Method And Apparatus For Trusted Federated Identity

US 20120072979A1
Filed: 02/09/2011
Published: 03/22/2012
Est. Priority Date: 02/09/2010
Status: Active Grant

First Claim

Patent Images

20-1. The method of claim 29, wherein the trusted computing environment is one of a universal integrated circuit card (UICC), a subscriber identity module (SIM), a machine to machine (M2M) device, a smart card, or a java card, a global platform smartcard, or secure integrated chip card (ICC).

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A trusted computing environment, such as a smartcard, UICC, Java card, global platform, or the like may be used as a local host trust center and a proxy for a single-sign on (SSO) provider. This may be referred to as a local SSO provider (OP). This may be done, for example, to keep authentication traffic local and to prevent over the air communications, which may burden an operator network. To establish the OP proxy in the trusted environment, the trusted environment may bind to the SSO provider in a number of ways. For example, the SSO provider may interoperate with UICC-based UE authentication or GBA. In this way, user equipment may leverage the trusted environment in order to provide increased security and reduce over the air communications and authentication burden on the OP or operator network.

272 Citations

47 Claims

20-1. The method of claim 29, wherein the trusted computing environment is one of a universal integrated circuit card (UICC), a subscriber identity module (SIM), a machine to machine (M2M) device, a smart card, or a java card, a global platform smartcard, or secure integrated chip card (ICC).

25. A method for protecting a user environment and/or the local assertion entity (LAE) to authenticate a user for a relying party (RP) in an open management security protocol, the method comprising:
- receiving an indication from the RP via a user interface that the RP wishes to authenticate the user, the RP being capable of communicating with a trusted provider of single sign-on (SSO) credentials;
  
  receiving user credentials from the user through the user interface;
  
  authenticating the user with the received user credentials for the RP to perform at least some functions of the trusted provider of SSO credentials locally to limit communications outside the user environment during the authentication process; and
  
  transmitting an authentication response via the user interface to the RP.
- View Dependent Claims (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 26, 27, 28, 29, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47)
- - 1. A user environment for enabling an open management security protocol to enable a relying party (RP) to authenticate a user, the user environment comprising:
    - a user interface that communicates with the RP using a single sign-on security protocol to request access to a service provided by the RP on behalf of a user, and wherein the RP communicates with a trusted provider of single sign-on credentials to initiate an authentication of the user; and
      
      a processor that authenticates the user within the user environment for the trusted provider, the processor configured to perform at least some functions of the trusted provider of single sign-on credentials locally to limit communications outside the user environment during the authentication process.
  - 2. The user environment of claim 1, wherein the user interface receives an indication from the RP that the RP wishes to authenticate the user.
  - 3. The user environment of claim 1, wherein the user interface receives a redirection message from the RP, the redirection message instructing the user interface to authenticate the user.
  - 4. The user environment of claim 1, wherein the user interface receives user credentials from the user.
  - 5. The user environment of claim 1, wherein the processor is a trusted computing environment.
  - 6. The user environment of claim 5, wherein the user interface is protected in whole or part by the trusted computing environment
  - 7. The user environment of claim 5, wherein the trusted computing environment transmits an authentication response to the RP when the user has been authenticated.
  - 8. The user environment of claim 5, wherein the trusted computing environment is one of a Universal Integrated Circuit Card (UICC), a subscriber identity module (SIM), a machine to machine (M2M) device, a smart card, a java card, a GlobalPlatform smart card, or a secure integrated chip card (ICC).
  - 9. The user environment of claim 5, wherein the trusted computing environment is implemented using a secure web server.
  - 10. The user environment of claim 5, wherein the trusted computing environment shares a secret with an OpenID provider.
  - 11. The user environment of claim 5, wherein the trusted computing environment calculates a signature and provides the signature to the RP via the user interface to allow the RP to verify the credentials of the trusted computing environment.
  - 12. The user environment of claim 5, wherein the trusted computing environment calculates a signature and provides the signature to the OP via the user interface to allow the OP to verify the credentials of the trusted computing environment.
  - 13. The user environment of claim 10, wherein the trusted computing environment calculates a signature based on the secret and provides the signature to the RP via the user interface to allow the RP to verify the credentials of the trusted computing environment.
  - 14. The user environment of claim 10, wherein the trusted computing environment calculates a signature based on the secret and provides the signature to the OP via the user interface to allow the OP to verify the credentials of the trusted computing environment.
  - 15. The user environment of claim 5, wherein the trusted computing environment establishes a shared secret with the OP via the user interface.
  - 16. The user environment of claim 15, wherein the user interface receives an authentication request from the RP that includes an association handle and provides the association handle to the trusted computing environment.
  - 17. The user environment of claim 15, wherein the user interface receives a redirect message from the trusted computing environment that includes an association handle and provides the association handle to the RP.
  - 18. The user environment of claim 16, wherein the trusted computing environment generates a signature based upon the shared secret and generates an authentication response that includes the signature and the association handle.
  - 19. The user environment of claim 18, wherein the user interface provides the authentication response generated by the trusted computing environment to the RP.
  - 20. The user environment of claim 1, wherein the integrated circuit generates a signature and receives a signature assertion message from the OP.
  - 21. The user environment of claim 20, wherein the integrated circuit transmits a signature response message to the RP.
  - 22. The user environment of claim 1, wherein the user interface and the integrated circuit are on the same device.
  - 23. The user environment of claim 1, wherein the user interface and the integrated circuit are on separate devices.
  - 24. The method of claim 1, wherein authenticating the user is performed by verifying the user through a password or PIN code, a biometric identity, a token or combinations thereof.
  - 26. The method of claim 25, wherein the LAE is within a trusted computing environment.
  - 27. The method of claim 26, wherein the indication is a redirection message.
  - 28. The method of claim 27, wherein the redirection message instructs the user interface to use the trusted computing environment to authenticate the user.
  - 29. The method of claim 27, wherein authenticating the user is performed via a trusted computing environment.
  - 31. The method of claim 26, wherein the authentication response is transmitted when the user has been authenticated.
  - 32. The method of claim 26, wherein authenticating the user with the trusted computing environment, occurs through the use of a secure web server such as a smart card web server (SCWS).
  - 33. The method of claim 26, further comprising sharing a secret with an open management security provider associated with a mobile network operator (MNO).
  - 34. The method of claim 26, further comprising sharing a secret with an OpenID provider associated with a mobile network operator (MNO).
  - 35. The method of claim 29, further comprising calculating a signature and providing the signature to the RP via the user interface to allow the RP to verify the credentials of the trusted computing environment.
  - 36. The method of claim 35, further comprising establishing a shared secret with the RP via the user interface.
  - 37. The method of claim 36, further comprising receiving an association handle from the RP.
  - 38. The method of claim 37, further comprising generating a signature based upon the shared secret and generating an authentication response that includes the signature and the association handle.
  - 39. The method of claim 38, further comprising receiving a signature assertion message from the RP.
  - 40. The method of claim 39, further comprising transmitting a signature response message to the RP.
  - 41. The method of claim 29, further comprising calculating a signature and providing the signature to the OP via the user interface to allow the OP to verify the credentials of the trusted computing environment.
  - 42. The method of claim 41, further comprising establishing a shared secret with the OP via the user interface.
  - 43. The method of claim 36, further comprising receiving an association handle from the trusted computing environment and transmitting the association handle to the OP.
  - 44. The method of claim 43, further comprising generating a signature based upon the shared secret and generating an authentication response that includes the signature and the association handle.
  - 45. The method of claim 44, further comprising receiving a signature assertion message from the OP.
  - 46. The method of claim 45, further comprising transmitting a signature response message to the OP.
  - 47. The method of claim 25, wherein authenticating the user is performed by verifying the user through a password or PIN code, a biometric identity, a token or combinations thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
InterDigital Patent Holdings, Inc. (InterDigital, Inc.)
Original Assignee
InterDigital Patent Holdings, Inc. (InterDigital, Inc.)
Inventors
Cha, Inhyok, Schmidt, Andreas, Leicher, Andreas, Shah, Yogendra C., Guccione, Louis J., Howry, Dolores F.

Granted Patent

US 8,533,803 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/35   communicating wirelessly

G06F 2221/2115   Third party

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

H04W 12/069   using certificates or pre-s...

Method And Apparatus For Trusted Federated Identity

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

272 Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Method And Apparatus For Trusted Federated Identity

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

272 Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links