Network user authentication system and method

US 8,181,262 B2
Filed: 07/20/2006
Issued: 05/15/2012
Est. Priority Date: 07/20/2005
Status: Active Grant

First Claim

Patent Images

1. A network user authentication system for authenticating user devices located in a building, comprising:

a secure component physically connected to the building, wherein the secure component can be used to authenticate user devices located in the building;

a security server;

at least one network linking the security server to the secure component;

the security server being configured to determine a physical connection identification (ID) for the secure component and to associate the physical connection ID with a network service subscriber using the user device;

a service provider network edge site and at least one connecting line providing communication between the edge site and the building, the secure component comprising the connecting line from the edge site to the building; and

a building gateway module in the building linked to the connecting line, the building gateway module being configured to provide an interface between the connecting line and user devices in the building,wherein the edge site comprises an edge site server configured to provide authentication service to a plurality of buildings in a neighborhood, wherein the edge site server has dedicated connecting lines providing dedicated communications with a plurality of buildings in a local community, the edge site server having a processor module configured to store a plurality of unique digital certificates and to link each digital certificate with a respective dedicated line connected to the building with which said digital certificate is associated, andwherein the edge site server is a Telco server and is configured to authenticate a trusted path comprising one or more network nodes between a user device and a web server over a public network, andwherein the web server transmits content to the user device along the trusted path, and wherein the content is encrypted using multiple layers of encryption, wherein each layer of encryption is associated with a network element along the trusted network path, each layer comprising a decryption destination point indicator that indicates which network element should decrypt that layer of encryption.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a network user authentication system, a network user is identified for authentication purposes using the unique identifier for a dedicated physical communication line associated with the building in which the network user is located or a digital certificate which is associated with a secure component or communication line physically attached to a building. An authentication server initially verifies the identification of the dedicated communication line to be associated with a network service subscriber or issues a unique digital certificate to be associated with the dedicated communication line for authentication purposes. The digital certificate may be stored in a building gateway or in an edge site module which is connected to the secure components of a plurality of buildings and stores unique digital certificates for each building.

195 Citations

38 Claims

1. A network user authentication system for authenticating user devices located in a building, comprising:
- a secure component physically connected to the building, wherein the secure component can be used to authenticate user devices located in the building;
  
  a security server;
  
  at least one network linking the security server to the secure component;
  
  the security server being configured to determine a physical connection identification (ID) for the secure component and to associate the physical connection ID with a network service subscriber using the user device;
  
  a service provider network edge site and at least one connecting line providing communication between the edge site and the building, the secure component comprising the connecting line from the edge site to the building; and
  
  a building gateway module in the building linked to the connecting line, the building gateway module being configured to provide an interface between the connecting line and user devices in the building,wherein the edge site comprises an edge site server configured to provide authentication service to a plurality of buildings in a neighborhood, wherein the edge site server has dedicated connecting lines providing dedicated communications with a plurality of buildings in a local community, the edge site server having a processor module configured to store a plurality of unique digital certificates and to link each digital certificate with a respective dedicated line connected to the building with which said digital certificate is associated, andwherein the edge site server is a Telco server and is configured to authenticate a trusted path comprising one or more network nodes between a user device and a web server over a public network, andwherein the web server transmits content to the user device along the trusted path, and wherein the content is encrypted using multiple layers of encryption, wherein each layer of encryption is associated with a network element along the trusted network path, each layer comprising a decryption destination point indicator that indicates which network element should decrypt that layer of encryption.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The system as claimed in claim 1, wherein said secure component is a dedicated line connected to the building.
  - 3. The system as claimed in claim 2, wherein the line is a broadband telecommunication line having one end connected to the building.
  - 4. The system as claimed in claim 2, wherein the line is a digital subscriber line (DSL).
  - 5. The system as claimed in claim 2, wherein the line is a fiber line.
  - 6. The system as claimed in claim 2, wherein the line is a dedicated wireless link to the building.
  - 7. The system as claimed in claim 1, wherein the security server is a stand-alone server linked to the secure component over at least one network.
  - 8. The system as claimed in claim 1, wherein said user devices comprise at least one personal computer.
  - 9. The system as claimed in claim 8, wherein said user devices further comprise at least one set top box.
  - 10. The system as claimed in claim 8, wherein said user devices further comprise at least one wireless communication device.
  - 11. The system as claimed in claim 10, wherein the wireless device is selected from the group consisting of a mobile phone, a personal digital assistant, and a wireless computer.
  - 12. The system as claimed in claim 1, further comprising a plurality of user devices in each building linked to said gateway module and configured for secure network communications using the unique digital certificate associated with the dedicated line connecting the respective building to the edge site server.
  - 13. The system as claimed in claim 1, wherein said gateway module has a first hardware security element associated with said unique digital certificate.
  - 14. The system as claimed in claim 13, wherein said hardware security element is selected from the group consisting of a universal serial bus (USB) dongle, a smart card, a SIM chip, and a trusted platform module (TPM).
  - 15. The system as claimed in claim 13, wherein the user device has a second hardware security element cryptographically synchronized with the first hardware security element in said gateway module.
  - 16. The system as claimed in claim 1, wherein said gateway module has at least one hardware security element associated with said unique digital certificate and each user device has a hardware security element cryptographically synchronized with a hardware security element in said gateway module.
  - 17. The system as claimed in claim 16, wherein at least one of said user devices is a wireless device having a security element comprising a first subscriber identity module (SIM) chip and the gateway module has a second SIM chip configured to communicate with said first SIM chip for authenticated wireless communication purposes.
  - 18. The system as claimed in claim 1, further comprising a session-based watermarking module associated with said user device and configured to insert a unique watermark payload into all content files received by said user device over a public network.
  - 19. The system as claimed in claim 18, wherein said session-based watermarking module is further configured to cryptographically sign the watermark payload with a user private key associated with a unique digital certificate.

20. A network user authentication system for authenticating a user devices in a building, comprising:
- a secure component physically connected to a building and associated with a first user device, wherein the secure component comprises a dedicated line connected to the building;
  
  an authentication server;
  
  at least one network linking the authentication server to the secure component;
  
  the authentication server having a trusted path certification module configured to create a client ID associated with the user device, to identify the secure component, and to associate a unique digital certificate with the secure component, and a data storage module for storing the client ID and associated digital certificate; and
  
  the authentication server further comprising a verification module for using the client ID and associated digital certificate for secure communications between the user device and other user devices over a public network, andwherein the authentication server is a Telco server and is configured to authenticate a trusted path comprising one or more network nodes between the first user device and a second user device over the public network, andwherein the first user device transmits content to the second user device along the trusted path, and wherein the content is encrypted using multiple layers of encryption, wherein each layer of encryption is associated with a network element along the trusted network path, each layer comprising a decryption destination point indicator that indicates which network element should decrypt that layer of encryption.
- View Dependent Claims (21, 22)
- - 21. The system as claimed in claim 20, wherein the unique digital certificate associated with the secure component comprises an X.509 based digital certificate.
  - 22. The system as claimed in claim 20, further comprising a control unit associated with said secure component having a processor module and a data storage module, the authentication server further comprises a certificate transfer module configured to transmit the digital certificate to the control unit, the processor module being configured to store said digital certificate in said data storage module and to use said digital certificate for secure communications between said user device and other web servers over a public network.

23. A method for authenticating network users for secure communication over a public network, comprising:
- associating a unique digital certificate with a physical connection, the digital certificate comprising a physical connection identification (physical connection ID) of a secure component physically attached to a building, storing the unique digital certificate in a data storage area associated with the physical connection, and using the unique digital certificate for verification purposes in network communications with prospective network partners over a public network;
  
  receiving a request for building authentication from a user device in the building at an authentication server through the secure component and at least one private network, wherein the authentication server is a Telco server;
  
  determining a subscriber identification (subscriber ID) for a user of the user device;
  
  verifying the physical connection ID of the secure component;
  
  storing a record of the subscriber ID and associated physical connection ID;
  
  determining a current physical connection ID of the secure component used by a connecting subscriber at each request for service received from the connecting subscriber;
  
  comparing the current physical connection ID with a previously stored physical connection ID for the same subscriber ID for verification purposes; and
  
  supplying the service only if the verification is successful, wherein content associated with the service is transmitted along a trusted communication path, and the content is encrypted using multiple layers of encryption, wherein each layer of encryption is associated with a network element along the trusted network path, each layer comprising a decryption destination point indicator that indicates which network element should decrypt that layer of encryption.
- View Dependent Claims (24, 25, 26, 27, 28)
- - 24. The method as claimed in claim 23, further comprising determining the physical connection identification from information available in a network data structure.
  - 25. The method as claimed in claim 23, further comprising associating a first hardware security element in the secure component with the unique digital certificate, and cryptographically synchronizing a hardware security element in at least one user device in the building with the first hardware security element.
  - 26. The method as claimed in claim 23, further comprising inserting a unique watermark payload associated with the building into content files received by a user device in the building over a network.
  - 27. The method as claimed in claim 26, further comprising verifying the geographic location of the building using a location sensor at said secure component for determining the geographic coordinates of said secure component.
  - 28. The method as claimed in claim 27, wherein the geographic location of the building is verified each time a user device in the building initiates secure communications with a prospective network partner over a public network.

29. A network user authentication system, comprising:
- a secure component physically connected to a building and associated with at least one user device in the building;
  
  a control unit associated with said secure component, the control unit having a processor module and a data storage module associated with the processor module;
  
  an authentication server;
  
  at least one network linking the authentication server to the control unit;
  
  the authentication server being configured to associate a unique digital certificate with the secure component and to transmit the unique digital certificate to the control unit associated with the secure component; and
  
  the processor module being configured to store the unique digital certificate in said data storage module and to use the digital certificate for secure communications between the user device and other web servers over a public network,wherein the control unit comprises an edge site server configured to provide authentication service to a plurality of buildings in a neighborhood, the edge site server having a plurality of dedicated lines each connected to a respective one of the buildings, the processor module being configured to store a plurality of unique digital certificates in said data storage module and to link each digital certificate with a respective dedicated line connected to the building with which said digital certificate is associated, andwherein the edge site server is a Telco server and is configured to authenticate a trusted path comprising one or more network nodes between the user device and a web server over the public network, andwherein the web server transmits content to the user device along the trusted path, and wherein the content is encrypted using multiple layers of encryption, wherein each layer of encryption is associated with a network element along the trusted network path, each layer comprising a decryption destination point indicator that indicates which network element should decrypt that layer of encryption.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 30. The system as claimed in claim 29, wherein the authentication server is a utility company server.
  - 31. The system as claimed in claim 29, wherein the authentication server is a utility company server linked to said edge site server.
  - 32. The system as claimed in claim 29, further comprising a utility company server linked to the edge site server over a utility company network, the authentication server comprising a separate server linked to the utility company server for communication with said edge site server.
  - 33. The system as claimed in claim 29, further comprising a gateway module in the building connected to said dedicated line, the gateway module being linked to the user device.
  - 34. The system as claimed in claim 33, further comprising a plurality of additional user devices in said building, said processor module being configured to communicate with said additional user devices in said building.
  - 35. The system as claimed in claim 29, wherein the secure component is a secure box physically connected to a structural component of the building, and the control unit is contained in said secure box, the processor module being configured for communication with said user device.
  - 36. The system as claimed in claim 35, wherein the control unit further comprises a location sensor connected to said processor module for providing geographic location coordinates, said processor module being configured to transmit said geographic location coordinates to said authentication server, and said authentication server being configured to use said geographic location coordinates to validate the building location.
  - 37. The system as claimed in claim 29, wherein said control unit further comprises a first hardware security element cryptographically synchronized with said digital certificate.
  - 38. The system as claimed in claim 37, wherein the user device has a second hardware security element cryptographically synchronized with said first hardware security element.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verimatrix Incorporated (Verimatrix SA)
Original Assignee
Verimatrix Incorporated (Verimatrix SA)
Inventors
Cooper, Robin Ross, Kulakowski, Robert T.
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
PLECHA, THADDEUS J

Application Number

US11/489,779
Publication Number

US 20070022469A1
Time in Patent Office

2,126 Days
Field of Search

726/12, 726/28, 725/25, 725 30- 31, 709/225
US Class Current

726/28
CPC Class Codes

H04K 1/00   Secret communication

H04L 12/2898   Subscriber equipments DSL m...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/608   Watermarking

H04L 2209/80   Wireless network architectu...

H04L 63/0442   wherein the sending and rec...

H04L 63/045   wherein the sending and rec...

H04L 63/0823   using certificates cryptogr...

H04L 63/0853   using an additional device,...

H04L 63/0876   based on the identity of th...

H04L 63/107   wherein the security polici...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

H04N 21/25875   involving end-user authenti...

H04W 12/062   Pre-authentication

H04W 12/069   using certificates or pre-s...

Network user authentication system and method

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

195 Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Network user authentication system and method

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

195 Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links