Efficient and secure authentication of computing systems

US 7,549,048 B2
Filed: 03/19/2004
Issued: 06/16/2009
Est. Priority Date: 03/19/2004
Status: Active Grant

First Claim

Patent Images

1. In a client computing system, a method for participating in authentication with a server computing system, the method comprising:

an act of the client computing system receiving a first server request that includes at least a first indication of the authentication mechanisms deployed at the server computing system and a server nonce;

an act of the client computing system sending a first response to the server computing system and that includes a client public key, a client nonce and a selected set of the authentication mechanisms that were included in the first indication of the authentication mechanisms received from the server computing system and that are also deployed at the client computing system;

an act of identifying a tunnel key that can be used to encrypt content transferred between the client computing system and the server computing system, the tunnel key comprising a hash of a concatenation of a session key together with the server nonce and the client nonce;

an act of receiving a second server request that includes encrypted authentication content, the encrypted authentication content being encrypted with the tunnel key and including a server challenge, a mutually deployed authentication method and a trust anchor;

an act of decrypting the encrypted authentication content with the tunnel key to reveal unencrypted authentication content, the unencrypted authentication content including the mutually deployed authentication mechanism the server challenge and the trust anchor; and

an act of sending a second response to the second server request, the second response including encrypted response data that is responsive to the unencrypted authentication content, including at least one of a client challenge, a hashed message authentication code that corresponds to the server challenge, or a client authentication signature, the encrypted response data being used for authenticating the client computing system with the server computing system according to the mutually deployed authentication mechanism.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The principles of the present invention relate to systems, methods, and computer program products for more efficiently and securely authenticating computing systems. In some embodiments, a limited use credential is used to provision more permanent credentials. A client receives a limited-use (e.g., a single-use) credential and submits the limited-use credential over a secure link to a server. The server provisions an additional credential (for subsequent authentication) and sends the additional credential to the client over the secure link. In other embodiments, computing systems automatically negotiate authentication methods using an extensible protocol. A mutually deployed authentication method is selected and secure authentication is facilitated with a tunnel key that is used encrypt (and subsequently decrypt) authentication content transferred between a client and a server. The tunnel key is derived from a shared secret (e.g., a session key) and nonces.

110 Citations

View as Search Results

22 Claims

1. In a client computing system, a method for participating in authentication with a server computing system, the method comprising:
- an act of the client computing system receiving a first server request that includes at least a first indication of the authentication mechanisms deployed at the server computing system and a server nonce;
  
  an act of the client computing system sending a first response to the server computing system and that includes a client public key, a client nonce and a selected set of the authentication mechanisms that were included in the first indication of the authentication mechanisms received from the server computing system and that are also deployed at the client computing system;
  
  an act of identifying a tunnel key that can be used to encrypt content transferred between the client computing system and the server computing system, the tunnel key comprising a hash of a concatenation of a session key together with the server nonce and the client nonce;
  
  an act of receiving a second server request that includes encrypted authentication content, the encrypted authentication content being encrypted with the tunnel key and including a server challenge, a mutually deployed authentication method and a trust anchor;
  
  an act of decrypting the encrypted authentication content with the tunnel key to reveal unencrypted authentication content, the unencrypted authentication content including the mutually deployed authentication mechanism the server challenge and the trust anchor; and
  
  an act of sending a second response to the second server request, the second response including encrypted response data that is responsive to the unencrypted authentication content, including at least one of a client challenge, a hashed message authentication code that corresponds to the server challenge, or a client authentication signature, the encrypted response data being used for authenticating the client computing system with the server computing system according to the mutually deployed authentication mechanism.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 13, 19, 20, 21, 22)
- - 2. The method as recited in claim 1, wherein the first server request includes a previous packet ID corresponding to a previous session existing between the client and the server computing systems.
  - 3. The method as recited in claim 1, wherein the authentication mechanisms deployed at the server computing system include one more authentication mechanisms selected from among MS-CHAP v2, Authentication with MD5, Authentication with Generic Token Card, Authentication with Kerberos, Authentication with X.509, and Authentication with WS-Security.
  - 4. The method as recited in claim 1, wherein the authentication mechanisms deployed at the client computing system include one more authentication mechanisms selected from among MS-CHAP v2, Authentication with MD5, Authentication with Generic Token Card, Authentication with Kerberos, Authentication with X.509, and Authentication with WS-Security.
  - 5. The method as recited in claim 1, wherein the first response includes a plurality of public keys.
  - 6. The method as recited in claim 1, wherein the act of receiving the second server request comprises receiving encrypted authentication content corresponding to an authentication method selected from among:
    - boot-strapping a client with an existing user-name and password, boot-strapping a client with an X.509 certificate, authenticating with an X.509 certificate, and boot-strapping a new client with a Kerberos token.
  - 7. The method as recited in claim 6, wherein the second server request includes a previous packet ID.
  - 8. The method as recited in claim 6, wherein the act of sending the second response includes sending encrypted responsive data for an authentication method selected from among:
    - boot-strapping a client with an existing user-name and password, boot strapping a client with an X.509 certificate, authenticating with an X.509 certificate, and boot-strapping a new client with a Kerberos token.
  - 9. The method as recite in claim 7, wherein the second response includes the previous packet ID.
  - 13. The method as recited in claim 1, wherein the authentication mechanisms deployed at the client computing system include one more authentication mechanisms selected from among MS-CHAP v2, Authentication with MD5, Authentication with Generic Token Card, Authentication with Kerberos, Authentication with X.509, and Authentication with WS-Security.
  - 19. The method recited in claim 1, wherein the first response also includes a plurality of security associations and wherein the second request includes one of the plurality of security associations selected from the plurality of security associations.
  - 20. The method recited in claim 1, wherein the second response includes the client challenge.
  - 21. The method recited in claim 1, wherein the second response includes the hashed message authentication code.
  - 22. The method recited in claim 1, wherein the second response includes the client authentication signature.

10. In a server computing system, a method for participating in authentication with a client computing system, the method comprising:
- an act of the server computing system sending a first request that includes at least a first indication of the authentication mechanisms deployed at the server computing system and a server nonce;
  
  an act of the server computing system receiving a first client response to the first request and that includes a client public key, a client nonce and a selected set of the authentication mechanisms that were included in the first indication of the authentication mechanisms deployed by the server and that are also deployed at the client computing system;
  
  an act of identifying a tunnel key that can be used to encrypt content transferred between the client computing system and the server computing system, the tunnel key comprising a hash of a concatenation of a session key together with the server nonce and the client nonce;
  
  an act of sending a second request that includes encrypted authentication content, the encrypted authentication content being encrypted with the tunnel key, the encrypted authentication content including a server challenge, a mutually deployed authentication mechanism and a trust anchor; and
  
  an act of receiving a second client response, the second client response including encrypted response data that is responsive to the encrypted authentication content and that includes at least one of a client challenge, a hashed message authentication code corresponding to the server challenge, or a client authentication signature, the encrypted response data being used for authenticating the client computing system with the server computing system according to the mutually deployed authentication mechanism.
- View Dependent Claims (11, 12, 14, 15, 16, 17, 18)
- - 11. The method as recited in claim 10, wherein the first request includes a previous packet ID corresponding to a previous session existing between the client and the server computing system.
  - 12. The method as recited in claim 10, wherein the authentication mechanisms deployed at the server computing system include one more authentication mechanisms selected from among MS-CHAP v2, Authentication with MD5, Authentication with Generic Token Card, Authentication with Kerberos, Authentication with X.509, and Authentication with WS-Security.
  - 14. The method as recited in claim 10, wherein the first client response includes a plurality of public keys.
  - 15. The method as recited in claim 10, wherein the act of sending a second request comprises sending encrypted authentication content corresponding to an authentication method selected from among:
    - boot-strapping a client with an existing user-name and password, boot-strapping a client with an X.509 certificate, authenticating with an X.509 certificate, and boot-strapping a new client with a Kerberos token.
  - 16. The method as recited in claim 15, wherein the second request includes a previous packet ID.
  - 17. The method as recited in claim 15, wherein the act of receiving a second client response includes receiving encrypted responsive data for an authentication method selected from among:
    - boot-strapping a client with an existing user-name and password, boot strapping a client with an X.509 certificate, authenticating with an X.509 certificate, and boot-strapping a new client with a Kerberos token.
  - 18. The method as recited in claim 17, wherein the second client response includes the previous packet ID.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Moore, Timothy M., Simon, Daniel R., Freeman, Trevor William, Aboba, Bernard D.
Primary Examiner(s)
Moise; Emmanuel L
Assistant Examiner(s)
WILLIAMS, JEFFERY L

Application Number

US10/804,591
Publication Number

US 20050210252A1
Time in Patent Office

1,915 Days
Field of Search

726 5- 10, 713/171
US Class Current

713/171
CPC Class Codes

G06F 21/31   User authentication

H04L 63/0428   wherein the data content is...

H04L 63/0838   using one-time-passwords

H04L 63/0846   using time-dependent-passwo...

H04L 63/166   at the transport layer

H04L 63/205   involving negotiation or de...

Efficient and secure authentication of computing systems

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

110 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Efficient and secure authentication of computing systems

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

110 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links