WEB AUTHENTICATION USING CLIENT PLATFORM ROOT OF TRUST

US 20140289831A1
Filed: 12/28/2011
Published: 09/25/2014
Est. Priority Date: 12/28/2011
Status: Active Grant

First Claim

Patent Images

1. A device for device-specific web authentication, the device comprising:

at least one processor arranged to;

request a website; and

access the website in response to an website access initiation from an authorization module on a server; and

a secure execution environment arranged to;

store a device-stored uniform resource identifier;

send the device-stored uniform resource identifier to the authorization module;

receive a server-stored uniform resource identifier from the authorization module; and

send a validity determination to the authorization module in response to a validation of the server-stored uniform resource identifier by the secure execution environment, the website access initiation being based on the validity determination.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for performing web authentication using a client platform root of trust are disclosed herein. Website and user validity and integrity may be authenticated based on the user device'"'"'s attempt to access the website. A user device may securely access the website once the user device is successfully authenticated with a server. In an embodiment, the user device may perform an authentication of the website to ensure the website is a valid entity.

33 Citations

View as Search Results

36 Claims

1. A device for device-specific web authentication, the device comprising:
- at least one processor arranged to;
  
  request a website; and
  
  access the website in response to an website access initiation from an authorization module on a server; and
  
  a secure execution environment arranged to;
  
  store a device-stored uniform resource identifier;
  
  send the device-stored uniform resource identifier to the authorization module;
  
  receive a server-stored uniform resource identifier from the authorization module; and
  
  send a validity determination to the authorization module in response to a validation of the server-stored uniform resource identifier by the secure execution environment, the website access initiation being based on the validity determination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The device of claim 1, wherein to send the device-stored uniform resource identifier includes the secure execution environment arranged to send an encryption of the device-stored uniform resource identifier.
  - 3. The device of claim 1, wherein the validation of the server-stored uniform resource identifier includes the server execution environment arranged to compare the server-stored uniform resource identifier to the device-stored uniform resource identifier and make the validity determination valid if they match and invalid otherwise.
  - 4. The device of claim 1, wherein to receive the server-stored uniform resource identifier includes the server execution environment arranged to receive an encryption of the server-stored uniform resource identifier.
  - 5. The device of claim 1, wherein to access the website includes the processor arranged to access account information associated with an account of a user of the device.
  - 6. The device of claim 1, wherein the secure execution environment is further arranged to:
    - send a provisioning request to the authorization module to configure the device to securely access the website, the provisioning request including credentials of a user having an account associated with the website; and
      
      receive the device-stored uniform resource identifier after the authorization module has determined that the credentials are valid and that the device is associated with the user.
  - 7. The device of claim 1, wherein the request includes an indicator to use device-specific authentication, the authorization module sending the server-stored uniform resource identifier based on the indicator.
  - 8. The device of claim 1, wherein the device-stored uniform resource identifier is arranged to provide access to the website for a particular period of time.
  - 9. The device of claim 1, wherein the secure execution environment is arranged to deny access to the website by the processor.

10. A method for web authentication, the method comprising:
- responsive to a request to access a website using a device having a secure execution environment, the device arranged to use a client platform root of trust, sending to a server a device-stored web address stored at the secure execution environment, the device-stored web address being specific to the device;
  
  receiving at the secure execution environment on the device, a server-stored web address stored at the server, the server-stored web address being specific to the device;
  
  determining, via the secure execution environment, whether the server-stored web address is valid; and
  
  initiating access to the website if the server-stored web address is valid and if the server determines that the device-stored web address is valid.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 11. The method of claim 10, wherein accessing the website includes accessing account information associated with an account of a user.
  - 12. The method of claim 10, wherein the server-stored web address is valid if the server-stored web address matches the device-stored web address.
  - 13. The method of claim 10, wherein sending the device-stored web address includes sending an encryption of the device-stored web address.
  - 14. The method of claim 10, wherein receiving the server-stored web address includes receiving an encryption of the server-stored web address.
  - 15. The method of claim 10, further comprising:
    - sending to the server a request to configure the device to securely access the website including sending credentials of a user having an account associated with the website;
      
      receiving at the secure execution environment the device-stored web address after the server has determined that the credentials are valid and that the device is associated with the user; and
      
      storing the device-stored web address at the secure execution environment.
  - 16. The method of claim 10, wherein the request to access the website includes an indicator indicating the secure execution environment stores the device-stored web address, the server-stored web address being received based on the indicator.
  - 17. The method of claim 10, wherein the access to the website is provided by the server for a period of time.
  - 18. The method of claim 10, further comprising denying, via the secure execution environment, access to the website if the server-stored web address is invalid.
  - 19. At least one machine-readable medium comprising a plurality of instructions that, in response to being executed on a computing device, cause the computing device to perform the method according to claim 10.
  - 20. An apparatus including at least one processor arranged to perform the method according to claim 10.

21. An authorization module for device-specific web authentication, the authorization module arranged to:
- receive a request to access a website from a device having a secure execution environment;
  
  receive a device-stored uniform resource identifier from the device, the device-stored uniform resource identifier being stored in the secure execution environment;
  
  send a server-stored uniform resource identifier to the secure execution environment; and
  
  provide access to the website in response to a determination that the device-stored uniform resource identifier is valid and in response to a determination by the secure execution environment that the server-stored uniform resource identifier is valid.
- View Dependent Claims (22, 23)
- - 22. The authorization module of claim 21, wherein the website includes account information associated with an account of a user.
  - 23. The authorization module of claim 21, wherein the determination that the device-stored uniform resource identifier is valid includes the authorization module arranged to compare the device-stored uniform resource identifier to the server-stored uniform resource identifier and find it valid if they match and invalid otherwise.

24-29. -29. (canceled)

30. A method for web authentication, the method comprising:
- receiving at a server a device-stored web address stored at the secure environment, the device-stored web address being a web address specific to the device, the device arranged to use a client platform root of trust;
  
  sending from the server to the secure execution environment on the device a server-stored web address stored at the server;
  
  determining, via the server, whether the device-stored web address is valid; and
  
  providing access to the website if the device-stored web address is valid and if the secure execution environment of the device determines that the server-stored web address is valid.
- View Dependent Claims (35)
- - 35. The method of claim 30, further comprising:
    - receiving at the server a request to configure the device to securely access the website including receiving credentials of a user having an account associated with the website;
      
      determining whether the credentials are valid and whether the device is associated with the user;
      
      generating the device-stored web address if the credentials are valid and if the device is associated with the user; and
      
      sending to the secure execution environment the device-stored web address, wherein the device-stored web address is stored at the secure execution environment.

31-34. -34. (canceled)

36-40. -40. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Prakash, Gyan, Poornachandran, Rajesh

Granted Patent

US 9,887,997 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 2221/2129   Authenticate client device ...

H04L 63/0876   based on the identity of th...

H04L 63/168   above the transport layer

H04L 9/3228   One-time or temporary data,...

WEB AUTHENTICATION USING CLIENT PLATFORM ROOT OF TRUST

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

WEB AUTHENTICATION USING CLIENT PLATFORM ROOT OF TRUST

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links