Computer system for authenticating a computing device
Abstract
A computer architecture for enterprise device applications provides a real-time, bi-directional communication layer for device communication. An identity-based communications layer provides for secure, end-to-end telemetry and control communications by enabling mutual authentication and encryption between the devices and the enterprise. A unique identity is assigned to each device, user and application to provide security services. A communications session is established between two devices using an authentication service that authenticates the device that is initiating the establishment of the communications session with another device. After authenticating the initiating device, the authentication service provides to the initiating device the network address of the other device and an authentication credential for use in the communications session between the initiating device and the other device.
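The abstract and independent claims 1 and 44 describe a Kerberos-like exchange: each device is imprinted with an identity (physical plus virtual) that is separate from its network address, receives a long-term secret and a short-term secret with a limited lifetime, and later asks the authentication service for a session with a peer. The service authenticates the initiator, checks whether the pair is permitted, and only then returns the peer's current address, mutual-authentication material for both sides, and policy sealed under the initiator's short-term credential. The model below is an added worked example, not the patentee's code or any product; the identity encoding, device names, addresses, the 300-second short-term lifetime, the ticket format and the HMAC-based toy cipher are all assumptions made for the demo.

```python
"""Toy model of the identity-based session setup in the abstract and claims 1/44.
Constructed example, not the patentee's code. Stdlib only: HMAC-SHA256 proves
possession of a shared secret; an HMAC keystream with encrypt-then-MAC stands in
for a real AEAD (use AES-GCM or ChaCha20-Poly1305 outside a demo)."""
import hashlib
import hmac
import json
import secrets

def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(_prf(enc_key, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with encryption and MAC keys derived separately."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(_prf(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("ciphertext rejected: bad tag")   # tampering or wrong credential
    return bytes(a ^ b for a, b in zip(ct, _stream(_prf(key, b"enc"), nonce, len(ct))))

class AuthService:
    """Holds the identity registry, the address map and the pairwise policy."""
    SHORT_TERM_TTL = 300.0   # assumed lifetime (seconds) of the short-term credential

    def __init__(self):
        self.registry = {}    # identity -> {"lt": long-term secret, "st": short-term secret, "st_exp": expiry}
        self.addresses = {}   # identity -> network address, deliberately kept apart from the identity
        self.policy = {}      # (initiator, peer) -> policy dict; an absent pair means "not permitted"

    def imprint(self, physical_id: str, virtual_id: str, address: str, now: float):
        """Imprinting (claim 1): bind physical + virtual identity, issue both credentials."""
        identity = f"{physical_id}/{virtual_id}"   # assumed encoding, e.g. serial / application
        rec = {"lt": secrets.token_bytes(32), "st": secrets.token_bytes(32),
               "st_exp": now + self.SHORT_TERM_TTL}
        self.registry[identity], self.addresses[identity] = rec, address
        return identity, rec["lt"], (rec["st"], rec["st_exp"])

    def request_session(self, initiator: str, proof: bytes, peer: str, now: float) -> dict:
        """Authenticate, authorize (claim 44), then release address, auth material, policy."""
        rec = self.registry.get(initiator)
        if rec is None or now > rec["st_exp"]:
            raise PermissionError("unknown identity or expired short-term credential")
        expected = _prf(rec["st"], f"session|{initiator}>{peer}|{now}".encode())
        if not hmac.compare_digest(proof, expected):
            raise PermissionError("initiator authentication failed")
        policy = self.policy.get((initiator, peer))
        if policy is None:   # nothing about the peer leaves the service unless permitted
            raise PermissionError(f"{initiator} may not open a session to {peer}")
        session_key = secrets.token_bytes(32)
        ticket = {"from": initiator, "key": session_key.hex(), "exp": now + 60}
        return {
            "address": self.addresses[peer],                                         # (1)
            "session_key": seal(rec["st"], session_key),                              # (2) initiator copy
            "ticket": seal(self.registry[peer]["st"], json.dumps(ticket).encode()),   # (2) peer copy
            "policy": seal(rec["st"], json.dumps(policy).encode()),                   # (3)
        }

class Device:
    def __init__(self, identity: str, short_term: bytes):
        self.identity, self.st = identity, short_term

    def session_proof(self, peer: str, now: float) -> bytes:
        return _prf(self.st, f"session|{self.identity}>{peer}|{now}".encode())

    def accept_ticket(self, ticket_blob: bytes, now: float):
        """Peer side: unseal the forwarded ticket, reject stale ones."""
        t = json.loads(unseal(self.st, ticket_blob))
        if t["exp"] < now:
            raise PermissionError("ticket expired")
        return t["from"], bytes.fromhex(t["key"])

def mutual_authenticate(initiator_key: bytes, peer_key: bytes) -> bool:
    """Challenge/response in both directions over the delivered session key."""
    c1, c2 = secrets.token_bytes(16), secrets.token_bytes(16)
    peer_answer = _prf(peer_key, b"peer|" + c1)         # peer answers the initiator's challenge
    init_answer = _prf(initiator_key, b"init|" + c2)    # initiator answers the peer's challenge
    return (hmac.compare_digest(peer_answer, _prf(initiator_key, b"peer|" + c1))
            and hmac.compare_digest(init_answer, _prf(peer_key, b"init|" + c2)))

def demo(now: float = 1_700_000_000.0) -> dict:
    """Imprint two devices (assumed names/addresses), open a session, authenticate both ways."""
    svc = AuthService()
    a_id, _, (a_st, _) = svc.imprint("sensor-0017", "telemetry", "10.0.0.17:5000", now)
    b_id, _, (b_st, _) = svc.imprint("gateway-01", "collector", "10.0.1.1:5000", now)
    svc.policy[(a_id, b_id)] = {"max_rate": 10, "ciphers": ["aes-gcm"]}
    a, b = Device(a_id, a_st), Device(b_id, b_st)
    resp = svc.request_session(a_id, a.session_proof(b_id, now), b_id, now)
    a_key = unseal(a_st, resp["session_key"])             # initiator recovers its copy of the key
    policy = json.loads(unseal(a_st, resp["policy"]))     # and the policy sealed under its credential
    sender, b_key = b.accept_ticket(resp["ticket"], now)  # peer recovers its copy from the ticket
    ok = sender == a_id and mutual_authenticate(a_key, b_key)
    return {"address": resp["address"], "policy": policy, "authenticated": ok}
```

Two properties of the claimed design show up in the model. The address the service returns is only a locator: the peer accepts the initiator because it can unseal a ticket under its own short-term secret, so an attacker who spoofs the address learns nothing and cannot complete mutual authentication. And because the service refuses a request whose short-term credential has passed its expiry, the limited duration in claim 1 bounds how long a stolen short-term secret is useful; the claims do not say how the long-term secret is used afterwards (for example to renew the short-term credential), so the model issues it but does not exercise it. The service, like a Kerberos KDC, knows every session key it hands out, which is the trust assumption the architecture makes.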
72 Claims
1. A method for an authentication service to establish a communications session between two computing devices connected to a network, the method comprising:

receiving, at the authentication service, a request from a first registered computing device to establish a communications session with a second registered computing device, wherein prior to receiving the request and registering the two computing devices, the authentication service receives an imprinting request for an identity from each of the computing devices, and associates an identity to each of the computing devices, the identity identifying the corresponding computing device and being independent of a network address associated with the computing device, and in response to the imprinting request the authentication service sends to the first registered computing device the identity, and further sends to the first registered computing device a first long-term authentication credential that encapsulates a first secret shared between the authentication service and the first registered computing device and a first short-term authentication credential that encapsulates a second secret shared between the authentication service and the first registered computing device and is valid for a limited duration, wherein the identity comprises a physical identity that is associated with a singular physical entity and a virtual identity that represents a non-physical entity; authenticating the first registered computing device; and

after the first registered computing device is authenticated by the authentication service, sending from the authentication service to the first registered computing device (1) a network address, associated with the identity of the second registered computing device for use in completing establishment of the communications session with the second registered computing device, (2) authentication information for use in mutual authentication of the first registered computing device and the second registered computing device, and (3) sending policy information to the first registered computing device, wherein the policy information is encrypted using the short-term authentication credential associated with the first computing device and sending the encrypted policy information.

Dependent claims: 2 to 43.
44. A method for an authentication service to establish a communications session between two computing devices connected to a network, the method comprising:

receiving, at the authentication service, a request from a first registered computing device to establish a communications session with a second registered computing device, wherein prior to receiving the request and registering the two computing devices, the authentication service receives an imprinting request for an identity from each of the computing devices, and associates an identity to each of the computing devices, the identity identifying the corresponding computing device and being independent of a network address associated with the computing device, and in response to the imprinting request the authentication service sends to the first registered computing device the identity, and further sends to the first registered computing device a first long-term authentication credential that encapsulates a first secret shared between the authentication service and the first registered computing device and a first short-term authentication credential that encapsulates a second secret shared between the authentication service and the first registered computing device and is valid for a limited duration, wherein the identity comprises a physical identity that is associated with a singular physical entity and a virtual identity that represents a non-physical entity; authenticating the first registered computing device; determining whether the first registered computing device is permitted to establish a communications session with the second registered computing device; and after the first registered computing device is authenticated by the authentication service and is permitted to establish a communications session with the second registered computing device, sending from the authentication service to the first registered computing device (1) a network address associated with an identity of the second registered computing device for use in completing establishment of the communications session with the second registered computing device, (2) authentication information for use in mutual authentication of the first registered computing device and the second registered computing device, and (3) sending policy information to the first registered computing device, wherein the policy information is encrypted using the short-term authentication credential associated with the first computing device and sending the encrypted policy information.

Dependent claims: 45 to 50.
51. A non-transitory computer-readable medium having embodied thereon a computer program configured to establish a communications session between two computing devices connected to a network by an authentication service, the medium comprising one or more code segments configured to:

receive, at the authentication service, a request from a first registered computing device to establish a communications session with a second registered computing device, wherein prior to receiving the request and registering the two computing devices, the authentication service receives an imprinting request for an identity from each of the computing devices, and associates an identity to each of the computing devices, the identity identifying the corresponding computing device and being independent of a network address associated with the computing device, and in response to the imprinting request the authentication service sends to the first registered computing device the identity, and further sends to the first registered computing device a first long-term authentication credential that encapsulates a first secret shared between the authentication service and the first registered computing device and a first short-term authentication credential that encapsulates a second secret shared between the authentication service and the first registered computing device and is valid for a limited duration, wherein the identity comprises a physical identity that is associated with a singular physical entity and a virtual identity that represents a non-physical entity; authenticate the first registered computing device; and

after the first registered computing device is authenticated by the authentication service, send from the authentication service to the first registered computing device (1) a network address associated with an identity of the second registered computing device for use in completing establishment of the communications session with the second registered computing device, (2) authentication information for use in mutual authentication of the first registered computing device and the second registered computing device, and (3) sending policy information to the first registered computing device, wherein the policy information is encrypted using the short-term authentication credential associated with the first computing device and sending the encrypted policy information.

Dependent claims: 52 to 59.
60. A non-transitory computer-readable medium having embodied thereon a computer program configured to establish a communications session between two computing devices connected to a network by an authentication service, the medium comprising one or more code segments configured to:

receive a request from a first registered computing device to establish a communications session with a second registered computing device, wherein prior to receiving the request and registering the two computing devices, the authentication service receives an imprinting request for an identity from each of the computing devices, and associates an identity to each of the computing devices, the identity identifying the corresponding computing device and being independent of a network address associated with the computing device, and in response to the imprinting request the authentication service sends to the first registered computing device the identity, and further sends to the first registered computing device a first long-term authentication credential that encapsulates a first secret shared between the authentication service and the first registered computing device and a first short-term authentication credential that encapsulates a second secret shared between the authentication service and the first registered computing device and is valid for a limited duration, wherein the identity comprises a physical identity that is associated with a singular physical entity and a virtual identity that represents a non-physical entity; authenticate the first registered computing device; determine whether the first registered computing device is permitted to establish a communications session with the second registered computing device, and after the first registered computing device is authenticated by the authentication service and is permitted to establish a communication session with the second registered computing device, send from the authentication service to the first registered computing device (1) a network address associated with an identity of the second registered computing device for use in completing establishment of the communications session with the second registered computing device and (2) authentication information for use in mutual authentication of the first registered computing device and the second registered computing device, and (3) sending policy information to the first registered computing device, wherein the policy information is encrypted using the short-term authentication credential associated with the first computing device and sending the encrypted policy information.

Dependent claim: 61.
62. A system for establishing a communications session between two computing devices connected to a network, the system comprising a processor connected to a storage device and one or more input/output devices, wherein the processor is configured to:

receive, at an authentication service, a request from a first registered computing device to establish a communications session with a second registered computing device, wherein prior to receiving the request and registering the two computing devices, the authentication service receives an imprinting request for an identity from each of the computing devices, and associates an identity to each of the computing devices, the identity identifying the corresponding computing device and being independent of a network address associated with the computing device, and in response to the imprinting request the authentication service sends to the first registered computing device the identity, and further sends to the first registered computing device a first long-term authentication credential that encapsulates a first secret shared between the authentication service and the first registered computing device and a first short-term authentication credential that encapsulates a second secret shared between the authentication service and the first registered computing device and is valid for a limited duration, wherein the identity comprises a physical identity that is associated with a singular physical entity and a virtual identity that represents a non-physical entity; authenticate the first registered computing device; and after the first registered computing device is authenticated by the authentication service, send from the authentication service to the first registered computing device (1) a network address associated with an identity of the second registered computing device for use in completing establishment of the communications session with the second registered computing device and (2) authentication information for use in mutual authentication of the first registered computing device and the second registered computing device, and (3) sending policy information to the first registered computing device, wherein the policy information is encrypted using the short-term authentication credential associated with the first computing device and sending the encrypted policy information.

Dependent claims: 63 to 70.
71. A system for establishing a communications session between two computing devices connected to a network, the system comprising a processor connected to a storage device and one or more input/output devices, wherein the processor is configured to:

receive, at an authentication service, a request from a first registered computing device to establish a communications session with a second registered computing device, wherein prior to receiving the request and registering the two computing devices, the authentication service receives an imprinting request for an identity from each of the computing devices, and associates an identity to each of the computing devices, the identity identifying the corresponding computing device and being independent of a network address associated with the computing device, and in response to the imprinting request the authentication service sends to the first registered computing device the identity, and further sends to the first registered computing device a first long-term authentication credential that encapsulates a first secret shared between the authentication service and the first registered computing device and a first short-term authentication credential that encapsulates a second secret shared between the authentication service and the first registered computing device and is valid for a limited duration, wherein the identity comprises a physical identity that is associated with a singular physical entity and a virtual identity that represents a non-physical entity; determine whether the first registered computing device is permitted to establish a communications session with the second registered computing device, and after the first registered computing device is authenticated by the authentication service and is permitted to establish a communications session with the second registered computing device, send from the authentication service to the first registered computing device (1) a network address associated with an identity of the second registered computing device for use in completing establishment of the communications session with the second registered computing device and (2) authentication information for use in mutual authentication of the first registered computing device and the second registered computing device, and (3) sending policy information to the first registered computing device, wherein the policy information is encrypted using the short-term authentication credential associated with the first computing device and sending the encrypted policy information.

Dependent claim: 72.