SECURE AUTHENTICATION FOR CLIENT APPLICATION ACCESS TO PROTECTED RESOURCES

US 20120144202A1
Filed: 12/06/2010
Published: 06/07/2012
Est. Priority Date: 12/06/2010
Status: Active Grant

First Claim

Patent Images

1. A method implemented at a network device, comprising:

receiving a request for an access token, for accessing a protected resource, from a client application executing on a device, wherein the request includes a client identifier that uniquely identifies the client application and a device identifier that uniquely identifies the device;

performing authentication of the client identifier and the device identifier; and

returning a valid access token to the client application, based on the authentication of the client identifier and the device identifier, to enable the client application access to the protected resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authorization server receives a request for an access token, for accessing a protected resource, from a client application executing on a device, wherein the request includes a client identifier that uniquely identifies the client application and a device identifier that uniquely identifies the device. The authorization server performs authentication of the client identifier and the device identifier. The authorization server returns a valid access token to the client application, based on the authentication of the client identifier and the device identifier, to enable the client application access to the protected resource.

Citations

24 Claims

1. A method implemented at a network device, comprising:
- receiving a request for an access token, for accessing a protected resource, from a client application executing on a device, wherein the request includes a client identifier that uniquely identifies the client application and a device identifier that uniquely identifies the device;
  
  performing authentication of the client identifier and the device identifier; and
  
  returning a valid access token to the client application, based on the authentication of the client identifier and the device identifier, to enable the client application access to the protected resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the device identifier comprises one of:
    - an International Mobile Subscriber Identity (IMSI), an International Mobile Equipment Identities (IMEI), a Mobile Equipment Identifier (MEID), an Electronic Serial Number (ESN), a Mobile Station International Subscriber Directory Number (MSISDN), a Medium Access Control (MAC) address, or an Internet Protocol Multimedia Subsystem Private Identifier (IMPI).
  - 3. The method of claim 1, further comprising:
    - sending a query, that includes the device identifier, to a database to retrieve Authentication and Key Agreement (AKA) parameters for use in authenticating the device;
      
      receiving the AKA parameters from the database; and
      
      using the AKA parameters to authenticate the device.
  - 4. The method of claim 1, wherein returning a valid access token to the client application is further based on the authentication of the device using the AKA parameters.
  - 5. The method of claim 3, further comprising:
    - identifying the device as rogue if the authentication of the device fails.
  - 6. The method of claim 1, wherein the request for an access token further includes a signature generated at the device using a client secret key shared between the device and the authorization server, and further comprising:
    - sending a query, that includes the client identifier, to a database to retrieve the client secret key;
      
      receiving the client secret key from the database; and
      
      attempting to validate the signature using the client secret key to authenticate the client application.
  - 7. The method of claim 6, wherein, if the attempt to validate the signature using the client secret key is not successful, then the authentication of the client application fails.
  - 8. The method of claim 1, further comprising:
    - directing a user associated with the device to an authorization page;
      
      receiving the user'"'"'s log-in and a denial or grant of access to the protected resource via the authorization page.
  - 9. The method of claim 8, wherein, if a denial of access to the protected resource is received via the authorization page, the client application is denied access to the protected resource.
  - 10. The method of claim 8, further comprising:
    - returning a valid access token to the client application that permits access to the protected resource based on whether a grant of access to the protected resource is received via the authorization page.

11. A network device, comprising:
- a communication interface connected to an external network;
  
  a memory configured to store instructions;
  
  a processing unit configured to execute the instructions stored in the memory to;
  
  receive, via the communication interface, a request for an access token for accessing a protected resource from a client application executing on a device, wherein the request includes a client identifier that uniquely identifies the client application and a device identifier that uniquely identifies the device,perform authentication of the client identifier and the device identifier; and
  
  return a valid access token to the client application via the communication interface, based on the authentication of the client identifier and the device identifier, to enable the client application access to the protected resource.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The network device of claim 11, wherein the device identifier comprises one of:
    - an International Mobile Subscriber Identity (IMSI), an International Mobile Equipment Identities (IMEI), a Mobile Equipment Identifier (MEID), an Electronic Serial Number (ESN), a Mobile Station International Subscriber Directory Number (MSISDN), a Medium Access Control (MAC) address, or an Internet Protocol Multimedia Subsystem Private Identifier (IMPI)
  - 13. The server of claim 11, wherein the processing unit is further configured to:
    - send, via the communication interface, a query, that includes the device identifier, to a database to retrieve Authentication and Key Agreement (AKA) parameters for use in authenticating the device,receive, via the communication interface, the AKA parameters from the database; and
      
      use the AKA parameters to authenticate the device.
  - 14. The server of claim 11, wherein returning the valid access token to the client application is further based on the authentication of the device using the AKA parameters.
  - 15. The server of claim 13, further comprising:
    - identifying the device as rogue if the authentication of the device fails.
  - 16. The server of claim 11, wherein the request for an access token further includes a signature generated at the device using a client secret key shared between the device and the authorization server, and wherein the processing unit is further configured to:
    - send a query, that includes the client identifier, to a database to retrieve the client secret key,receive the client secret key from the database, andattempt to validate the signature using the client secret key to authenticate the client application.
  - 17. The server of claim 16, wherein, if the attempt to validate the signature using the client secret key is not successful, then the authentication of the client application fails.
  - 18. The server of claim 11, wherein the processing unit is further configured to:
    - direct a user associated with the device to an authorization page, and receive the user'"'"'s log-in and a denial or grant of access to the protected resource via the authorization page.
  - 19. The server of claim 11, wherein, if a denial of access to the protected resource is received via the authorization page, the client application is denied access to the protected resource.
  - 20. The server of claim 18, wherein the processing unit is further configured to:
    - return a valid access token to the client application that permits access to the protected resource based on whether a grant of access to the protected resource is received via the authorization page.

21. A device, comprising:
- a communication interface;
  
  a memory configured to store a client application installed on the device;
  
  a device application configured to;
  
  store a client identifier that identifies the client application, andstore a device identifier that identifies the device;
  
  a processing unit configured to;
  
  execute the client application,initiate the sending of a request for an access token, for accessing a protected resource, from the client application to an authorization server via the communication interface, wherein the request includes the client identifier and the device identifier,receive a valid access token for the client application from the authorization server via the communication interface,initiate the sending of a request for data from the client application to the protected resource via the communication interface, wherein the request includes the access token for accessing the protected resource, andreceive the requested data from the protected resource via the communication interface in response to the request.
- View Dependent Claims (22, 23, 24)
- - 22. The device of claim 21, wherein the device comprises a cellular radiotelephone, a smart phone, a personal digital assistant (PDA), a set-top box (STB), an analog terminal adaptor (ATA), a Voice over Internet Protocol (VoIP) device, a laptop computer, a palmtop computer, a gaming device, a media player device, a tablet computer, or a digital camera.
  - 23. The device of claim 21, wherein the device application is implemented by a Universal Integrated Circuit Card (UICC), a removable user identity card (R-UIM), a subscriber identity module (SIM), a universal subscriber identity module (USIM), or an Internet Protocol (IP) multimedia services identity module (ISIM).
  - 24. The device of claim 21, wherein the device identifier comprises at least one of:
    - an International Mobile Subscriber Identity (IMSI), an International Mobile Equipment Identities (IMEI), a Mobile Equipment Identifier (MEID), an Electronic Serial Number (ESN), a Mobile Station International Subscriber Directory Number (MSISDN), a Medium Access Control (MAC) address, or an Internet Protocol Multimedia Subsystem Private Identifier (IMPI);

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
Counterman, Raymond C.

Granted Patent

US 8,868,915 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/176
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/44   Program or device authentic...

G06F 21/6281   at program execution time, ...

G06F 2221/2129   Authenticate client device ...

H04L 2209/42   Anonymization, e.g. involvi...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0876   based on the identity of th...

H04L 63/1466   Active attacks involving in...

H04L 9/3228   One-time or temporary data,...

SECURE AUTHENTICATION FOR CLIENT APPLICATION ACCESS TO PROTECTED RESOURCES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE AUTHENTICATION FOR CLIENT APPLICATION ACCESS TO PROTECTED RESOURCES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links