AUTHENTICATION CERTIFICATE MANAGEMENT FOR ACCESS TO A WIRELESS COMMUNICATION DEVICE

US 20090113543A1
Filed: 10/30/2007
Published: 04/30/2009
Est. Priority Date: 10/25/2007
Status: Abandoned Application

First Claim

Patent Images

1. A method for authenticating a user to a user device, the method comprising:

verifying, using authentication information stored at a user device, data received in association with a request for access to the user device and checking a status indicator stored at the user device and associated with the authentication information to determine whether the authentication information is valid;

allowing access to the user device if the data received in association with the request for access is verified and the status indicator indicates that the authentication information is valid; and

updating the status indicator on an intermittent basis when the user device is in communication with an authentication information status source.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for authenticating a user to a user device using one or more-factor authentication with a certificate are provided. The status of the certificate is stored at the user device such that the stored status is queried during the authentication process. The status is updated as a background operation on the user device on a periodic basis. In the event that the user device fails to obtain updated status information, further status update requests are issued by the user device at varying time intervals until a response is received. In the event that the user is authenticated to the device but the certificate is subsequently revoked, access to all or a subset of user data and functions on the user device may be restricted.

Citations

25 Claims

1. A method for authenticating a user to a user device, the method comprising:
- verifying, using authentication information stored at a user device, data received in association with a request for access to the user device and checking a status indicator stored at the user device and associated with the authentication information to determine whether the authentication information is valid;
  
  allowing access to the user device if the data received in association with the request for access is verified and the status indicator indicates that the authentication information is valid; and
  
  updating the status indicator on an intermittent basis when the user device is in communication with an authentication information status source.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein updating the status indicator is repeated at a first predetermined time interval, and further comprises:
    - if the user device is in communication with a network providing access to the authentication information status source,transmitting a request for status information for the authentication information to the authentication information status source;
      
      if a response to the request comprising status information is received, updating the status indicator with the received status information.
  - 3. The method of claim 2, wherein updating the status indicator further comprises:
    - if a response to the request is not received, repeating the act of updating the status indicator after a second predetermined time interval shorter than the first predetermined time interval.
  - 4. The method of claim 3, wherein updating the status indicator further comprises:
    - if a response to the repeated act of updating the status indicator is not received, further repeating the updating of the status indicator after a further predetermined time interval, wherein the further predetermined time interval is greater than the second predetermined time interval.
  - 5. The method of claim 3, wherein if a response to the request is received in response to the repeated act of updating the status indicator, further repeating the updating of the status indicator at the first predetermined time interval.
  - 6. The method of claim 4, wherein the further predetermined time interval is at least twice the duration of a previous predetermined time interval.
  - 7. The method of claim 3, further comprising:
    - if the user device is not in communication with a network providing access to the authentication information status source,intermittently attempting to transmit a request for status information for the authentication information to the authentication information status source at increasing time intervals until a response to the request is received.
  - 8. The method of claim 1, wherein the authentication information comprises public key data, and wherein the act of verifying data received in association with a request for access to the user device further comprises:
    - providing an authentication token storing private key data;
      
      transmitting a challenge to the authentication token;
      
      receiving from the authentication token a response comprising the challenge signed using the private key data; and
      
      verifying the response using the public key data, such that the user is authenticated if the response is verified and the status indicator indicates that the certificate comprising the public key data is valid.
  - 9. The method of claim 8, wherein transmitting to and receiving from the authentication token are executed using an authentication token access device in communication with the user device and the authentication token, wherein the authentication token access device is separate from the user device.
  - 10. The method of claim 9, wherein allowing access to the user device further comprises allowing said access if a user-entered password is also verified.
  - 11. The method of claim 2, wherein if the status indicator indicates that the authentication information is not valid, further comprising denying the user access to the user device.
  - 12. The method of claim 11, wherein the authentication information is valid if it is at least one of:
    - not expired;
      
      either on hold or not revoked;
      
      or trusted.
  - 13. The method of claim 12, wherein the authentication information comprises a certificate and wherein the status indicator comprises one of:
    - a subset of a Certificate Revocation List and a response from a certificate status source.
  - 14. The method of claim 12, wherein the status indicator comprises:
    - a timestamp indicating a latest time at which the status indicator had been refreshed, an identifier of an authentication information status source, andstatus information associated with the authentication information.

15. A computer-readable medium comprising code executable by a computing device for causing said computing device to:
- verify, using authentication information stored at a user device, data received in association with a request for access to the user device and checking a status indicator stored at the user device and associated with the authentication information to determine whether the authentication information is valid;
  
  allow access to the user device if the data received in association with the request for access is verified and the status indicator indicates that the authentication information is valid; and
  
  update the status indicator on an intermittent basis when the user device is in communication with an authentication information status source.

16. An authentication system for a user device, the authentication system comprising:
- a memory storing authentication information for authenticating a user to the user device and for storing a status indicator comprising status information associated with the authentication information;
  
  a status checking module for checking the status indicator stored in association with the authentication information, wherein the user is allowed access to the user device if the user is authenticated wherein the status indicator indicates that the authentication information is valid; and
  
  an updating module for transmitting a request for status information for the authentication information to a authentication information status source periodically at a first predetermined time interval, receiving a response comprising status information in response to the request, and updating the stored status indicator with the received status information.

20. The authentication system of claim 20, wherein the authentication module is configured to lock the user out of the user device if the stored status indicator indicates that the certificate used to authenticate the user is not valid.
- View Dependent Claims (17, 18, 19, 21, 22, 24)
- - 17. The authentication system of claim 20, wherein the updating module is configured to transmit a further request for status information at a further predetermined time interval if a response to a previous request is not received, wherein the further predetermined time interval is less than the first predetermined time interval.
  - 18. The authentication system of claim 21, wherein a second further predetermined time interval is twice the duration of a first further predetermined time interval.
  - 19. The authentication system of claim 20,wherein the authentication information is a certificate comprising public key data, andfurther comprising an authentication module, wherein the authentication module is configured to:
    - transmit a challenge to an authentication token,receive from the authentication token a response comprising the challenge signed using private key data stored at the authentication token, andverify the response using the public key data, such that the user is authenticated if the response is verified and the status indicator indicates that the certificate is valid.
  - 21. The authentication system of claim 20, wherein the authentication module is configured to issue a user-invoked request for status information for the certificate to the certificate status source.
  - 22. The authentication system of claim 20, wherein the certificate is valid if it is at least one of:
    - not expired;
      
      either on hold or not revoked;
      
      or trusted.
  - 24. The authentication system of claim 20 wherein the authentication system is resident on a wireless communication device.

23. The authentication system of claim 23, wherein the authentication module is further configured to verify a user-entered password, such that the user is authenticated if the response is verified, the status indicator indicates that the certificate is valid, and the user-entered password is also verified.

25. A method for managing secure access to a wireless communication device, the method comprising:
- receiving a request to authenticate a security token;
  
  determining, using authentication certificate status information, whether an authentication certificate is revoked, wherein the authentication certificate comprises public key data and wherein both the authentication certificate and the authentication certificate status information are locally stored at the wireless communication device;
  
  authenticating the security token using the locally stored authentication certificate if the locally stored authentication certificate is determined to be not revoked; and
  
  requesting authentication certificate status information from a remotely located certificate status source via a wireless communication link,wherein the act of requesting authentication certificate status information is automatically performed periodically according to a predetermined time interval.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Research In Motion Limited (Blackberry Limited)
Inventors
Adams, Neil P., Brown, Michael K., Little, Herbert A.

Application Number

US11/928,679
Publication Number

US 20090113543A1
Time in Patent Office

Days
Field of Search
US Class Current

726/18
CPC Class Codes

G06F 21/33   using certificates

G06F 21/35   communicating wirelessly

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 2209/80   Wireless

H04L 2463/082   applying multi-factor authe...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 9/3234   involving additional secure...

H04L 9/3268   using certificate validatio...

H04L 9/3271   using challenge-response

H04W 12/082   using revocation of authori...

AUTHENTICATION CERTIFICATE MANAGEMENT FOR ACCESS TO A WIRELESS COMMUNICATION DEVICE

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

AUTHENTICATION CERTIFICATE MANAGEMENT FOR ACCESS TO A WIRELESS COMMUNICATION DEVICE

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links