Two-way authentication using a combined code

US 20070136800A1
Filed: 12/13/2005
Published: 06/14/2007
Est. Priority Date: 12/13/2005
Status: Active Grant

First Claim

Patent Images

1. One or more device-readable media encoded with device-executable instructions for performing steps comprising:

identifying in a combined code at least two sets of data for authentication;

sending a connection request to a target service;

receiving a certificate from the target service for establishing a secure channel;

validating the certificate with a first set of data included in the combined code; and

if the certificate is validated, providing the second set of data to the target service, the second set of data including credential for authentication.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication process using a combined code as a shared secret between a client and target service is provided. The combined code is provided out-of-band and includes data to perform two-way authentication for both the client and the target service. The target service may provide the client with a certificate to establish a secure channel. The client may use the data in the combined code to validate the target service. When the target service is validated, the client may provide credentials in the combined code to the target service for authentication. In one example implementation, the combined code includes a hash of a public key. The client may compute another hash of another public key in the certificate provided by the target service and validate the service by comparing the hash in the combined code and the computed hash.

Citations

21 Claims

1. One or more device-readable media encoded with device-executable instructions for performing steps comprising:
- identifying in a combined code at least two sets of data for authentication;
  
  sending a connection request to a target service;
  
  receiving a certificate from the target service for establishing a secure channel;
  
  validating the certificate with a first set of data included in the combined code; and
  
  if the certificate is validated, providing the second set of data to the target service, the second set of data including credential for authentication.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The one or more device-readable media as recited in claim 1, wherein the first set of data includes a first hash associated with a valid public key.
  - 3. The one or more device-readable media as recited in claim 2, further comprising:
    - identifying a public key included in the certificate;
      
      computing a second hash of the public key in the certificate; and
      
      if the first hash and second hash match, determining that the certificate is valid.
  - 4. The one or more device-readable media as recited in claim 1, further comprising receiving the combined code from an out-of-band mechanism.
  - 5. The one or more device-readable media as recited in claim 4, wherein the out-of-band mechanism includes at least one of entering the combined code through a user-interface, a bar code scanner, radio frequency identification (RFID) reader, wired data connection, wireless data connection, and optical data communication.
  - 6. The one or more device-readable media as recited in claim 1, further comprising:
    - determining an indicator in the combined code; and
      
      parsing the combined code to identify the two sets of data based, at least in part, on the indicator.
  - 7. The one or more device-readable media as recited in claim 1, wherein the target service is included in at least one of a network device, a computer device, a network appliance, a wireless access point, a printer, a router, a scanner, a phone and a camera.

8. A device configured to offer services to a client through a network connection, the device also configured to provide a combined code containing data for the client to authenticate the device and a certificate to establish a secure channel with the client, the combined code being provided to the client out-of-band and containing a first credential, the certificate including data verifiable by the data in the combined code provided to the client, the device further configured to receive a second credential from the client with the established secure channel and to authenticate the client by comparing the second credential received from the client with the first credential included in the provided combined code.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The device as recited in claim 8, wherein the data in the combined code for the client to authenticate the device includes a hash of a public key included in the certificate.
  - 10. The device as recited in claim 8, wherein the combined code provided to the client is included in at least one of a physical label on the device, a message, an email, a radio frequency identification (RFID) tag, a magnetic data strip, optical communications, and data connection.
  - 11. The device as recited in claim 10, wherein the combined code is displayed on the label as at least one of plain text, human-readable symbols, machine-readable data, bar code, and Braille.
  - 12. The device as recited in claim 8, wherein the credential in the combined code is only valid for a limited number of uses.
  - 13. The device as recited in claim 8, wherein the device is further configured to require the client to provide a valid credential within a limited number of attempts.
  - 14. The device as recited in claim 8, wherein the certificate is provided to the client using Hyper-Text Transport Protocol (HTTP) communications.
  - 15. The device as recited in claim 8, wherein the secure channel is established using Transport Layer Security (TLS) protocols.
  - 16. The device as recited in claim 8, wherein the device is at least one of a network device, a computer device, a network appliance, a wireless access point, a printer, a router, a scanner, a phone and a camera.

17. A system for establishing a connection between a client and a target service comprising:
- means for incorporating data in a combined code for the client and the target service to perform mutual authentication;
  
  means for providing the combined code to the client out-of-band;
  
  means for the client to authenticate the target service using data in the combined code; and
  
  means for the client to provide credential in the combined code to the target service for authentication.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The system as recited in claim 17, further comprising:
    - means for incorporating a first hash of a public key in the combined code;
      
      means for providing a certificate to the client to establish a secure channel with the target service;
      
      means for identifying a public key in the certificate;
      
      means for computing a second hash of the public key in the certificate; and
      
      means for authenticating the target service by comparing the first hash and the second hash.
  - 19. The system as recited in claim 17, further comprising:
    - means for incorporating a hash of the combined code within the combined code; and
      
      means for identifying typographically error with the hash.
  - 20. The system as recited in claim 17, further comprising:
    - means for encoding the combined code using a coding format; and
      
      means for determining the coding format based on the first character of the combined code.
  - 21. The system as recited in claim 18, further comprising means for marking the certificate as trusted and storing the certificate in the trusted certificate store if the target service is authenticated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Kuehnel, Thomas, Chan, Shannon

Granted Patent

US 7,814,538 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/10
CPC Class Codes

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/0869   for achieving mutual authen...

H04L 63/1466   Active attacks involving in...

H04L 63/18   using different networks or...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3263   involving certificates, e.g...

Two-way authentication using a combined code

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Two-way authentication using a combined code

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links