COMPUTER SYSTEM FOR AUTHENTICATING A COMPUTING DEVICE

US 20090007234A1
Filed: 12/06/2006
Published: 01/01/2009
Est. Priority Date: 07/29/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method for establishing a communications session between two computing devices connected to a network, the method comprising:

receiving a request from a first registered computing device to establish a communications session with a second registered computing device;

receiving from the first registered computing device a first short-term authentication credential of the first registered computing device and a second short-term authentication credential of the second registered computing device;

authenticating the first registered computing device by sending the first registered computing device an authentication challenge, receiving an authentication challenge response from the first registered computing device, and using the received first short-term authentication credential of the first computing device to determine whether the authentication challenge response is a correct response to the authentication challenge; and

when the first registered computing device is authenticated, sending to the first registered computing device a session credential for use in completing establishment of the communications session with the second registered computing device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer architecture for enterprise device applications provides a real-time, bi-directional communication layer for device communication. An identity-based communications layer provides for secure, end-to-end telemetry and control communications by enabling mutual authentication and encryption between the devices and the enterprise. A unique identity is assigned to each device, user and application to provide security services. A communications session is established between two devices using an authentication service that authenticates the device that is initiating the establishment of the communications session with another device. After authenticating the initiating device, the authentication service provides to the initiating device the network address of the other device and an authentication credential for use in the communications session between the initiating device and the other device.

162 Citations

View as Search Results

39 Claims

1. A method for establishing a communications session between two computing devices connected to a network, the method comprising:
- receiving a request from a first registered computing device to establish a communications session with a second registered computing device;
  
  receiving from the first registered computing device a first short-term authentication credential of the first registered computing device and a second short-term authentication credential of the second registered computing device;
  
  authenticating the first registered computing device by sending the first registered computing device an authentication challenge, receiving an authentication challenge response from the first registered computing device, and using the received first short-term authentication credential of the first computing device to determine whether the authentication challenge response is a correct response to the authentication challenge; and
  
  when the first registered computing device is authenticated, sending to the first registered computing device a session credential for use in completing establishment of the communications session with the second registered computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1 further comprising:
    - sending a request for the second short-term authentication credential from the first registered computing device to the second registered computing device; and
      
      receiving at the first registered computing device the second short-term authentication credential of the second registered computing device from the second registered computing device.
  - 3. The method of claim 1 wherein the session credential includes session information encrypted with the first short-term authentication credential of the first registered computing device.
  - 4. The method of claim 1 wherein the session credential includes session information encrypted with the second short-term authentication credential of the second registered computing device.
  - 5. The method of claim 1 wherein the session credential includes policy settings for use in the communications session between the first registered computing device and the second registered computing device.
  - 6. The method of claim 1 wherein the second short-term authentication credential of the second registered computing device is invalid after a registration expires.
  - 7. The method of claim 6 wherein the registration of the second registered computing device comprises a registration that expires when a predetermined amount of time has elapsed since the short-term authentication credential of the second registered computing device was created.
  - 8. The method of claim 6 wherein the registration of the second registered computing device comprises a registration that expires when the second computing device powers off.
  - 9. The method of claim 1 further comprising:
    - using a long-term authentication credential to authenticate the second registered computing device; and
      
      when the second registered computing device is authenticated, associating the short-term authentication credential of the second registered computing device with the second registered computing device.
  - 10. The method of claim 9 further comprising associating a predetermined amount of time with the short-term authentication credential of the second registered computing device.
  - 11. The method of claim 1 wherein the short-term authentication credential of the first registered computing device comprises a cryptographic key, the authentication challenge comprises a non-repeatable number, the authentication challenge response comprises the non-repeatable number encrypted using the cryptographic key, and using the received first short-term authentication credential to determine whether the authentication challenge response is a correct response comprises:
    - encrypting the non-repeatable number using the cryptographic key;
      
      comparing the encrypted non-repeatable number with the received encrypted non-repeatable number of the authentication challenge response; and
      
      determining that the authentication challenge response is a correct response when the encrypted non-repeatable number matches the encrypted non-repeatable number of the authentication challenge response.
  - 12. The method of claim 11 wherein encrypting the non-repeatable number comprises encrypting the non-repeatable number using a symmetric cryptographic algorithm.
  - 13. The method of claim 11 wherein encrypting the non-repeatable number comprises encrypting the non-repeatable number using an asymmetric cryptographic algorithm.
  - 14. The method of claim 11 wherein the non-repeatable number is a sequence number.
  - 15. The method of claim 11 wherein the non-repeatable number is a randomly generated number.
  - 16. The method of claim 11 wherein the non-repeatable number is a time-stamp derived from a date and a time.

17. A method for establishing a communications session between two computing devices connected to a network, the method comprising:
- receiving a request from a first registered computing device to establish a communications session with a second registered computing device;
  
  receiving from the first registered computing device a first short-term authentication credential of the first registered computing device;
  
  authenticating the first registered computing device by sending the first registered computing device an authentication challenge, receiving an authentication challenge response from the first registered computing device, and using the received first short-term authentication credential of the first computing device to determine whether the authentication challenge response is a correct response to the authentication challenge;
  
  determining whether the first registered computing device is permitted to establish the communications session with the second registered computing device; and
  
  when the first registered computing device is authenticated and permitted to establish the communications session with the second registered computing device;
  
  sending to the first registered computing device a network address associated with the second registered computing device for use in completing establishment of the communications session with the second registered computing device,receiving from the first registered computing device a second short-term credential of the second registered computing device,sending to the first registered computing device a session credential for use in completing establishment of the communications session with the second registered computing device, andsending the session credential from the first registered computing device to the second registered computing device for use in completing establishment of the communications session with the second registered computing device.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. The method of claim 17 further comprising:
    - sending a request for the second short-term authentication credential from the first registered computing device to the second registered computing device; and
      
      receiving at the first registered computing device the second short-term authentication credential of the second registered computing device from the second registered computing device.
  - 19. The method of claim 17 wherein the session credential includes session information encrypted with the first short-term authentication credential of the first registered computing device.
  - 20. The method of claim 17 wherein the session credential includes session information encrypted with the second short-term authentication credential of the second registered computing device.
  - 21. The method of claim 17 further comprising:
    - determining policy information for use in the communications session between the first registered computing device and the second registered computing device; and
      
      when the first registered computing device is authenticated and permitted to establish a communications session with the second registered computing device, sending the policy information to the first registered computing device.
  - 22. The method of claim 17 wherein the session credential includes policy information for use in the communications session between the first registered computing device and the second registered computing device.
  - 23. The method of claim 17 wherein an authentication service receives the request from the first registered computing device, receives the first short-term credential from the first registered computing device, authenticates the first registered computing device, determines whether the first registered computing device is permitted to establish the communications session with the second registered computing device, and sends the network address, receives the second short-term credential, and sends the session credential when the first registered computing device is authenticated and permitted.
  - 24. The method of claim 23 wherein the authentication service authenticates the first registered computing device before determining whether the first registered computing device is permitted to establish the communications session.
  - 25. The method of claim 23 wherein the authentication service authenticates the first registered computing device after determining whether the first registered computing device is permitted to establish the communications session

26. A computer-readable medium or propagated signal having embodied thereon a computer program configured to establish a communications session between two computing devices connected to a network, the medium or signal comprising one or more code segments configured to:
- receive a request from a first registered computing device to establish a communications session with a second registered computing device;
  
  receive from the first registered computing device a first short-term authentication credential of the first registered computing device and a second short-term authentication credential of the second registered computing device;
  
  authenticate the first registered computing device by sending the first registered computing device an authentication challenge, receiving an authentication challenge response from the first registered computing device, and using the received first short-term authentication credential of the first computing device to determine whether the authentication challenge response is a correct response to the authentication challenge; and
  
  when the first registered computing device is authenticated, send to the first registered computing device a session credential for use in completing establishment of the communications session with the second registered computing device.
- View Dependent Claims (27, 28)
- - 27. The medium or signal of claim 26 wherein the one or more code segments are further configured to:
    - send a request for the second short-term authentication credential from the first registered computing device to the second registered computing device; and
      
      receive at the first registered computing device the second short-term authentication credential of the second registered computing device from the second registered computing device.
  - 28. The medium or signal of claim 27 wherein the short-term authentication credential of the first registered computing device comprises a cryptographic key, the authentication challenge comprises a non-repeatable number, the authentication challenge response comprises the non-repeatable number encrypted using the cryptographic key, wherein the one or more code segments configured to use the received first short-term authentication credential to determine whether the authentication challenge response is a correct response comprise one or more code segments configured to:
    - encrypt the non-repeatable number using the cryptographic key;
      
      compare the encrypted non-repeatable number with the received encrypted non-repeatable number of the authentication challenge response; and
      
      determine that the authentication challenge response is a correct response when the encrypted non-repeatable number matches the encrypted non-repeatable number of the authentication challenge response.

29. A computer-readable medium or propagated signal having embodied thereon a computer program configured to establish a communications session between two computing devices connected to a network, the medium or signal comprising one or more code segments configured to:
- receive a request from a first registered computing device to establish a communications session with a second registered computing device;
  
  receive from the first registered computing device a first short-term authentication credential of the first registered computing device;
  
  authenticate the first registered computing device by sending the first registered computing device an authentication challenge, receiving an authentication challenge response from the first registered computing device, and using the received first short-term authentication credential of the first computing device to determine whether the authentication challenge response is a correct response to the authentication challenge;
  
  determine whether the first registered computing device is permitted to establish the communications session with the second registered computing device; and
  
  when the first registered computing device is authenticated and permitted to establish the communications session with the second registered computing device;
  
  send to the first registered computing device a network address associated with the second registered computing device for use in completing establishment of the communications session with the second registered computing device,receive from the first registered computing device a second short-term credential of the second registered computing device,send to the first registered computing device a session credential for use in completing establishment of the communications session with the second registered computing device, andsend the session credential from the first registered computing device to the second registered computing device for use in completing establishment of the communications session with the second registered computing device.
- View Dependent Claims (30, 31, 32)
- - 30. The medium or signal of claim 29 wherein the one or more code segments are further configured to:
    - send a request for the second short-term authentication credential from the first registered computing device to the second registered computing device; and
      
      receive at the first registered computing device the second short-term authentication credential of the second registered computing device from the second registered computing device.
  - 31. The medium or signal of claim 29 wherein the one or more code segments are further configured to:
    - determine policy information for use in the communications session between the first registered computing device and the second registered computing device; and
      
      when the first registered computing device is authenticated and permitted to establish a communications session with the second registered computing device, send the policy information to the first registered computing device.
  - 32. The medium or signal of claim 29 wherein the one or more code segments are configured as an authentication service for receiving the request from the first registered computing device, receiving the first short-term credential from the first registered computing device, authenticating the first registered computing device, determining whether the first registered computing device is permitted to establish the communications session with the second registered computing device, sending the network address, receiving the second short-term credential, and sending the session credential when the first registered computing device is authenticated and permitted.

33. A system for establishing a communications session between two computing devices connected to a network, the system comprising a processor connected to a storage device and one or more input/output devices, wherein the processor is configured to:
- receive a request from a first registered computing device to establish a communications session with a second registered computing device;
  
  receive from the first registered computing device a first short-term authentication credential of the first registered computing device and a second short-term authentication credential of the second registered computing device;
  
  authenticate the first registered computing device by sending the first registered computing device an authentication challenge, receiving an authentication challenge response from the first registered computing device, and using the received first short-term authentication credential of the first computing device to determine whether the authentication challenge response is a correct response to the authentication challenge; and
  
  when the first registered computing device is authenticated, send to the first registered computing device a session credential for use in completing establishment of the communications session with the second registered computing device.
- View Dependent Claims (34, 35)
- - 34. The system of claim 33 wherein the first registered computing device is configured to:
    - send a request for the second short-term authentication credential to the second registered computing device; and
      
      receive the second short-term authentication credential of the second registered computing device from the second registered computing device.
  - 35. The system of claim 33 wherein the short-term authentication credential of the first registered computing device comprises a cryptographic key, the authentication challenge comprises a non-repeatable number, the authentication challenge response comprises the non-repeatable number encrypted using the cryptographic key, and the processor is further configured to:
    - encrypt the non-repeatable number using the cryptographic key;
      
      compare the encrypted non-repeatable number with the received encrypted non-repeatable number of the authentication challenge response; and
      
      determine that the authentication challenge response is a correct response when the encrypted non-repeatable number matches the encrypted non-repeatable number of the authentication challenge response.

36. A system for establishing a communications session between two computing devices connected to a network, the system comprising a processor connected to a storage device and one or more input/output devices, wherein the processor is configured to:
- receive a request from a first registered computing device to establish a communications session with a second registered computing device;
  
  receive from the first registered computing device a first short-term authentication credential of the first registered computing device;
  
  authenticate the first registered computing device by sending the first registered computing device an authentication challenge, receiving an authentication challenge response from the first registered computing device, and using the received first short-term authentication credential of the first computing device to determine whether the authentication challenge response is a correct response to the authentication challenge;
  
  determine whether the first registered computing device is permitted to establish the communications session with the second registered computing device; and
  
  when the first registered computing device is authenticated and permitted to establish the communications session with the second registered computing device;
  
  send to the first registered computing device a network address associated with the second registered computing device for use in completing establishment of the communications session with the second registered computing device,receive from the first registered computing device a second short-term credential of the second registered computing device, andsend to the first registered computing device a session credential for use in completing establishment of the communications session with the second registered computing device.
- View Dependent Claims (37, 38, 39)
- - 37. The system of claim 36 wherein the first registered computing device is configured to send the session credential to the second registered computing device for use in completing establishment of the communications session with the second registered computing device.
  - 38. The system of claim 37 wherein the first registered computing device is further configured to:
    - send a request for the second short-term authentication credential to the second registered computing device; and
      
      receive the second short-term authentication credential of the second registered computing device from the second registered computing device.
  - 39. The system of claim 36 wherein the processor is further configured to:
    - determine policy information for use in the communications session between the first registered computing device and the second registered computing device; and
      
      when the first registered computing device is authenticated and permitted to establish a communications session with the second registered computing device, send the policy information to the first registered computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ConnecTerra, Inc. (Oracle Corporation)
Original Assignee
ConnecTerra, Inc. (Oracle Corporation)
Inventors
Douglas, David C., Traub, Kenneth R., Birger, Chet, Rosenthal, Steven

Application Number

US11/567,508
Publication Number

US 20090007234A1
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

H04L 61/50   Address allocation

H04L 63/0492   by using a location-limited...

H04L 67/125   involving control of end-de...

H04L 67/52   specially adapted for the l...

H04W 12/02   Protecting privacy or anony...

COMPUTER SYSTEM FOR AUTHENTICATING A COMPUTING DEVICE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

162 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

COMPUTER SYSTEM FOR AUTHENTICATING A COMPUTING DEVICE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

162 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links