Authentication of remotely originating network messages
Abstract
A method and system for authenticating messages received from users across multiple remote devices are provided. A residential gateway authenticates a user using a modified digest authentication scheme by storing a sequence number in the nonce field. Access encryption keys and sequence number spaces may be assigned based on user or on user/remote device pairs. When sequence number spaces are assigned based on user, and the user uses multiple remote devices to access the residential gateway, the sequence number space may be divided into mini-sequence number spaces for each of the multiple remote devices. Access encryption may be two-tiered, such that a secondary key is generated based on a user's primary key, and the secondary key is only valid for a limited amount of time before it expires and a new secondary key must be generated.
52 Claims
1. A computer-implemented method for authenticating data messages using a challenge-response authentication mechanism, comprising:
(i) receiving a message comprising a first authentication credential, a user ID and a predetermined sequence number;
(ii) retrieving a secret corresponding at least to the user ID;
(iii) generating a second authentication credential based on information comprising the retrieved secret and the predetermined sequence number; and
(iv) comparing the first and second authentication credentials.
Dependent claims: 2-18.
19. A data processing device that authenticates communications from a user using a plurality of remote devices, comprising:
a processor for controlling operation of the data processing device;
a first database for storing information corresponding to ranges of sequence numbers associated with pairs of users and remote devices, and for storing sliding window information corresponding to each range of sequence numbers;
memory storing software comprising computer executable instructions that, when executed by the processor, perform a method comprising:
(i) receiving a first message comprising a user ID and a first remote device ID;
(ii) assigning a first available range of sequence numbers to the user ID and first remote device ID pair;
(iii) receiving a second message comprising the user ID and a second remote device ID; and
(iv) assigning a second available range of sequence numbers to the user ID and second remote device ID pair.
Dependent claims: 20-29.
30. A data processing device using a challenge response mechanism to authenticate communications from a user using a plurality of remote devices to communicate with at least one networked appliance, comprising:
a processor for controlling operation of the data processing device;
memory storing software comprising computer executable instructions that, when executed by the processor, perform a method comprising:
(i) initially establishing a primary key corresponding to the user;
(ii) generating a secondary key corresponding to the user based on the primary key, wherein the secondary key is valid for a predetermined amount of time;
(iii) authenticating messages from the user received within the predetermined amount of time based on the secondary key.
Dependent claims: 31-34.
35. A mobile device, comprising:
a processor controlling operation of the device;
memory storing software comprising computer executable instructions that, when executed by the processor, cause the device to perform a method utilizing a challenge-response authentication mechanism, said method comprising:
(i) sending a first message including a predetermined sequence number, and a first authentication credential value based on information including the predetermined sequence number and a secret;
(ii) incrementing the sequence number; and
(iii) sending a second message including the incremented sequence number, and a second authentication credential value based on information including the incremented sequence number and the secret.
Dependent claims: 36-41, 52.
42. A data processing device that uses a challenge-response mechanism to authenticate communications with a user, comprising:
a processor for controlling operation of the data processing device;
memory storing software comprising computer executable instructions that, when executed by the processor, perform a method comprising:
(i) receiving a message comprising a first authentication credential, a user ID and a predetermined sequence number;
(ii) retrieving a secret corresponding at least to the user ID;
(iii) generating a second authentication credential based on information comprising the retrieved secret and the predetermined sequence number; and
(iv) comparing the first and second authentication credentials.
Dependent claims: 43-50.
51. A data processing device acting as a gateway between a networked appliance connected to the data processing device via a local network, and a remote access device communicating with the networked appliance by sending authenticated networked appliance control messages over a wide area network using a challenge-response authentication mechanism, said data processing device comprising:
a processor for controlling operation of the data processing device;
a user database for storing user authentication information;
a sequence number database for storing information corresponding to ranges of sequence numbers associated with pairs of users and remote devices, and for storing sliding window information corresponding to each range of sequence numbers, said sliding window information indicating whether each message within the sliding window has or has not been received;
software comprising computer executable instructions that, when executed by the processor, perform a method comprising:
(i) receiving a networked appliance control message comprising a first authentication credential value, a user ID and a sequence number;
(ii) querying the sequence number database for the sequence number;
(iii) rejecting the networked appliance control or monitoring message when the sequence number is below the corresponding window of sequence numbers, or the sequence number is within the corresponding window of sequence numbers and is marked as received;
(iv) querying the user database for a password corresponding to the user ID;
(v) generating a second authentication credential based on information including the password and the sequence number;
(vi) comparing the first and second authentication credentials;
(vii) rejecting the networked appliance control or monitoring message when the two authentication credentials do not match;
(viii) accepting the networked appliance control message when the authentication credentials match and, either, the sequence number is within the corresponding window of sequence numbers and is marked as not received, or the sequence number is above the corresponding window of sequence numbers;
(ix) moving the corresponding window of sequence numbers up to the sequence number when in step (viii) the sequence number is above the window of allowed sequence numbers and the authentication credentials match; and
(x) marking the sequence number as received within the window.
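The gateway side of claim 51, steps (i) through (x), as an added Python example that is not the patent's own code: the replay check against a per-(user, device) sliding window runs first, the credential is recomputed from the stored password and compared in constant time, and only an authenticated message may slide the window forward. The credential construction (HMAC-SHA256 over user ID, sequence number and message body), the window width of 8, and the user names, device IDs and secrets are all assumptions made for the example.

```python
import hmac
import hashlib

WINDOW = 8  # sliding-window width (assumed; the claim fixes no size)

# Constructed user database: user ID -> shared secret (the claim's "password")
USERS = {"alice": b"correct-horse"}

# Constructed sequence-number database keyed by (user ID, remote device ID).
# 'base' is the lowest sequence number inside the window; 'seen' holds the
# numbers within the window already marked as received.
SEQ_DB = {("alice", "phone"): {"base": 100, "seen": set()}}


def credential(secret: bytes, user_id: str, seq: int, body: str) -> str:
    """Authentication credential: HMAC-SHA256 over user ID, sequence number and
    body (assumed construction; the claim only requires password + seq)."""
    msg = f"{user_id}:{seq}:{body}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def gateway_verify(user_id: str, device_id: str, seq: int, body: str, cred: str):
    """Returns (accepted, reason) following claim 51 steps (i)-(x)."""
    win = SEQ_DB.get((user_id, device_id))
    if win is None:
        return False, "unknown user/device pair"
    top = win["base"] + WINDOW - 1
    # (ii)-(iii): below the window, or inside it and already received -> replay
    if seq < win["base"] or (seq <= top and seq in win["seen"]):
        return False, "replayed or stale sequence number"
    # (iv)-(vii): recompute the credential from the stored secret and compare;
    # this happens before any window movement, so a forged message cannot
    # advance the window and lock out the legitimate device
    secret = USERS.get(user_id)
    if secret is None or not hmac.compare_digest(credential(secret, user_id, seq, body), cred):
        return False, "credential mismatch"
    # (viii)-(ix): above the window -> slide it so seq becomes the top,
    # discarding marks that fall below the new base
    if seq > top:
        win["base"] = seq - WINDOW + 1
        win["seen"] = {s for s in win["seen"] if s >= win["base"]}
    # (x): mark the sequence number as received within the window
    win["seen"].add(seq)
    return True, "accepted"
```

An out-of-order message whose sequence number is still inside the window and not yet marked is accepted, which is what lets the gateway tolerate reordering without accepting replays.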