MOBILE DEVICE AUTHENTICATION

US 20150058947A1
Filed: 08/23/2013
Published: 02/26/2015
Est. Priority Date: 08/23/2013
Status: Active Grant

First Claim

Patent Images

1. A system for mobile device authentication, the system comprising:

a public-facing server configured to interface with a mobile device; and

a secure server configured to interface with the public-facing server via a perimeter network; and

an authorization station configured to interface with the secure server via a control system network, the authorization station comprising processing circuitry configured to;

establish authorization limits for the mobile device;

generate an authentication key associated with the authorization limits;

provide the authentication key and an identifier of the mobile device to the secure server;

generate an authorization code comprising an encoded version of the authentication key and an address of the public-facing server; and

provide the authorization code to the mobile device to establish authentication for the mobile device to receive data from the control system network as constrained by the authorization limits.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One aspect of the invention is a system for mobile device authentication. The system includes a public-facing server configured to interface with a mobile device. The system also includes a secure server configured to interface with the public-facing server and an authorization station. The authorization station includes processing circuitry configured to establish authorization limits for the mobile device and generate an authentication key associated with the authorization limits. The processing circuitry is further configured to provide the authentication key and an identifier of the mobile device to the secure server, and generate an authorization code including an encoded version of the authentication key and an address of the public-facing server. The processing circuitry is also configured to provide the authorization code to the mobile device to establish authentication for the mobile device to receive data from a control system network as constrained by the authorization limits.

21 Citations

View as Search Results

20 Claims

1. A system for mobile device authentication, the system comprising:
- a public-facing server configured to interface with a mobile device; and
  
  a secure server configured to interface with the public-facing server via a perimeter network; and
  
  an authorization station configured to interface with the secure server via a control system network, the authorization station comprising processing circuitry configured to;
  
  establish authorization limits for the mobile device;
  
  generate an authentication key associated with the authorization limits;
  
  provide the authentication key and an identifier of the mobile device to the secure server;
  
  generate an authorization code comprising an encoded version of the authentication key and an address of the public-facing server; and
  
  provide the authorization code to the mobile device to establish authentication for the mobile device to receive data from the control system network as constrained by the authorization limits.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system according to claim 1, wherein the public-facing server is further configured to:
    - receive a request from the mobile device, perform an initial authentication check of the request, forward the request to the secure server based on determining that the request passes the initial authentication check of the request, and return the data to the mobile device.
  - 3. The system according to claim 2, wherein the secure server is further configured to:
    - receive the request from the public-facing server, perform a final authentication check of the request, access the control system network to retrieve the data, and return the data to the public-facing server.
  - 4. The system according to claim 1, wherein the authorization code is provided to the mobile device by one or more of:
    - a wireless link and a visual indication detectable by a camera of the mobile device.
  - 5. The system according to claim 1, wherein the authorization limits comprise one or more of:
    - access to plant summary data, access to device maintenance data, access to plant documentation, access to specific sets of control system set points, ability to change at least one of the control system set points, and access to maintenance logs.
  - 6. The system according to claim 1, wherein the authorization limits are further constrained by one or more of:
    - a timeout period, a physical location of the mobile device, detected unusual activity, and local access to keep-alive messages.
  - 7. The system according to claim 1, wherein the secure server is further configured to revoke access to the mobile device based on one or more of:
    - a timeout period expiring, a device identification failure, a user account authentication failure, an area of access, a role of access, and a control system state.
  - 8. The system according to claim 1, wherein the secure server further comprises a rules engine, and the processing circuitry of the authorization station is further configured to establish rules for the rules engine to revoke access to the mobile device based on one or more of:
    - control system data and request history of the mobile device.

9. A method for mobile device authentication, the method comprising:
- establishing, by processing circuitry of an authorization station, authorization limits for a mobile device, wherein the authorization station interfaces with a secure server via a control system network, the secure server interfaces with a public-facing server via a perimeter network, and the public-facing server interfaces with the mobile device;
  
  generating, by the processing circuitry, an authentication key associated with the authorization limits;
  
  providing the authentication key and an identifier of the mobile device to the secure server;
  
  generating an authorization code comprising an encoded version of the authentication key and an address of the public-facing server; and
  
  providing the authorization code to the mobile device to establish authentication for the mobile device to receive data from the control system network as constrained by the authorization limits.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method according to claim 9, further comprising:
    - receiving a request at the public-facing server from the mobile device;
      
      performing an initial authentication check of the request;
      
      forwarding the request to the secure server based on determining that the request passes the initial authentication check of the request;
      
      performing a final authentication check of the request by the secure server;
      
      accessing the control system network to retrieve the data;
      
      returning the data from the secure server to the public-facing server; and
      
      returning the data from the public-facing server to the mobile device.
  - 11. The method according to claim 9, wherein the authorization code is provided to the mobile device by one or more of:
    - a wireless link and a visual indication detectable by a camera of the mobile device.
  - 12. The method according to claim 9, wherein the authorization limits comprise one or more of:
    - access to plant summary data, access to device maintenance data, access to plant documentation, access to specific sets of control system set points, ability to change at least one of the control system set points, and access to maintenance logs.
  - 13. The method according to claim 9, wherein the authorization limits are further constrained by one or more of:
    - a timeout period, a physical location of the mobile device, detected unusual activity, and local access to keep-alive messages.
  - 14. The method according to claim 9, further comprising:
    - revoking access to the mobile device based on one or more of;
      
      a timeout period expiring, a device identification failure, a user account authentication failure, an area of access, a role of access, and a control system state.
  - 15. The method according to claim 9, wherein the secure server further comprises a rules engine, and the method further comprises establishing rules for the rules engine to revoke access to the mobile device based on one or more of:
    - control system data and request history of the mobile device.

16. A computer program product for mobile device authentication, the computer program product including a non-transitory computer readable medium storing instructions for causing processing circuitry to implement a method, the method comprising:
- establishing authorization limits for a mobile device;
  
  generating an authentication key associated with the authorization limits;
  
  providing the authentication key and an identifier of the mobile device to a secure server;
  
  generating an authorization code comprising an encoded version of the authentication key and an address of a public-facing server; and
  
  providing the authorization code to the mobile device to establish authentication for the mobile device to receive data from a control system network as constrained by the authorization limits.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer program product according to claim 16, wherein the authorization code is provided to the mobile device by one or more of:
    - a wireless link and a visual indication detectable by a camera of the mobile device.
  - 18. The computer program product according to claim 16, wherein the authorization limits comprise one or more of:
    - access to plant summary data, access to device maintenance data, access to plant documentation, access to specific sets of control system set points, ability to change at least one of the control system set points, and access to maintenance logs.
  - 19. The computer program product according to claim 16, wherein the authorization limits are further constrained by one or more of:
    - a timeout period, a physical location of the mobile device, detected unusual activity, and local access to keep-alive messages.
  - 20. The computer program product according to claim 16, wherein the secure server further comprises a rules engine, and the method further comprises establishing rules for the rules engine to revoke access to the mobile device based on one or more of:
    - a timeout period expiring, a device identification failure, a user account authentication failure, an area of access, a role of access, a control system state, control system data and request history of the mobile device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GE Infrastructure Technology, LLC (General Electric Company)
Original Assignee
General Electric Company
Inventors
John, Justin Varkey, Grubbs, Robert William

Granted Patent

US 9,560,523 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

G05B 19/0425   Safety, monitoring

G05B 19/418   Total factory control, i.e....

G05B 2219/23067   Control, human or man machi...

G05B 2219/36133   MMI, HMI: man machine inter...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/0209   Architectural arrangements,...

H04L 63/062   for key distribution, e.g. ...

H04L 63/104   Grouping of entities

H04L 63/108   when the policy decisions a...

H04L 67/12   specially adapted for propr...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 12/77   Graphical identity

H04W 4/021   Services related to particu...

MOBILE DEVICE AUTHENTICATION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MOBILE DEVICE AUTHENTICATION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links