate the response; and
      
      receiving, over the network, an indication of whether the response is successfully authenticated.
  - 10. The system of claim 6, wherein the cryptographic protocol is to establish a cryptographically protected communications session.
  - 11. The system of claim 6, wherein the instructions, if executed, further cause the system to provide access to computing resources as a result of successful authentication of the response.
  - 12. The system of claim 6, wherein the field is optionally populated according to the cryptographic protocol.

13. A non-transitory computer-readable storage medium storing thereon instructions that, if executed by one or more processors of a computer system, cause the computer system to:
- obtain, after exchanging a key with a first computer in accordance with a cryptographic protocol that includes an authentication phase, a challenge value from the first computer within a field that is not reserved by the cryptographic protocol for the challenge value, the field in a handshake message transmitted as part of a handshake of the cryptographic protocol;
  
  send a response to the challenge value; and
  
  obtain an indication from the first computer whether the response to the challenge value has been verified by an authentication service.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The non-transitory computer-readable storage medium of claim 13, the field is optionally populated according to the cryptographic protocol.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein the field is reserved by the cryptographic protocol for another value.
  - 16. The non-transitory computer-readable storage medium of claim 13, wherein the cryptographic protocol is to establish a cryptographically protected communications session.
  - 17. The non-transitory computer-readable storage medium of claim 13, whether the instructions, if executed, further cause the computer system to generate the response by at least computing a digital signature over information that comprises a message of the cryptographic protocol that comprises the challenge value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Mikulski, Andrew Paul, Allen, Nicholas Alexander, Roth, Gregory Branchek
Primary Examiner(s)
Chen, Shin-Hon (Eric)

Application Number

US15/632,787
Publication Number

US 20170331822A1
Time in Patent Office

1,037 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 2463/121   Timestamp cryptographic mec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0876   based on the identity of th...

H04L 63/0884   by delegation of authentica...

H04L 63/123   received data contents, e.g...

H04L 63/166   at the transport layer

H04L 9/3234   involving additional secure...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

H04L 9/3271   using challenge-response

H04L 9/3297   involving time stamps, e.g....

Enhanced authentication for secure communications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

24 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Enhanced authentication for secure communications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links