Method and apparatus for pervasive authentication domains

US 7,487,537 B2
Filed: 10/14/2003
Issued: 02/03/2009
Est. Priority Date: 10/14/2003
Status: Expired due to Fees

First Claim

Patent Images

1. method of sharing security credentials between devices of a user comprising:

ascertaining at least one personal authentication gateway device of the user from at least one pervasive device of the user, the at least one pervasive device comprising at least one automatic token client application and the at least one personal authentication gateway device comprising at least one token server application;

sending at least one token request from the at least one pervasive device to the at least one personal authentication gateway device, wherein the token request comprises;

a Slave-ID field identifying the pervasive device, a Domain-ID field identifying a pervasive authentication domain, a Nonce-128bit field identifying a random value generate by the pervasive device to protect against Token Request reply attacks, and a Type field, and further wherein the Nonce-128bit field, the Slave-ID field, and the Type field are encrypted using a Triple-DES symmetric cryptographic encryption algorithm; and

receiving a token response at the at least one pervasive device from the at least one personal authentication gateway device only if the at least one pervasive device has been authorized via configuring the at least one personal authentication gateway device to recognize the at least one pervasive device as a registered member of the pervasive authentication domain, wherein the token response comprises;

said Slave-ID field and said Nonce-128bit field from the Token request, a Type field, and a Tokens and Checksum field containing authentication tokens and checksums for integrity, and further wherein the Nonce-128bit field, the Slave ID field, the Type field, and the Tokens and Checksum field are encrypted with triple-DES encryption;

wherein when the security credentials are provided to the at least one authentication gateway device, the at least one pervasive device that has been authorized is enabled to retrieve the at least one authentication token;

wherein the at least one pervasive device is a digital watch adapted with a user interfaces for entering the security credentials, and configured to use a TCP/IP protocol for wireless communication with the personal authentication gateway device; and

wherein the security credentials will expire after a period of 10 minutes from receipt.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for enabling a Pervasive Authentication Domain. A Pervasive Authentication Domain allows many registered Pervasive Devices to obtain authentication credentials from a single Personal Authentication Gateway and to use these credentials on behalf of users to enable additional capabilities for the devices. It provides an arrangement for a user to store credentials in one device (the Personal Authentication Gateway), and then make use of those credentials from many authorized Pervasive Devices without re-entering the credentials. It provides a convenient way for a user to share credentials among many devices, particularly when it is not convenient to enter credentials as in a smart wristwatch environment. It further provides an arrangement for disabling access to credentials to devices that appear to be far from the Personal Authentication Gateway as measured by metrics such as communications signal strengths.

19 Citations

View as Search Results

10 Claims

1. method of sharing security credentials between devices of a user comprising:
- ascertaining at least one personal authentication gateway device of the user from at least one pervasive device of the user, the at least one pervasive device comprising at least one automatic token client application and the at least one personal authentication gateway device comprising at least one token server application;
  
  sending at least one token request from the at least one pervasive device to the at least one personal authentication gateway device, wherein the token request comprises;
  
  a Slave-ID field identifying the pervasive device, a Domain-ID field identifying a pervasive authentication domain, a Nonce-128bit field identifying a random value generate by the pervasive device to protect against Token Request reply attacks, and a Type field, and further wherein the Nonce-128bit field, the Slave-ID field, and the Type field are encrypted using a Triple-DES symmetric cryptographic encryption algorithm; and
  
  receiving a token response at the at least one pervasive device from the at least one personal authentication gateway device only if the at least one pervasive device has been authorized via configuring the at least one personal authentication gateway device to recognize the at least one pervasive device as a registered member of the pervasive authentication domain, wherein the token response comprises;
  
  said Slave-ID field and said Nonce-128bit field from the Token request, a Type field, and a Tokens and Checksum field containing authentication tokens and checksums for integrity, and further wherein the Nonce-128bit field, the Slave ID field, the Type field, and the Tokens and Checksum field are encrypted with triple-DES encryption;
  
  wherein when the security credentials are provided to the at least one authentication gateway device, the at least one pervasive device that has been authorized is enabled to retrieve the at least one authentication token;
  
  wherein the at least one pervasive device is a digital watch adapted with a user interfaces for entering the security credentials, and configured to use a TCP/IP protocol for wireless communication with the personal authentication gateway device; and
  
  wherein the security credentials will expire after a period of 10 minutes from receipt.
- View Dependent Claims (2, 3, 4)
- - 2. The method according to claim 1, wherein said ascertaining step comprises looking up a personal authentication gateway address in configuration settings.
  - 3. The method according to claim 1, wherein the at least one token request comprises a pervasive device identification, a message type, and a protection arrangement for fields of the at least one token request, the protection arrangement being adapted to ensure integrity and confidentiality.
  - 4. The method according to claim 1, wherein said receiving step comprises storing received credentials for use by other applications.

5. An apparatus for sharing security credentials between devices of a user, said apparatus comprising:
- a processor which executesa discoverer which finds at least one personal authentication gateway device of the user from at least one pervasive device of the user, the at least one pervasive device comprising at least one automatic token client application and the at least one personal authentication gateway device comprising at least one token server application;
  
  a token requestor which sends at least one token request from the at least one pervasive device to the at least one personal authentication gateway device, wherein the token request comprises;
  
  a Slave-ID field identifying the pervasive device, a Domain-ID field identifying a pervasive authentication domain, a Nonce-128bit field identifying a random value generate by the pervasive device to protect against Token Request reply attacks, and a Type field, and further wherein the Nonce-128bit field, the Slave-ID field, and the Type field are encrypted using a Triple-DES symmetric cryptographic encryption algorithm;
  
  a token responder which accepts at least one token request and sends at least one token response with at least one authentication token to the at least one pervasive device only if the at least one pervasive device has been authorized via configuring the at least one personal authentication gateway device to recognize the at least one pervasive device as a registered member of a the pervasive authentication domain, wherein the token response comprises;
  
  said Slave-ID field and said Nonce-128bit field from the Token request, a Type field, and a Tokens and Checksum field containing authentication tokens and checksums for integrity, and further wherein the Nonce-128bit field, the Slave ID field, the Type field, and the Tokens and Checksum field are encrypted with triple-DES encryption to ensure that only the Automatic Token Client can read the Token Response;
  
  wherein when the security credentials are provided to the at least one authentication gateway device, the at least one pervasive device that has been authorized is enabled to retrieve the at least one authentication token, wherein the at least one pervasive device is a digital watch adapted with a user interfaces for entering the security credentials, and configured to use a TCP/IP protocol for wireless communication with the personal authentication gateway device; and
  
  wherein the security credentials are designed to expire after a period of 10 minutes from receipt.
- View Dependent Claims (6, 7, 8, 9)
- - 6. The apparatus according to claim 5, wherein the at least one token request comprises a pervasive device identification, the message type, at least one authentication token, and a protection arrangement for fields of the at least one token request, the protection arrangement being adapted to ensure integrity and confidentiality.
  - 7. The apparatus according to claim 6, wherein said protection arrangement comprises Triple-DES encryption using a long key.
  - 8. The apparatus according to claim 7, wherein said long key is a secure hash comprised of a master secret known only to the personal authentication gateway, a pervasive device identification, and a pervasive authentication domain identification.
  - 9. The apparatus according to claim 7, wherein said long key is distributed to the at least one pervasive device during authorization.

10. A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for sharing security credentials between devices of a user, said method comprising the steps of:
- ascertaining at least one personal authentication gateway device of the user from at least one pervasive device of the user, the at least one pervasive device comprising at least one automatic token client application and the at least one personal authentication gateway device comprising at least one token server application;
  
  sending at least one token request from the at least one pervasive device to the at least one personal authentication gateway device, wherein the token request comprises;
  
  a Slave-ID field identifying the pervasive device, a Domain-ID field identifying a pervasive authentication domain, a Nonce-128bit field identifying a random value generate by the pervasive device to protect against Token Request reply attacks, and a Type field, and further wherein the Nonce-128bit field, the Slave-ID field, and the Type field are encrypted using a Triple-DES symmetric cryptographic encryption algorithm;
  
  receiving a token response at the pervasive device from the at least one personal authentication gateway only if the at least one pervasive device has been authorized via configuring the at least one personal authentication gateway device to recognize the at least one pervasive device as a registered member of the pervasive authentication domain, wherein the token response comprises;
  
  said Slave-ID field and said Nonce-128bit field from the Token request, a Type field, and a Tokens and Checksum field containing authentication tokens and checksums for integrity, and further wherein the Nonce-128bit field, the Slave ID field, the Type field, and the Tokens and Checksum field are encrypted with triple-DES encryption to ensure that only the Automatic Token Client can read the Token Response;
  
  wherein when the security credentials are provided to the at least one authentication gateway device, the at least one pervasive device that has been authorized is enabled to retrieve at least one authentication token;
  
  wherein the at least one pervasive device is a digital watch adapted with a user interfaces for entering the security credentials, and configured to use a TCP/IP protocol for wireless communication with the personal authentication gateway device; and
  
  wherein the security credentials are designed to expire after a period of 10 minutes from receipt.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Sailer, Reiner, Giles, James R.
Primary Examiner(s)
Kincaid; Kristine
Assistant Examiner(s)
SHAW, YIN CHEN

Application Number

US10/685,846
Publication Number

US 20050081044A1
Time in Patent Office

1,939 Days
Field of Search

726/2, 726 4- 7, 726/10, 713/168, 713/170, 713/182, 380/270
US Class Current

726/5
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/126   the source of the received ...

Method and apparatus for pervasive authentication domains

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

19 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for pervasive authentication domains

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links