Efficient and secure authentication of computing systems
Abstract
The principles of the present invention relate to systems, methods, and computer program products for more efficiently and securely authenticating computing systems. In some embodiments, a limited-use credential is used to provision more permanent credentials. A client receives a limited-use (e.g., a single-use) credential and submits the limited-use credential over a secure link to a server. The server provisions an additional credential (for subsequent authentication) and sends the additional credential to the client over the secure link. In other embodiments, computing systems automatically negotiate authentication methods using an extensible protocol. A mutually deployed authentication method is selected, and secure authentication is facilitated with a tunnel key that is used to encrypt (and subsequently decrypt) authentication content transferred between a client and a server. The tunnel key is derived from a shared secret (e.g., a session key) and nonces.
28 Claims
1. In a client computing system, a method for receiving credentials that can be used to authenticate with a server computing system, the method comprising:

an act of receiving a limited-use credential;
an act of establishing a secure link between the client computing system and the server computing system;
an act of submitting the limited-use credential to the server computing system over the established secure link; and
an act of receiving an additional credential that can be used for subsequent authentication with the server computing system, the additional credential being provisioned at the server computing system based on the limited-use credential.
(Dependent claims: 2, 3, 4)

5. In a server computing system, a method for providing credentials to a client computing system, the method comprising:

an act of establishing a secure link between the server computing system and the client computing system;
an act of receiving a limited-use credential from the client computing system over the established secure link, the limited-use credential authenticating the client computing system;
an act of provisioning an additional credential for the client computing system based on the received limited-use credential, the additional credential for subsequently authenticating the client computing system; and
an act of sending the additional credential to the client computing system over the established secure link.
(Dependent claims: 6, 7, 8)

9. In a client computing system, a method for participating in authentication with a server computing system, the method comprising:

an act of receiving a first server request that includes at least the authentication mechanisms deployed at the server computing system;
an act of sending a first response that includes at least the authentication mechanisms deployed at the client computing system;
an act of identifying a tunnel key that can be used to encrypt content transferred between the client computing system and the server computing system;
an act of receiving a second server request that includes encrypted authentication content, the encrypted authentication content being encrypted with the tunnel key;
an act of decrypting the encrypted authentication content with the tunnel key to reveal unencrypted authentication content, the unencrypted authentication content indicating a mutually deployed authentication mechanism; and
an act of sending a second response, the second response including encrypted response data that is responsive to the unencrypted authentication content, the encrypted response data for authenticating with the server computing system according to the mutually deployed authentication mechanism.
(Dependent claims: 10, 11, 12, 13, 14, 15, 16, 17, 18, 22)

19. In a server computing system, a method for participating in authentication with a client computing system, the method comprising:

an act of sending a first request that includes at least the authentication mechanisms deployed at the server computing system;
an act of receiving a first client response that includes at least the authentication mechanisms deployed at the client computing system;
an act of identifying a tunnel key that can be used to encrypt content transferred between the client computing system and the server computing system;
an act of sending a second request that includes encrypted authentication content, the encrypted authentication content being encrypted with the tunnel key, the encrypted authentication content indicating a mutually deployed authentication mechanism; and
an act of receiving a second client response, the second client response including encrypted response data that is responsive to the encrypted authentication content, the encrypted response data for authenticating with the server computing system according to the mutually deployed authentication mechanism.
(Dependent claims: 20, 21, 23, 24, 25, 26, 27, 28)

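The negotiation of claims 9 and 19 (mechanism lists exchanged in the clear, a tunnel key derived from the shared session key and both nonces, the selected mechanism and the response data carried encrypted under that key), as an added Python model that is not part of the patent. The claims fix no algorithms, so the HKDF-style derivation, the HMAC-SHA256 keystream cipher standing in for a real AEAD, the mechanism names and the session key are all constructed assumptions.

```python
import hashlib, hmac, secrets

# Constructed sample data: the mechanisms each side deploys and a shared session key
SERVER_MECHS = ["eap-tls", "peap", "otp-token"]
CLIENT_MECHS = ["otp-token", "peap"]
SESSION_KEY = hashlib.sha256(b"constructed shared secret").digest()

def derive_tunnel_key(session_key, client_nonce, server_nonce):
    """HKDF-style extract-then-expand over the session key and both nonces (assumed KDF)."""
    prk = hmac.new(client_nonce + server_nonce, session_key, hashlib.sha256).digest()
    return hmac.new(prk, b"tunnel-key\x01", hashlib.sha256).digest()

def select_mechanism(server_mechs, client_mechs):
    """First server-preferred mechanism that the client also deploys, else None."""
    return next((m for m in server_mechs if m in client_mechs), None)

def _keystream(key, nonce, length):
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC with an HMAC keystream: a stand-in for a real AEAD such as AES-GCM."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    """Plaintext, or None when the tag fails (wrong tunnel key or tampered content)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def run_exchange(tamper=False):
    """Claims 9/19: lists and nonces go in the clear, then both sides derive the tunnel key."""
    server_nonce, client_nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    s_key = derive_tunnel_key(SESSION_KEY, client_nonce, server_nonce)  # server side
    c_key = derive_tunnel_key(SESSION_KEY, client_nonce, server_nonce)  # client side
    req2 = seal(s_key, select_mechanism(SERVER_MECHS, CLIENT_MECHS).encode())  # 2nd request
    if tamper:  # flip one bit of the tag to show the client rejecting altered content
        req2 = req2[:-1] + bytes([req2[-1] ^ 1])
    mech = open_(c_key, req2)  # client decrypts; None means the content was rejected
    if mech is None:
        return None
    return open_(s_key, seal(c_key, b"response-for-" + mech)).decode()  # 2nd response
```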