PERFORMING CLIENT AUTHENTICATION USING CERTIFICATE STORE ON MOBILE DEVICE

US 20140108810A1
Filed: 10/16/2012
Published: 04/17/2014
Est. Priority Date: 10/16/2012
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a user requesting access to a computing resource, the method comprising:

receiving, over a first network connection, a request from a client device to access an application;

generating, by operation of a processor, a nonce to encode in a barcode graphic;

sending, over the first network connection, the barcode graphic to the client device;

receiving, over a second network connection, a response which includes a digital signature signing the nonce; and

upon determining the digital signature is valid, granting the client device access to the application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for authenticating users to a computing application. A relying application transmits a login page to a user requesting access to the application. The login page may include a QR code (or other barcode) displayed to the user. The QR code may encode a nonce along with a URL address indicating where a response to the login challenge should be sent. In response, the user scans the barcode with an app on a mobile device (e.g., using a camera on a smart phone) to recover both the nonce and the URL address. The mobile device may also include a certificate store containing a private key named in a PKI certificate. The app signs the nonce using the private key and sends the signed nonce in to the URL in a response message.

Citations

25 Claims

1. A method for authenticating a user requesting access to a computing resource, the method comprising:
- receiving, over a first network connection, a request from a client device to access an application;
  
  generating, by operation of a processor, a nonce to encode in a barcode graphic;
  
  sending, over the first network connection, the barcode graphic to the client device;
  
  receiving, over a second network connection, a response which includes a digital signature signing the nonce; and
  
  upon determining the digital signature is valid, granting the client device access to the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the barcode graphic is a QR code.
  - 3. The method of claim 1, wherein the barcode graphic further encodes a network address for the client device to send the response.
  - 4. The method of claim 3, wherein a mobile device generates the response by:
    - scanning the barcode graphic to recover the nonce and the network address;
      
      accessing a private key from a certificate store on the mobile device; and
      
      signing, with the private key, the recovered nonce.
  - 5. The method of claim 1, wherein determining the digital signature is valid comprises determining that the digital signature was generated using a private key corresponding to a public key listed in a digital certificate.
  - 6. The method of claim 5, wherein determining the digital signature is valid further comprises, validating the digital certificate.
  - 7. The method of claim 1, wherein the client device renders the barcode graphic on a display to be scanned by a mobile device.

8. A computer-readable storage medium storing instructions, which, when executed on a processor, performs an operation for authenticating a user requesting access to a computing resource, the operation comprising:
- receiving, over a first network connection, a request from a client device to access an application, generating, by operation of the processor, a nonce to encode in a barcode graphic;
  
  sending, over the first network connection, the barcode graphic to the client device;
  
  receiving, over a second network connection, a response which includes a digital signature signing the nonce; and
  
  upon determining the digital signature is valid, granting the client device access to the application.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable storage medium of claim 8, wherein the barcode graphic is a QR code.
  - 10. The computer-readable storage medium of claim 8, wherein the barcode graphic further encodes a network address for the client device to send the response.
  - 11. The computer-readable storage medium of claim 10, wherein a mobile device generates the response by:
    - scanning the barcode graphic to recover the nonce and the network address;
      
      accessing a private key from a certificate store on the mobile device; and
      
      signing, with the private key, the recovered nonce.
  - 12. The computer-readable storage medium of claim 8, wherein determining the digital signature is valid comprises determining that the digital signature was generated using a private key corresponding to a public key listed in a digital certificate.
  - 13. The computer-readable storage medium of claim 12, wherein determining the digital signature is valid further comprises, validating the digital certificate.
  - 14. The computer-readable storage medium of claim 8, wherein the client device renders the barcode graphic on a display to be scanned by a mobile device.

15. A system, comprising:
- a processor anda memory hosting an application, which, when executed on the processor, performs an operation for authenticating a user requesting access to a computing resource, the operation comprising;
  
  receiving, over a first network connection, a request from a client device to access the application,generating, by operation of a processor, a nonce to encode in a barcode graphic,sending, over the first network connection, the barcode graphic to the client device,receiving, over a second network connection, a response which includes a digital signature signing the nonce, andupon determining the digital signature is valid, granting the client device access to the application.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The system of claim 15, wherein the barcode graphic is a QR code.
  - 17. The system of claim 15, wherein the barcode graphic further encodes a network address for the client device to send the response.
  - 18. The system of claim 17, wherein a mobile device generates the response by:
    - scanning the barcode graphic to recover the nonce and the network address;
      
      accessing a private key from a certificate store on the mobile device; and
      
      signing, with the private key, the recovered nonce.
  - 19. The system of claim 15, wherein determining the digital signature is valid comprises determining that the digital signature was generated using a private key corresponding to a public key listed in a digital certificate.
  - 20. The system of claim 19, wherein determining the digital signature is valid further comprises, validating the digital certificate.
  - 21. The system of claim 15, wherein the client device renders the barcode graphic on a display to be scanned by a mobile device.

22. A method for accessing a computing resource hosted by a network accessible computing system, the method comprising:
- receiving, on a first computing device, an authentication challenge, wherein the authentication challenge is received in response to a request to access the computing resource, and wherein the authentication challenge is encoded in a barcode graphic displayed on the first computing devicescanning, with a second computing device, the barcode graphic to recover a nonce and a network address;
  
  signing the recovered nonce with the a private key retrieved from a certificate store on the second computing device; and
  
  posting, from the second computing device, to the network address, a response to the authentication challenge, wherein the response includes at least a signed copy of the nonce.
- View Dependent Claims (23, 24)
- - 23. The method of claim 22, wherein the second computing device is a handheld mobile telephone and wherein the response further includes a digital certificate and public key corresponding to the private key used to sign the nonce.
  - 24. The method of claim 22, wherein the barcode graphic is a QR code.

25. A computer-readable storage medium storing instructions, which, when executed on a processor on a mobile device, performs an operation for responding to an authentication challenge, the operation comprising:
- scanning a barcode graphic displayed on a logon page of an application to recover a nonce and a network address;
  
  signing the recovered nonce with the a private key stored on the mobile device; and
  
  posting, to the network address, a response to the authentication challenge, wherein the response includes at least a signed copy of the nonce.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Limited (Gen Digital Inc.)
Inventors
CHENNA, Srinivas

Granted Patent

US 9,083,531 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/179
CPC Class Codes

H04L 2209/34   Encoding or coding, e.g. Hu...

H04L 2209/80   Wireless

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 9/00   Cryptographic mechanisms or...

H04L 9/321   involving a third party or ...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04L 9/3271   using challenge-response

H04W 12/06   Authentication

H04W 12/10   Integrity

H04W 12/77   Graphical identity

PERFORMING CLIENT AUTHENTICATION USING CERTIFICATE STORE ON MOBILE DEVICE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

PERFORMING CLIENT AUTHENTICATION USING CERTIFICATE STORE ON MOBILE DEVICE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links