Transparent Client Authentication

US 20100100946A1
Filed: 09/17/2009
Published: 04/22/2010
Est. Priority Date: 10/16/2008
Status: Active Grant

First Claim

Patent Images

1. A method for registering an application to a service for later re-authentication comprising:

sending from the server to the application a service identifier;

receiving at the server an application-service identifier based upon the service identifier and an application identifier;

receiving at the server from the application an application-service key based upon the service identifier and a secret application key; and

storing at the server the application-service identifier and the application-service key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for authenticating an application (client) to a server or service. During a registration phase, an application that requests access to a service can receive a service identifier, which it can authenticate. The application can generate and send to the server or service an application-service key that is based upon the authenticated service identifier and a secret application key; a service-application identifier that can be based upon the authenticated service identifier and an application identifier; and a registration nonce, all of which can be stored at the server. During the authentication phase, the client can send to the server the application-service identifier, which the server can use to lookup the stored registration data. The server can send the registration nonce to the client, which can compute a proof of possession of the service-application key and send to the server. The server can compute its own version of this key and compare it to the received key. If they correspond, then the client is authenticated.

Citations

33 Claims

1. A method for registering an application to a service for later re-authentication comprising:
- sending from the server to the application a service identifier;
  
  receiving at the server an application-service identifier based upon the service identifier and an application identifier;
  
  receiving at the server from the application an application-service key based upon the service identifier and a secret application key; and
  
  storing at the server the application-service identifier and the application-service key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the application-service identifier is a message authentication code generated from the application identifier and the service identifier.
  - 3. The method of claim 1, wherein the application-service identifier is a message digest.
  - 4. The method of claim 1, wherein the application-service key is a message authentication code generated from the service identifier and the secret application key.
  - 5. The method of claim 1, further comprising receiving at the server from the application a registration nonce and storing at the server the registration nonce.
  - 6. The method of claim 5, wherein the application-service key is further based upon the registration nonce.
  - 7. The method of claim 5, wherein the application-service key is a message authentication code generated from the service identifier, the secret application key and the registration nonce.
  - 8. The method of claim 1, wherein an application is a type of application.
  - 9. The method of claim 1, wherein an application is a specific instance of an application installed on a particular computer.
  - 10. The method of claim 1, wherein an application is a specific instance of a running application.

11. A method for re-authenticating a previously-registered application for later re-authentication, comprising:
- sending from the server to the application a service identifier;
  
  receiving at the server an application-service identifier based upon the service identifier and an application identifier;
  
  receiving from the application proof of possession of the secret application key based upon the application-service identifier and the application-service key;
  
  computing an expected value of the proof of possession of the secret application key and comparing it with the received proof of possession of the secret application key; and
  
  if the expected proof of possession of the secret application key corresponds to the received proof of possession of the secret application key, then determining that the application is authentic.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The method of claim 11, further comprising receiving an application nonce and wherein the proof of possession of the secret application key is further based upon the application nonce.
  - 13. The method of claim 11, further comprising looking up a registration nonce received at the server from the application during registration and sending the registration nonce to the application and wherein the proof of possession of the secret application key is further based upon the registration nonce.
  - 14. The method of claim 12, wherein the proof of possession of the secret application key is a message authentication code generated from the application nonce, the application-service identifier and the application-service key.
  - 15. The method of claim 13, wherein the application-service key is based upon the registration nonce, the service identifier and the secret application key.
  - 16. The method of claim 11, wherein an application is a type of application.
  - 17. The method of claim 11, wherein an application is a specific instance of an application installed on a particular computer.
  - 18. The method of claim 11, wherein an application is a specific instance of a running application.

19. A system for re-authenticating a previously-registered application for later re-authentication, comprising:
- a communications module in communication with an application for sending to the application an service identifier, receiving from the application an application-service identifier that is based upon the service identifier and an application identifier and receiving from the application a proof of possession of the secret application key based upon the application-service identifier and an application-service key;
  
  a lookup module;
  
  a memory in communication with the lookup module, the memory storing an application-service identifier and an application-service key; and
  
  an authentication module in communication with the communications module and the lookup module, the authentication module computing an expected value of the proof of possession of the secret application key based upon the application-service identifier and the application-service key received from the lookup module and comparing it with the received proof of possession of the secret application key to determine if the application is authentic.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 20. The system of claim 19, wherein the application-service identifier is a message authentication code generated from the application identifier and the service identifier.
  - 21. The system of claim 19, wherein the application-service identifier is a message digest.
  - 22. The system of claim 19, wherein the application-service key is a message authentication code generated from the service identifier and the secret application key.
  - 23. The system of claim 19, further comprising receiving at the communications module from the application a registration nonce and storing the registration nonce in the memory.
  - 24. The system of claim 23, wherein the application-service key is further based upon the registration nonce.
  - 25. The system of claim 23, wherein the application-service key is a message authentication code generated from the service identifier, the secret application key and the registration nonce.
  - 26. The system of claim 19, wherein an application is a type of application.
  - 27. The system of claim 19, wherein an application is a specific instance of an application installed on a particular computer.
  - 28. The system of claim 19, wherein an application is a specific instance of a running application.
  - 29. The system of claim 19, wherein the communications module, the lookup module, the memory and the authentication module are implemented in an embedded system.
  - 30. The system of claim 19, wherein the communications module receives an application nonce and wherein the proof of possession of the secret application key is further based upon the application nonce.
  - 31. The system of claim 23, wherein the lookup module looks up the registration nonce received at the server from the application during registration and the communications module sends the registration nonce to the application and wherein the proof of possession of the secret application key is further based upon the registration nonce.
  - 32. The system of claim 30, wherein the proof of possession of the secret application key is a message authentication code generated from the application nonce, the application-service identifier and the application-service key.
  - 33. The system of claim 23, wherein the application-service key is based upon the registration nonce, the service identifier and the secret application key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VeriSign, Inc.
Original Assignee
VeriSign, Inc.
Inventors
Hallam-Baker, Phillip Martin

Granted Patent

US 8,402,519 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

H04L 63/06   for supporting key manageme...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

Transparent Client Authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Transparent Client Authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links