Efficient and secure authentication of computing systems

US 20050210252A1
Filed: 03/19/2004
Published: 09/22/2005
Est. Priority Date: 03/19/2004
Status: Active Grant

First Claim

Patent Images

1. In a client computing system, a method for receiving credentials that can be used to can authentic with a server computing system, the method comprising:

an act of receiving a limited-use credential;

an act of establishing a secure link between the client computing system and the server computing system;

an act of submitting the limited-use credential to the server computing system over the established secure link; and

an act of receiving an additional credential that can be used for subsequent authentication with the server computing system, the additional credentials being provisioned at the sever computing system based on the limited-use credential.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The principles of the present invention relate to systems, methods, and computer program products for more efficiently and securely authenticating computing systems. In some embodiments, a limited use credential is used to provision more permanent credentials. A client receives a limited-use (e.g., a single-use) credential and submits the limited-use credential over a secure link to a server. The server provisions an additional credential (for subsequent authentication) and sends the additional credential to the client over the secure link. In other embodiments, computing systems automatically negotiate authentication methods using an extensible protocol. A mutually deployed authentication method is selected and secure authentication is facilitated with a tunnel key that is used encrypt (and subsequently decrypt) authentication content transferred between a client and a server. The tunnel key is derived from a shared secret (e.g., a session key) and nonces.

Citations

28 Claims

1. In a client computing system, a method for receiving credentials that can be used to can authentic with a server computing system, the method comprising:
- an act of receiving a limited-use credential;
  
  an act of establishing a secure link between the client computing system and the server computing system;
  
  an act of submitting the limited-use credential to the server computing system over the established secure link; and
  
  an act of receiving an additional credential that can be used for subsequent authentication with the server computing system, the additional credentials being provisioned at the sever computing system based on the limited-use credential.
- View Dependent Claims (2, 3, 4)
- - 2. The method as recited in claim 1, wherein the limited-use credential is a single-use password.
  - 3. The method as recited in claim 1, wherein establishing a secure link between the client computing system and the server computing system comprises generating a session key based on Diffie-Hellman public keys of the client computing system and the server computing system.
  - 4. The method as recite in claim 1, wherein the an act of receiving an additional credential that can be used for subsequent authentication with the server computing system comprises an act of receiving a certificate that can be used to access a wireless network.

5. In a server computing system, a method for providing credentials to a client computing system, the method comprising:
- an act of establishing a secure link between the server computing system and the client computing system;
  
  an act of receiving a limited-use credential from the client computing system over the established secure link, the limited-use credential authenticating the client computing system;
  
  an act of provisioning an additional credential for the client computing system based on the received limited-user credential, the additional credential for subsequently authenticating the client computing system; and
  
  an act of sending the additional credential to the client computing system over the established secure link.
- View Dependent Claims (6, 7, 8)
- - 6. The method as recited in claim 5, wherein establishing a secure link between the server computing system and the client computing system comprises generating a session key based on Diffie-Hellman public keys of the server computing system and the client computing system.
  - 7. The method as recited in claim 5, wherein the limited-use credential is a single-use password.
  - 8. The method as recited in claim 5, wherein the act of provisioning an additional credential for the client computing system based on the received limited-user credential comprises provisioning a certificate that can be used to access a wireless network.

9. In a client computing system, a method for participating in authentication with a server computing system, the method comprising:
- an act of receiving a first server request that includes at least the authentication mechanisms deployed at the server computing system;
  
  an act of sending a first response that includes at least the authentication mechanisms deployed at the client computing system;
  
  an act of identifying a tunnel key that can be used to encrypt content transferred between the client computing system and server computing system;
  
  an act of receiving a second server request that includes encrypted authentication content, the encrypted authentication content being encrypted with the tunnel key;
  
  an act of decrypting the encrypted authentication content with the tunnel key to reveal unencrypted authentication content, the unencrypted authentication content indicating a mutually deployed authentication mechanism; and
  
  an act of sending a second response, the second response including encrypted response data that is responsive to the unencrypted authentication content, the encrypted response data for authenticating with the server computing system according to the mutually deployed authentication mechanism.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 22)
- - 10. The method as recited in claim 9, wherein the first server request includes the authentication mechanisms deployed at the server computing system, a previous packet ID and a Nonce.
  - 11. The method as recited in claim 9, wherein the authentication mechanisms deployed at the server computing system include one more authentication mechanisms selected from among MS-CHAP v2, Authentication with MD5, Authentication with Generic Token Card, Authentication with Kerberos, Authentication with X.509, and Authentication with WS-Security.
  - 12. The method as recited in claim 9, wherein the authentication mechanisms deployed at the client computing system include one more authentication mechanisms selected from among MS-CHAP v2, Authentication with MD5, Authentication with Generic Token Card, Authentication with Kerberos, Authentication with X.509, and Authentication with WS-Security.
  - 13. The method as recited in claim 9, wherein the first response includes the authentication mechanisms deployed at the client computing system, a previous packet ID, a nonce, one or more security associations, and one or more public keys.
  - 14. The method as recited in claim 9, wherein the act of identifying a tunnel key comprises deriving a tunnel key based on a shared secret, a client side nonce, and a server side nonce.
  - 15. The method as recited in claim 9, wherein the act of receiving a second server request comprises receiving encrypted authentication content corresponding to an authentication method selected from among:
    - negotiating an authentication method, re-authenticating, boot-strapping a client with an existing user-name and password, boot-strapping a client with an X.509 certificate, authenticating with an X.509 certificate, and boot-strapping a new client with a Kerberos token.
  - 16. The method as recited in claim 9, wherein the second server request includes encrypted authentication content, a previous packet ID, a security association, and a public key.
  - 17. The method as recited in claim 9, wherein the act of sending a second response includes sending encrypted responsive data for an authentication method selected from among:
    - negotiating an authentication method, re-authenticating, boot-strapping a client with an existing user-name and password, boot strapping a client with an X.509 certificate, authenticating with an X.509 certificate, and boot-strapping a new client with a Kerberos token.
  - 18. The method as recite in claim 9, wherein the second response includes encrypted responsive data and a previous packet ID.
  - 22. The method as recited in claim 9, wherein the authentication mechanisms deployed at the client computing system include one more authentication mechanisms selected from among MS-CHAP v2, Authentication with MD5, Authentication with Generic Token Card, Authentication with Kerberos, Authentication with X.509, and Authentication with WS-Security.

19. In a server computing system, a method for participating in authentication with a client computing system, the method comprising:
- an act of sending a first request that includes at least the authentication mechanisms deployed at the server computing system;
  
  an act of receiving a first client response that includes at least the authentication mechanisms deployed at the client computing system;
  
  an act of identifying a tunnel key that can be used to encrypt content transferred between the client computing system and server computing system;
  
  an act of sending a second request that includes encrypted authentication content, the encrypted authentication content being encrypted with the tunnel key, the encrypted authentication content indicating a mutually deployed authentication mechanism; and
  
  an act of receiving a second client response, the second client response including encrypted response data that is responsive to the encrypted authentication content, the encrypted response data for authenticating with the server computing system according to the mutually deployed authentication mechanism.
- View Dependent Claims (20, 21, 23, 24, 25, 26, 27, 28)
- - 20. The method as recited in claim 19, wherein the first request includes the authentication mechanisms deployed at the server computing system, a previous packet ID and a Nonce.
  - 21. The method as recited in claim 19, wherein the authentication mechanisms deployed at the server computing system include one more authentication mechanisms selected from among MS-CHAP v2, Authentication with MD5, Authentication with Generic Token Card, Authentication with Kerberos, Authentication with X.509, and Authentication with WS-Security.
  - 23. The method as recited in claim 19, wherein the first client response includes the authentication mechanisms deployed at the client computing system, a previous packet ID, a nonce, one or more security associations, and one or more public keys.
  - 24. The method as recited in claim 19, wherein the act of identifying a tunnel key comprises deriving a tunnel key based on a shared secret, a client side nonce, and a server side nonce.
  - 25. The method as recited in claim 19, wherein the act of sending a second request comprises sending encrypted authentication content corresponding to an authentication method selected from among:
    - negotiating an authentication method, re-authenticating, boot-strapping a client with an existing user-name and password, boot-strapping a client with an X.509 certificate, authenticating with an X.509 certificate, and boot-strapping a new client with a Kerberos token.
  - 26. The method as recited in claim 19, wherein the second request includes encrypted authentication content, a previous packet ID, a security association, and a public key.
  - 27. The method as recited in claim 19, wherein the act of receiving a second client response includes receiving encrypted responsive data for an authentication method selected from among:
    - negotiating an authentication method, re-authenticating, boot-strapping a client with an existing user-name and password, boot strapping a client with an X.509 certificate, authenticating with an X.509 certificate, and boot-strapping a new client with a Kerberos token.
  - 28. The method as recite in claim 19, wherein the second client response includes encrypted responsive data and a previous packet ID.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Moore, Timothy M., Simon, Daniel R., Freeman, Trevor William, Aboba, Bernard D.

Granted Patent

US 7,549,048 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

G06F 21/31   User authentication

H04L 63/0428   wherein the data content is...

H04L 63/0838   using one-time-passwords

H04L 63/0846   using time-dependent-passwo...

H04L 63/166   at the transport layer

H04L 63/205   involving negotiation or de...

Efficient and secure authentication of computing systems

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Efficient and secure authentication of computing systems

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links