SYSTEMS AND METHODS FOR SECURING NETWORK COMMUNICATIONS

US 20130080769A1
Filed: 03/23/2012
Published: 03/28/2013
Est. Priority Date: 03/23/2011
Status: Active Grant

First Claim

Patent Images

1. In a system comprising a user equipment (UE), a service provider, and an identity provider, a method for establishing secure communications between the service provider and the UE, the method comprising:

establishing, at the UE, a secure channel between the UE and the service provider;

sending, to the identity provider, authentication parameters for performing an authentication of the UE with the identity provider;

determining, at the UE, an authentication assertion that indicates a successful authentication of the UE; and

verifying, at the UE, that the service provider with which the secure channel has been established is an intended service provider for performing authentication for access to services, wherein the service provider is verified using at least one parameter generated during the authentication of the UE with the identity provider or during the establishment of the secure channel.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Secure communications may be established amongst network entities for performing authentication and/or verification of the network entities. For example, a user equipment (UE) may establish a secure channel with an identity provider, capable of issuing user identities for authentication of the user/UE. The UE may also establish a secure channel with a service provider, capable of providing services to the UE via a network. The identity provider may even establish a secure channel with the service provider for performing secure communications. The establishment of each of these secure channels may enable each network entity to authenticate to the other network entities. The secure channels may also enable the UE to verify that the service provider with which it has established the secure channel is an intended service provider for accessing services.

Citations

25 Claims

1. In a system comprising a user equipment (UE), a service provider, and an identity provider, a method for establishing secure communications between the service provider and the UE, the method comprising:
- establishing, at the UE, a secure channel between the UE and the service provider;
  
  sending, to the identity provider, authentication parameters for performing an authentication of the UE with the identity provider;
  
  determining, at the UE, an authentication assertion that indicates a successful authentication of the UE; and
  
  verifying, at the UE, that the service provider with which the secure channel has been established is an intended service provider for performing authentication for access to services, wherein the service provider is verified using at least one parameter generated during the authentication of the UE with the identity provider or during the establishment of the secure channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, further comprising binding the authentication of the UE to the establishment of the secure channel.
  - 3. The method of claim 2, wherein the authentication of the UE comprises a Session Initiation Protocol Digest (SIP-Digest) authentication, and wherein the binding of the authentication of the UE to the establishment of the secure channel comprises binding the SIP-Digest authentication to the establishment of the secure channel.
  - 4. The method of claim 2, wherein the binding of the authentication of the UE to the establishment of the secure channel is performed using information included in the authentication assertion, and wherein the information is associated with the establishment of the secure channel between the UE and the service provider.
  - 5. The method of claim 2, wherein the binding of the authentication of the UE to the establishment of the secure channel enables the UE to verify that the service provider with which the secure channel has been established is the intended service provider.
  - 6. The method of claim 1, further comprising determining an authentication of the service provider at the UE.
  - 7. The method of claim 6, further comprising binding the authentication of the service provider to the establishment of the secure channel between the UE and the service provider.
  - 8. The method of claim 7, wherein the binding of the authentication of the service provider to the establishment of the secure channel enables authentication of the service provider to be determined by the UE being able to verify that the service provider with which the secure channel has been established is the intended service provider.
  - 9. The method of claim 6, wherein the determining the authentication of the service provider comprises receiving a service provider authentication assertion from an external identity provider.
  - 10. The method of claim 1, wherein the identity provider comprises a local identity provider.
  - 11. The method of claim 10, wherein the determining of the authentication assertion comprises generating the authentication assertion using the local identity provider.
  - 12. The method of claim 10, wherein the local identity provider is associated with a pre-established shared key generated from the authentication of the UE, and wherein the pre-established shared key is used to establish the secure channel between the UE and the service provider.
  - 13. The method of claim 10, wherein the service provider is associated with a cloud-hosted virtual machine, and wherein the establishing the secure channel between the UE and the service provider further comprises establishing the secure channel between the local identity provider and the service provider associated with the cloud-hosted virtual machine to enable access to services provided by the cloud-hosted virtual machine.
  - 14. The method of claim 1, wherein the identity provider comprises an external identity provider, and wherein the determining of the authentication assertion comprises receiving the authentication assertion from the external identity provider.
  - 15. The method of claim 1, further comprising establishing a secure channel between the UE and the identity provider.
  - 16. The method of claim 15, wherein the secure channel between the UE and the identity provider and the secure channel between the UE and the service provider are each established using a respective shared key.
  - 17. The method of claim 15, wherein the authentication of the UE is performed using at least one parameter associated with the establishment of the secure channel between the UE and the identity provider.
  - 18. The method of claim 1, wherein the at least one parameter generated during the authentication comprises the authentication assertion, and wherein the at least one parameter generated during establishment of the secure channel comprises an encrypted seed value, a binding response derived from key material extracted from a secure transport-layer security (TLS) tunnel between the UE and the service provider, or a nonce used for establishment of the secure channel.
  - 19. The method of claim 1, wherein the service provider is verified as the intended service provider by validating information received from the service provider via the secure channel between the UE and the service provider.

20. A user equipment (UE) configured to establish secure communications with a service provider, the UE comprising:
- a memory having computer-executable instructions stored thereon; and
  
  a processor configured to execute the computer executable instructions to perform the following;
  
  establish a secure channel between the UE and the service provider;
  
  send authentication parameters to an identity provider for performing an authentication of the UE with the identity provider;
  
  determine an authentication assertion that indicates a successful authentication of the UE; and
  
  verify that the service provider with which the secure channel has been established is an intended service provider for performing authentication for services, wherein the service provider is verified using at least one parameter generated during the authentication of the UE with the identity provider or during the establishment of the secure channel.
- View Dependent Claims (21, 22, 23)
- - 21. The UE of claim 20, wherein the processor is further configured to bind the authentication of the UE with the establishment of the secure channel.
  - 22. The UE of claim 20, wherein the processor is further configured to:
    - determine an authentication of the service provider; and
      
      bind the authentication of the service provider to the establishment of the secure channel between the UE and the service provider.
  - 23. The UE of claim 20, wherein the identity provider comprises a local identity provider residing on the UE, wherein the local identity provider is associated with a pre-established shared key generated from the authentication of the UE, and wherein the pre-established shared key is used to establish the secure channel between the UE and the service provider.

24. In a system comprising a user equipment (UE), a service provider, and an identity provider, a method for establishing secure communications between the service provider and the UE, the method comprising:
- establishing, at the service provider, a secure channel between the identity provider and the service provider;
  
  receiving key information via the secure channel between the identity provider and the service provider;
  
  establishing, at the service provider, a secure channel between the service provider and the UE using the received key information;
  
  receiving, at the service provider, an authentication assertion indicating an authentication of the UE; and
  
  verifying, at the service provider, the authentication assertion using information received via at least one of the secure channel between the identity provider and the service provider or the secure channel between the service provider and the UE.
- View Dependent Claims (25)
- - 25. The method of claim 24, further comprising sending an indication to the UE that the service provider is an intended service provider for performing authentication for services.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
InterDigital Patent Holdings, Inc. (InterDigital, Inc.)
Original Assignee
InterDigital Patent Holdings, Inc. (InterDigital, Inc.)
Inventors
Cha, Inhyok, Guccione, Louis J., Schmidt, Andreas, Leicher, Andreas, Shah, Yogendra C.

Granted Patent

US 8,850,545 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/155
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/42   using separate channels for...

G06F 21/53   by executing in a restricte...

G06F 21/575   Secure boot

G06F 2221/2107   File encryption

G06F 2221/2149   Restricted operating enviro...

H04L 63/0272   Virtual private networks

H04L 63/062   for key distribution, e.g. ...

H04L 63/0869   for achieving mutual authen...

H04L 63/168   above the transport layer

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 9/0819   Key transport or distributi...

H04L 9/3271   using challenge-response

H04W 12/02   Protecting privacy or anony...

H04W 12/0431   Key distribution or pre-dis...

H04W 12/06   Authentication

SYSTEMS AND METHODS FOR SECURING NETWORK COMMUNICATIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR SECURING NETWORK COMMUNICATIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links