Two-way authentication using a combined code

US 7,814,538 B2
Filed: 12/13/2005
Issued: 10/12/2010
Est. Priority Date: 12/13/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A device comprising:

one or more device-readable storage media encoded with device executable instructions for performing a method comprising;

identifying in a combined code at least two sets of data for authentication, the combined code being received out-of-band and comprising a combined code hash of the at least two sets of data from which an encoding scheme of the at least two sets of data can be determined;

sending a connection request to a target service;

receiving a certificate from the target service for establishing a secure channel;

validating the certificate with a first set of data included in the combined code, the first set of data including a first hash of a public key associated with the certificate; and

when the certificate is validated, identifying in the combined code a second set of data that includes a credential for authentication, and providing the credential to the target service.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication process using a combined code as a shared secret between a client and target service is provided. The combined code is provided out-of-band and includes data to perform two-way authentication for both the client and the target service. The target service may provide the client with a certificate to establish a secure channel. The client may use the data in the combined code to validate the target service. When the target service is validated, the client may provide credentials in the combined code to the target service for authentication. In one example implementation, the combined code includes a hash of a public key. The client may compute another hash of another public key in the certificate provided by the target service and validate the service by comparing the hash in the combined code and the computed hash.

Citations

18 Claims

1. A device comprising:
- one or more device-readable storage media encoded with device executable instructions for performing a method comprising;
  
  identifying in a combined code at least two sets of data for authentication, the combined code being received out-of-band and comprising a combined code hash of the at least two sets of data from which an encoding scheme of the at least two sets of data can be determined;
  
  sending a connection request to a target service;
  
  receiving a certificate from the target service for establishing a secure channel;
  
  validating the certificate with a first set of data included in the combined code, the first set of data including a first hash of a public key associated with the certificate; and
  
  when the certificate is validated, identifying in the combined code a second set of data that includes a credential for authentication, and providing the credential to the target service.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The device as recited in claim 1, wherein the one or more device-readable storage media comprises executable instructions for performing a method further comprising:
    - identifying the public key included in the certificate;
      
      computing a second hash of the public key in the certificate; and
      
      when the first hash and second hash match, determining that the certificate is valid.
  - 3. The device as recited in claim 1, wherein the combined code is received out-of-band via at least one of entering the combined code through a user-interface, a bar code scanner, radio frequency identification (RFID) reader, wired data connection, wireless data connection, or optical data communication.
  - 4. The device as recited in claim 1, wherein the one or more device-readable storage media comprises executable instructions for performing a method further comprising:
    - determining an indicator in the combined code; and
      
      parsing the combined code to identify the at least two sets of data based, at least in part, on the indicator.
  - 5. The device as recited in claim 1, wherein the target service is included in at least one of a network device, a computer device, a network appliance, a wireless access point, a printer, a router, a scanner, a phone, or a camera.

6. A server device comprising:
- at least one memory; and
  
  at least one processing unit configured to;
  
  offer services to a client through a network connection;
  
  provide a combined code containing data for the client to authenticate the server device and a certificate to establish a secure channel with the client, the data comprising a hash of a public key included in the certificate, the combined code being provided to the client out-of-band, the combined code also containing a first credential and a combined code hash of the combined code to enable the client to determine an encoding scheme of at least the hash of the public key, the certificate including data verifiable by the data in the combined code;
  
  receive a second credential from the client via an established secure channel; and
  
  authenticate the client by comparing the second credential with the first credential.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13)
- - 7. The device as recited in claim 6, wherein the combined code provided to the client is included in at least one of a physical label on the device, a message, an email, a radio frequency identification (RFID) tag, a magnetic data strip, optical communications, or a data connection.
  - 8. The device as recited in claim 7, wherein the combined code is displayed on the label as at least one of plain text, human-readable symbols, machine-readable data, bar code, or Braille.
  - 9. The device as recited in claim 6, wherein the first credential in the combined code is only valid for a limited number of uses.
  - 10. The device as recited in claim 6, wherein the at least one processing unit is further configured to require the client to provide a valid credential within a limited number of attempts.
  - 11. The device as recited in claim 6, wherein the certificate is provided to the client using Hyper-Text Transport Protocol (HTTP) communications.
  - 12. The device as recited in claim 6, wherein the secure channel is established using Transport Layer Security (TLS) protocols.
  - 13. The device as recited in claim 6, wherein the device is at least one of a network device, a computer device, a network appliance, a wireless access point, a printer, a router, a scanner, a phone, or a camera.

14. A computer-implemented system for establishing a connection between a client and a target service comprising:
- at least one processing unit configured to;
  
  incorporate data in a combined code for the client and the target service to perform mutual authentication;
  
  provide the combined code to the client out-of-band;
  
  enable the client to authenticate the target service using the data in the combined code, the data including a first hash of a public key in the combined code and a combined code hash of the combined code to enable the client to determine an encoding format of the first hash of the public key; and
  
  enable the client to identify a credential in the combined code and provide the credential to the target service for authentication.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The computer-implemented system as recited in claim 14, the at least one processing unit further configured to:
    - provide a certificate to the client to establish a secure channel with the target service;
      
      identify the public key in the certificate;
      
      compute a second hash of the public key in the certificate; and
      
      authenticate the target service by comparing the first hash and the second hash.
  - 16. The computer-implemented system as recited in claim 15, the at least one processing unit further configured to mark the certificate as trusted and store the certificate in a trusted certificate store when the target service is authenticated.
  - 17. The computer-implemented system as recited in claim 14, the at least one processing unit further configured to identify a typographical error in a user input of a hash part of the combined code.
  - 18. The computer-implemented system as recited in claim 14, the at least one processing unit further configured to:
    - encode the combined code using a coding format; and
      
      determine the coding format based on the first character of the combined code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Kuehnel, Thomas W., Chan, Shannon J.
Primary Examiner(s)
Smithers; Matthew B
Assistant Examiner(s)
SIMS, JING F

Application Number

US11/300,631
Publication Number

US 20070136800A1
Time in Patent Office

1,764 Days
Field of Search

713/181, 713/183, 713/184, 713/168, 713/202, 726/5, 726 9- 10, 726 18- 19
US Class Current

726/10
CPC Class Codes

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/0869   for achieving mutual authen...

H04L 63/1466   Active attacks involving in...

H04L 63/18   using different networks or...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3263   involving certificates, e.g...

Two-way authentication using a combined code

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Two-way authentication using a combined code

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links