MOBILE DEVICE ASSISTED SECURE COMPUTER NETWORK COMMUNICATION

US 20090287921A1
Filed: 05/16/2008
Published: 11/19/2009
Est. Priority Date: 05/16/2008
Status: Active Grant

First Claim

Patent Images

1. In a system comprising a server which is in communication with a client computer over a computer network, and a user'"'"'s mobile device which is in communication with the client computer, a process for conducting communications over the computer network, the process comprising using said client computer to perform the following process actions:

facilitating an authentication by the server of the user who is attempting to access a network site associated with the server, wherein said facilitation comprises,receiving a representation of a secret value from the mobile device, wherein the mobile device generates the secret value representation whenever needed, and wherein the server knows the secret value,combining the secret value representation and a password which is entered into the client computer by the user and known to the server, to produce a combined representation,transmitting the combined representation to the server for use in determining if the password and secret value known to the server were used to generate the combined representation, andreceiving a notice from the server as to whether access to said network site has been granted or not, wherein access is granted only if the password and secret value known to the server were used to generate the combined representation; and

informing the user as to whether access to said network site has been granted or not.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Mobile device assisted secure computer network communications embodiments are presented that employ a mobile device (e.g., a mobile phone, personal digital assistant (PDA), and the like) to assist in user authentication. In general, this is accomplished by having a user enter a password into a client computer which is in contact with a server associated with a secure Web site. This password is integrated with a secret value, which is generated in real time by the mobile device. The secret value is bound to both the mobile device'"'"'s hardware and the secure Web site being accessed, such that it is unique to both. In this way, a different secret value is generated for each secure Web site accessed, and another user cannot impersonate the user and log into a secure Web site unless he or she knows the password and possesses the user'"'"'s mobile device simultaneously.

377 Citations

20 Claims

1. In a system comprising a server which is in communication with a client computer over a computer network, and a user'"'"'s mobile device which is in communication with the client computer, a process for conducting communications over the computer network, the process comprising using said client computer to perform the following process actions:
- facilitating an authentication by the server of the user who is attempting to access a network site associated with the server, wherein said facilitation comprises,receiving a representation of a secret value from the mobile device, wherein the mobile device generates the secret value representation whenever needed, and wherein the server knows the secret value,combining the secret value representation and a password which is entered into the client computer by the user and known to the server, to produce a combined representation,transmitting the combined representation to the server for use in determining if the password and secret value known to the server were used to generate the combined representation, andreceiving a notice from the server as to whether access to said network site has been granted or not, wherein access is granted only if the password and secret value known to the server were used to generate the combined representation; and
  
  informing the user as to whether access to said network site has been granted or not.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The process of claim 1, wherein the process action of receiving a representation of a secret value from the mobile device, comprises the actions of:
    - receiving from the server, a server identification and a server challenge number generated by the server;
      
      prompting the user to enter a user identification and password via a user interface of the client computer, wherein the password is known by the server;
      
      inputting said user identification and password, and forwarding the server identification, user identification and server challenge number to the mobile device; and
      
      receiving from the mobile device, a mobile device challenge number which was generated by the mobile device and said secret value representation.
  - 3. The process of claim 2, wherein the process action of transmitting the combined representation to the server, further comprises an action of transmitting the user identification and the mobile device challenge number along with the combined representation.
  - 4. The process of claim 1, further comprising, whenever a notice is received from the server granting access to the network site, the process actions of:
    - receiving from the server, a server authentication value for the client computer comprising a combination of the password and a server-generated version of the secret value representation;
      
      determining if the password input by the user and the secret value representation passed from the mobile device were used by the server in generating the server authentication value;
      
      only allowing the user to access said network site if the password input by the user and the secret value representation passed from the mobile device were used by the server in generating the server authentication value; and
      
      whenever the passwords match and the secret value representations match, forwarding the server-generated version of the secret value representation to the mobile device.
  - 5. The process of claim 1, further comprising the actions of:
    - monitoring the status of a communication session between the client computer and the server, and noting the storage location of cookies, temporary files and cached data associated with the session;
      
      monitoring the communication link between the client computer and the mobile device;
      
      whenever it is found that the session between the client computer and the server has been closed, deleting any cookies, temporary files and cached data associated with the closed session;
      
      whenever it is found that the session between the client computer and the server is still open, but that the communication link between the client computer and the mobile device is lost for more than a prescribed period of time,closing the session between the client computer and the server, anddeleting any cookies, temporary files and cached data associated with the closed session.

6. In a system comprising a server which is in communication with a client computer over a computer network, and a mobile device which is in the possession of a user of the client computer and which is in communication with the client computer, a process for conducting communications over the computer network, the process comprising using said mobile device to perform the following process actions:
- facilitating an authentication by the server of the user who is attempting to access a network site associated with the server, wherein said facilitation comprises,generating a representation of a secret value, wherein the mobile device generates the secret value representation whenever needed, and wherein the server knows the secret value, andforwarding the secret value representation to the client computer for use in combining the secret value representation and a password which is entered into the client computer by the user and known to the server, to produce a combined representation, which is then transmitted to the server for use in determining if the password and secret value known to the server were used to generate the combined representation.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13)
- - 7. The process of claim 6, wherein the process action of generating the secret value representation, comprises the actions of:
    - receiving from the server via the client computer a server identification and server challenge number;
      
      generating the secret value;
      
      generating a mobile device challenge number using the secret value;
      
      generating a session key comprising a combination of a user identification, the server identification, the server challenge number, the mobile device challenge number, and a verification value created from the server challenge number and a number generated by the mobile device; and
      
      generating the secret value representation as a combination comprising the session key and the user and server identifications.
  - 8. The process of claim 7, wherein the mobile device comprises an unique identification number, and wherein the process action of generating the secret value, comprises the action of:
    - retrieving a hidden number stored by the mobile device, wherein the hidden number is unique to the mobile device; and
      
      generating the secret value as a combination of the hidden number, a site identification which is unique to the network site the user is attempting to access, and the mobile device identification number, such that the secret value is unique to the mobile device and the network site the user is attempting to access.
  - 9. The process of claim 7, wherein the process action of generating the mobile device challenge number using the secret value, comprises the actions of:
    - randomly choosing a number n from prescribed set of numbers Z*_q;
      
      computing gⁿ^mmod p wherein g is a prescribed number in Z*_qwith order q, and wherein p and q are large prime numbers such that q|p−
      
      1;
      
      computing ε
      
      _l(gⁿ^m) wherein ε
      
      _l(·
      
      ) is one of a pair of prescribed symmetric encryption algorithms with l as the secret key, and wherein l is the secret value; and
      
      designating the result of the ε
      
      _l(gⁿ^m) computation as the mobile device challenge number; and
      
      whereinthe verification value is computed as the server challenge number raised to the n_mpower modulo p.
  - 10. The process of claim 7, further comprising, whenever the server has granted access to the network site, the process actions of:
    - receiving from the server via the client computer, a server authentication value for the mobile device comprising a combination of the user identification, the server identification and a server-generated version of the session key;
      
      deriving a mobile device-generated version of the session key;
      
      ensuring that the mobile device-generated session key matches the server-generated version of the session key used in generating the server authentication value; and
      
      only allowing communication of prescribed high security data between the server and the mobile device via the client computer if the mobile device-generated session key matches the server-generated version of the session key.
  - 11. The process of claim 10, wherein the process action of only allowing communication of prescribed high security data between the server and the mobile device via the client computer if the mobile device-generated session key matches the server-generated version of the session key, further comprises the actions of:
    - receiving high security data from the server via the client computer which is encrypted using a security protocol employing the previously generated session key, said receiving comprising,inputting the server-encrypted high security data, anddecrypting the high security data, which has been encrypted by the server via said security protocol comprising generating a combination of a time value, a nonce chosen by the server and the high security data, and applying one of a pair of prescribed symmetric encryption algorithms having the session key as its secret key, to the generated combination, to produce the server-encrypted high security data, wherein the decrypting comprises,applying the one of said pair of prescribed symmetric encryption algorithms, which was not employed by the server to encrypt the high security data, to the inputted server-encrypted high security data, andderiving the time value, nonce and high security data from the decrypted combination; and
      
      transmitting secure feedback to the server in response to the previously received high security data, said transmitting comprising,generating a combination of the previously received nonce and the feedback it is desired to send to the server,applying one of said pair of prescribed symmetric encryption algorithms having the session key as its secret key, to the generated combination, to produce the secure feedback, andtransmitting the secure feedback to the server via the client computer.
  - 12. The process of claim 6, wherein the process action of generating the secret value representation, comprises the actions of:
    - receiving from the server via client computer a server identification and server challenge number;
      
      generating the secret value;
      
      generating a mobile device challenge number;
      
      generating a server verification value in the form of a combination comprising a user identification, the server identification, the secret value and the server challenge number;
      
      generating a mobile device verification value in the form of a combination comprising the user identification, the server identification, the secret value and the mobile device challenge number;
      
      generating a session key comprising a combination of the user identification, the server identification, the server verification value, and mobile device verification value; and
      
      generating the secret value representation as a combination comprising the session key and the user and server identifications.
  - 13. The process of claim 12, further comprising, whenever the server has granting access to the network site, the process actions of:
    - receiving from the server via the client computer, a server authentication value for the mobile device comprising a combination of the user identification, the server identification and a server-generated version of the session key;
      
      deriving a mobile device-generated version of the session key;
      
      ensuring that the mobile device-generated session key matches the server-generated version of the session key used in generating the server authentication value; and
      
      only allowing communication of prescribed high security data between the server and the mobile device via the client computer if the mobile device-generated session key matches the server-generated version of the session key.

14. In a system comprising a server which is in communication with a client computer over a computer network, and a mobile device which is in the possession of a user of the client computer and which is in communication with the client computer, a process for conducting communications over the computer network, the process comprising using said server to perform the following process actions:
- authenticating the user who is attempting to access a network site associated with the server, wherein said authenticating comprises,generating a challenge number,providing a server identification and the server-generated challenge number to the mobile device via the client computer;
  
  receiving a user identification, a mobile device-generated challenge number and a combined representation from the client computer, wherein the combined representation is a combination comprising the user identification, the server identification, a mobile device-generated secret value representation, and a password which was entered into the client computer by the user, and wherein a secret value used to create components of the combined representation, as well as the password, are known to the server,computing a session key comprising a combination of the user identification, the server identification, a plurality of unique numbers which are generated by the server and mobile device,computing a server version of the secret value representation as a combination comprising the session key, the user identification and the server identification,computing a server version of the combined representation using the user identification, the server identification, the server version of the secret value representation, and the password known to the server,comparing the server version of the combined representation to the combined representation received from the client computer,determining if the password and secret value known to the server were used to generate the combined representation received from the client computer, andtransmitting a notice to the client computer as to whether access to said network site has been granted or not, wherein access is granted only if the password and secret value known to the server were used to generate the combined representation received from the client computer.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The process of claim 14, wherein the process action of computing the session key, comprises the action of:
    - deriving a mobile device-generated authentication number from the mobile device-generated challenge number using the secret value known to the server; and
      
      computing the session key comprising a combination of the user identification, the server identification, the server-generated challenge number, the mobile device-generated challenge number, and a verification value created from the server challenge number and the mobile device-generated authentication number.
  - 16. The process of claim 15, wherein:
    - the process action of deriving the mobile device-generated authentication number from the mobile device-generated challenge number (X_m) using the secret value known to the server, comprises the actions of,computing D_l(X_m) wherein D_l(·
      
      ) is the one of a pair of prescribed symmetric encryption algorithms having l as the secret key that was not used by the mobile device to generate the mobile device-generated challenge number, and wherein l is the secret value known to the server, anddesignating the result of the D_l(X_m) computation as mobile device-generated authentication number gⁿ^m; and
      
      whereinthe process action of generating the server-generated challenge number, comprises the actions of,randomly choosing a number n_sfrom prescribed set of numbers Z*_q, andcomputing gⁿ^smod p wherein g is a prescribed number in Z*_qwith order q, and wherein p and q are large prime numbers such that q|p−
      
      1.
  - 17. The process of claim 14, further comprising, whenever a notice is transmitted granting access to the network site, a process action of transmitting a server authentication value to the client computer comprising a combination of the password known to the server and the server-generated version of the secret value representation, such that the server authentication value can be used by the client computer to verify that the password used in generating the server-generated combination matches the password entered by the user, and that the mobile device-generated secret value representation matches the server-generated version of the secret value representation used in generating the server-generated combination, thereby proving the authenticity of the server.
  - 18. The process of claim 14, further comprising, whenever a notice is transmitted granting access to the network site, a process action of transmitting the server-generated version of the secret value representation to the mobile device via the client computer, such that the server-generated version of the secret value representation can be used by the mobile device to verify that the mobile device-generated secret value representation matches the server-generated version of the secret value representation, thereby proving the authenticity of the server.
  - 19. The process of claim 14, wherein the process action of computing the session key, comprises the action of:
    - generating a server verification value in the form of a combination comprising the user identification, the server identification, the secret value and the server challenge number;
      
      generating a mobile device verification value in the form of a combination comprising the user identification, the server identification, the secret value and the mobile device challenge number; and
      
      generating the session key comprising a combination of the user identification, the server identification, the server verification value, and mobile device verification value.
  - 20. The process of claim 14, further comprising, whenever a notice is transmitted granting access to the network site, the process actions of:
    - transmitting data previously identified as high security data to the mobile device via the client computer using a security protocol employing the previously computed session key, said transmitting comprising,choosing a nonce,generating a combination of a current time value, the nonce and the high security data being transmitted,applying one of a pair of prescribed symmetric encryption algorithms having the session key as its secret key to the generated combination, to produce a secure transmission, andtransmitting the secure transmission to the mobile device via the client computer; and
      
      .receiving secure feedback from the mobile device in response to the previously transmitted secure transmission which has been encrypted by the mobile device using said security protocol employing the previously computed session key, said receiving comprising,inputting the mobile device-encrypted secure feedback, anddecrypting the secure feedback, which has been encrypted by the mobile phone via said security protocol comprising generating a combination of the nonce and feedback, and applying one of said pair of prescribed symmetric encryption algorithms having the session key as its secret key, to the generated combination, to produce the secure feedback, wherein the decrypting comprises,applying the one of said pair of prescribed symmetric encryption algorithms, which was not employed by the mobile device to encrypt the secure feedback, to the encrypted secure feedback, andderiving the nonce and feedback from the decrypted combination,comparing the derived nonce to the nonce chosen by the server and used in the producing the secure transmission to ensure the nonces match, andwhenever the nonces match, accepting the feedback.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Shao, Jun, Yin, Xu, Zhang, Yao, Zhu, Bin, Yang, Yang, Feng, Min

Granted Patent

US 8,209,744 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/155
CPC Class Codes

G06Q 10/02   Reservations, e.g. for tick...

H04L 2463/082   applying multi-factor authe...

H04L 63/0838   using one-time-passwords

H04L 63/0853   using an additional device,...

H04L 63/0869   for achieving mutual authen...

H04L 63/18   using different networks or...

MOBILE DEVICE ASSISTED SECURE COMPUTER NETWORK COMMUNICATION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

377 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

MOBILE DEVICE ASSISTED SECURE COMPUTER NETWORK COMMUNICATION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

377 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others