Efficient and secure authentication of computing systems
Abstract
The principles of the present invention relate to systems, methods, and computer program products for more efficiently and securely authenticating computing systems. In some embodiments, a limited-use credential is used to provision more permanent credentials. A client receives a limited-use (e.g., a single-use) credential and submits the limited-use credential over a secure link to a server. The server provisions an additional credential (for subsequent authentication) and sends the additional credential to the client over the secure link. In other embodiments, computing systems automatically negotiate authentication methods using an extensible protocol. A mutually deployed authentication method is selected and secure authentication is facilitated with a tunnel key that is used to encrypt (and subsequently decrypt) authentication content transferred between a client and a server. The tunnel key is derived from a shared secret (e.g., a session key) and nonces.
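The mechanism selection, tunnel-key derivation and challenge HMAC described here and in claim 1, as an added example that is not code from the patent. It assumes SHA-256 as the hash, the concatenation order session key, server nonce, client nonce, 16-byte nonces, a 32-byte session key both sides already hold, and an HMAC keyed with a constructed shared secret. The mechanism names are placeholders, and the cipher that would use the tunnel key is omitted because the page does not name one.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # assumption: fixed-size nonces keep the concatenation unambiguous
KEY_LEN = 32    # assumption: 256-bit session key

def select_mechanisms(server_offered, client_deployed):
    """Mechanisms from the server's indication that the client also deploys."""
    return [m for m in server_offered if m in client_deployed]

def derive_tunnel_key(session_key, server_nonce, client_nonce):
    """hash(session key || server nonce || client nonce); SHA-256 is an assumption."""
    if len(session_key) != KEY_LEN:
        raise ValueError("unexpected session key length")
    if len(server_nonce) != NONCE_LEN or len(client_nonce) != NONCE_LEN:
        raise ValueError("unexpected nonce length")
    return hashlib.sha256(session_key + server_nonce + client_nonce).digest()

def challenge_hmac(secret, server_challenge):
    """HMAC over the server challenge, keyed with a shared secret (assumption)."""
    return hmac.new(secret, server_challenge, hashlib.sha256).digest()

def verify_challenge_hmac(secret, server_challenge, received):
    """Server-side check; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(challenge_hmac(secret, server_challenge), received)

def demo():
    # All values below are constructed for this example.
    session_key = secrets.token_bytes(KEY_LEN)
    shared_secret = b"constructed-client-secret"
    chosen = select_mechanisms(["mech-a", "mech-b", "mech-c"], {"mech-c", "mech-b"})
    s_nonce, c_nonce = secrets.token_bytes(NONCE_LEN), secrets.token_bytes(NONCE_LEN)
    client_key = derive_tunnel_key(session_key, s_nonce, c_nonce)
    server_key = derive_tunnel_key(session_key, s_nonce, c_nonce)
    # Same session key, fresh server nonce: a different tunnel key.
    next_key = derive_tunnel_key(session_key, secrets.token_bytes(NONCE_LEN), c_nonce)
    challenge = secrets.token_bytes(16)
    mac = challenge_hmac(shared_secret, challenge)
    return {
        "mechanisms": chosen,
        "keys_match": client_key == server_key,
        "fresh_nonce_changes_key": next_key != client_key,
        "mac_ok": verify_challenge_hmac(shared_secret, challenge, mac),
        "mac_for_other_challenge_ok": verify_challenge_hmac(
            shared_secret, secrets.token_bytes(16), mac),
    }
```

Because a plain concatenation carries no field boundaries, the length checks are what keep two different (key, nonce, nonce) triples from hashing the same byte string.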
22 Claims
1. In a client computing system, a method for participating in authentication with a server computing system, the method comprising:
- an act of the client computing system receiving a first server request that includes at least a first indication of the authentication mechanisms deployed at the server computing system and a server nonce;
- an act of the client computing system sending a first response to the server computing system and that includes a client public key, a client nonce and a selected set of the authentication mechanisms that were included in the first indication of the authentication mechanisms received from the server computing system and that are also deployed at the client computing system;
- an act of identifying a tunnel key that can be used to encrypt content transferred between the client computing system and the server computing system, the tunnel key comprising a hash of a concatenation of a session key together with the server nonce and the client nonce;
- an act of receiving a second server request that includes encrypted authentication content, the encrypted authentication content being encrypted with the tunnel key and including a server challenge, a mutually deployed authentication method and a trust anchor;
- an act of decrypting the encrypted authentication content with the tunnel key to reveal unencrypted authentication content, the unencrypted authentication content including the mutually deployed authentication mechanism the server challenge and the trust anchor; and
- an act of sending a second response to the second server request, the second response including encrypted response data that is responsive to the unencrypted authentication content, including at least one of a client challenge, a hashed message authentication code that corresponds to the server challenge, or a client authentication signature, the encrypted response data being used for authenticating the client computing system with the server computing system according to the mutually deployed authentication mechanism.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 13, 19, 20, 21, 22

10. In a server computing system, a method for participating in authentication with a client computing system, the method comprising:
- an act of the server computing system sending a first request that includes at least a first indication of the authentication mechanisms deployed at the server computing system and a server nonce;
- an act of the server computing system receiving a first client response to the first request and that includes a client public key, a client nonce and a selected set of the authentication mechanisms that were included in the first indication of the authentication mechanisms deployed by the server and that are also deployed at the client computing system;
- an act of identifying a tunnel key that can be used to encrypt content transferred between the client computing system and the server computing system, the tunnel key comprising a hash of a concatenation of a session key together with the server nonce and the client nonce;
- an act of sending a second request that includes encrypted authentication content, the encrypted authentication content being encrypted with the tunnel key, the encrypted authentication content including a server challenge, a mutually deployed authentication mechanism and a trust anchor; and
- an act of receiving a second client response, the second client response including encrypted response data that is responsive to the encrypted authentication content and that includes at least one of a client challenge, a hashed message authentication code corresponding to the server challenge, or a client authentication signature, the encrypted response data being used for authenticating the client computing system with the server computing system according to the mutually deployed authentication mechanism.

Dependent claims: 11, 12, 14, 15, 16, 17, 18

Specification