MOBILE ENTERPRISE SMARTCARD AUTHENTICATION

US 20130297933A1
Filed: 03/28/2013
Published: 11/07/2013
Est. Priority Date: 03/29/2012
Status: Active Grant

First Claim

Patent Images

1. A method for use in multi-factor authentication to an enterprise network, comprising:

first receiving, at a user'"'"'s mobile device, an identity certificate and digital signature of the user from a smart card connected with a reader interface of the mobile device;

passing the identity certificate and digital signature from the mobile device to a central management server over at least one network; and

second receiving, at the user'"'"'s mobile device, a Virtual Private Network (VPN) certificate to access the enterprise network via a VPN connection in response to the passing.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Utilities that allow for multi-factor authentication into an enterprise network with a smart card using mobiles devices (e.g., smartphones, tablets, etc.), where almost any application (app) or website that accesses enterprise resources can be launched or executed to automatically establish of a VPN connection with the enterprise network free of necessarily having to specially configure the apps or websites to be useable with smart cards, card readers, etc. Virtually any app can be used and take advantage of the multifactor authentication free or substantially free of modification to the app itself as the disclosed utilities may take advantage of the native VPN clients and capabilities provided with the mobile device operating system (OS) (e.g., Android®, iOS). As a result, a much more flexible solution may be provided that allows the use of commercially available apps (e.g., from an “App Store”) as well as, for instance, enterprise developed apps.

78 Citations

View as Search Results

24 Claims

1. A method for use in multi-factor authentication to an enterprise network, comprising:
- first receiving, at a user'"'"'s mobile device, an identity certificate and digital signature of the user from a smart card connected with a reader interface of the mobile device;
  
  passing the identity certificate and digital signature from the mobile device to a central management server over at least one network; and
  
  second receiving, at the user'"'"'s mobile device, a Virtual Private Network (VPN) certificate to access the enterprise network via a VPN connection in response to the passing.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - initiating, from the mobile device, the VPN connection using the VPN certificate.
  - 3. The method of claim 2, wherein the initiating comprises:
    - launching, on the user'"'"'s mobile device, an application; and
      
      requesting, in response to the launching, validation of the VPN certificate, wherein the VPN connection is initiated based on a result of the requesting.
  - 4. The method of claim 3, further comprising after the launching:
    - receiving, on the user'"'"'s mobile device, user credentials, wherein the user credentials are included in the VPN certificate validation request.
  - 5. The method of claim 4, wherein the second receiving further includes:
    - receiving a VPN profile associated with the VPN certificate; and
      
      installing the VPN profile on the user'"'"'s mobile device, wherein a type of the received user credentials is specified in the installed VPN profile.
  - 6. The method of claim 5, wherein the received user credentials type comprises a username and a password.
  - 7. The method of claim 5, wherein the installed VPN profile comprises configuration settings for the VPN connection.
  - 8. The method of claim 7, wherein the VPN connection configuration settings comprise at least one of a VPN server, a VPN type, and an on-demand address.
  - 9. The method of claim 2, further comprising:
    - receiving a request to deauthenticate the VPN session.
  - 10. The method of claim 9, wherein the deauthentication request comprises:
    - sensing removal of the smart card from the user'"'"'s mobile device.
  - 11. The method of claim 2, wherein the initiating comprises:
    - sending the VPN certificate to a VPN concentrator, wherein the VPN concentrator validates the VPN certificate with a VPN certificate authority server.
  - 12. The method of claim 1, wherein the VPN certificate is received from a Mobile Device Management (MDM) server.
  - 13. The method of claim 12, wherein the MDM server is disjoint from the central management server.

14. A method for use in multi-factor authentication to an enterprise network, comprising:
- first receiving, at a management server over at least one network, credentials verifying at least one of at least two authentication factors from a user via a mobile device;
  
  first sending, from the management server to a first Certificate Authority (CA) server, a request to validate the credentials verifying at least one of the at least two authentication factors; and
  
  second sending, from the management server, a request for a certificate to access the enterprise network via a VPN connection from a second CA server based on whether the request was validated in the first sending.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The method of claim 14, further comprising:
    - third sending, from the management server to an enterprise directory server, a request to validate user permissions associated with the credentials verifying at least one of the at least two authentication factors, wherein the second sending is responsive to successful validation of the first and third sending.
  - 16. The method of claim 14, wherein the second sending comprises sending the VPN connection request from the management server to the second CA server, and wherein the method further comprises:
    - second receiving, at the management server from the second CA server, the VPN certificate; and
      
      transmitting the VPN certificate from the management server to a Mobile Device Management (MDM) server, wherein the VPN certificate is pushed from the MDM server to the mobile device.
  - 17. The method of claim 16, wherein the transmitting further includes:
    - communicating configuration settings for the VPN connection to the MDM server, wherein the MDM server generates a VPN profile including the VPN connection configuration settings and pushes the VPN profile with the VPN certificate to the mobile device.
  - 18. The method of claim 17, wherein the VPN connection configuration settings comprise at least one of a VPN server, a VPN type, and an on-demand address.
  - 19. The method of claim 16, wherein the second CA server associates the VPN certificate with the user in a directory service of the enterprise network.

20. A multi-factor authentication system for allowing access to an enterprise network over a virtual private network (VPN) connection with a mobile device, comprising:
- a client application configured to run on a user'"'"'s mobile device, wherein the client application is executable by a processor of the mobile device to;
  
  first receive an identity certificate of the user from a smart card connected with a reader interface of the mobile device; and
  
  second receive a digital signature of the user; and
  
  a central management server of the enterprise network in communication with the client application over at least one network, wherein the central management server is configured to;
  
  receive the identity certificate and digital signature from the client application via at least one network;
  
  first send a request to a first Certificate Authority (CA) server to validate the identity certificate;
  
  second send a request for a VPN certificate from a second CA server that allows the mobile device to establish a VPN connection into the enterprise network by the mobile device.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The system of claim 20, wherein the central management server is further configured to:
    - send the VPN certificate request to the second CA server;
      
      receive the VPN certificate from the second CA server; and
      
      transmit the VPN certificate to a mobile device management (MDM) server configured to coordinate communication of the VPN certificate to an operating system of the user'"'"'s mobile device.
  - 22. The system of claim 20, wherein the central management server is further configured to send the VPN certificate request to a mobile device management (MDM) server that is configured to request the VPN certificate from the second CA server, receive the VPN certificate, and coordinate communication of the VPN certificate to an operating system of the user'"'"'s mobile device.
  - 23. The system of claim 20, further comprising:
    - an operating system configured to run on the user'"'"'s mobile device, wherein the client application is executable by a processor of the mobile device to;
      
      receive the VPN certificate; and
      
      initiate the VPN connection using the VPN certificate.
  - 24. The system of claim 23, wherein the operating system is further executable by the processor of the mobile device to:
    - request, in response to launching of a user application, validation of the VPN certificate, wherein the VPN connection is initiated based on a result of the validation request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Leidos Innovations Technology, Inc.
Original Assignee
Lockheed Martin Corporation (Martin Marietta Corporation)
Inventors
Fiducia, Kyle J., Thomas, Jordan Faulkner, Schmerge, Pierce Stephen

Granted Patent

US 9,083,703 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

H04W 12/069   using certificates or pre-s...

MOBILE ENTERPRISE SMARTCARD AUTHENTICATION

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

78 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

MOBILE ENTERPRISE SMARTCARD AUTHENTICATION

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links