Transparent client authentication

US 8,402,519 B2
Filed: 09/17/2009
Issued: 03/19/2013
Est. Priority Date: 10/16/2008
Status: Active Grant

First Claim

Patent Images

1. A method for re-authenticating a previously-registered application for later re-authentication, comprising:

sending from a server to the application a service identifier;

receiving at the server an application-service identifier based upon the service identifier and an application identifier;

sending to the application a registration nonce received at the server from the application during registration;

receiving from the application proof of possession of a secret application key based upon the application-service identifier, the registration nonce, and an application-service key;

computing an expected value of the proof of possession of the secret application key and comparing the computed expected value with the received proof of possession of the secret application key; and

if the expected proof of possession of the secret application key corresponds to the received proof of possession of the secret application key, then determining that the application is authentic.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for authenticating an application (client) to a server or service. During a registration phase, an application that requests access to a service can receive a service identifier, which it can authenticate. The application can generate and send to the server or service an application-service key that is based upon the authenticated service identifier and a secret application key; a service-application identifier that can be based upon the authenticated service identifier and an application identifier; and a registration nonce, all of which can be stored at the server. During the authentication phase, the client can send to the server the application-service identifier, which the server can use to lookup the stored registration data. The server can send the registration nonce to the client, which can compute a proof of possession of the service-application key and send to the server. The server can compute its own version of this key and compare it to the received key. If they correspond, then the client is authenticated.

12 Citations

View as Search Results

19 Claims

1. A method for re-authenticating a previously-registered application for later re-authentication, comprising:
- sending from a server to the application a service identifier;
  
  receiving at the server an application-service identifier based upon the service identifier and an application identifier;
  
  sending to the application a registration nonce received at the server from the application during registration;
  
  receiving from the application proof of possession of a secret application key based upon the application-service identifier, the registration nonce, and an application-service key;
  
  computing an expected value of the proof of possession of the secret application key and comparing the computed expected value with the received proof of possession of the secret application key; and
  
  if the expected proof of possession of the secret application key corresponds to the received proof of possession of the secret application key, then determining that the application is authentic.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising receiving, by the server, an application nonce, wherein the proof of possession of the secret application key is further based upon the application nonce.
  - 3. The method of claim 2, wherein the proof of possession of the secret application key comprises a message authentication code generated from the application nonce, the registration nonce, the application-service identifier, and the application-service key.
  - 4. The method of claim 1, wherein the application-service key is based upon the registration nonce, the service identifier, and the secret application key.
  - 5. The method of claim 1, wherein the application is installed on a computer.
  - 6. The method of claim 1, wherein the application is an executing application.

7. A system for re-authenticating a previously-registered application for later re-authentication, comprising:
- a communications module in communication with an application forsending to the application a service identifier;
  
  receiving from the application an application-service identifier that is based upon the service identifier, a registration nonce, and an application identifier; and
  
  receiving from the application a proof of possession of the secret application key based upon the application-service identifier, the registration nonce, and an application-service key;
  
  a lookup module;
  
  a memory in communication with the lookup module, the memory storing the application-service identifier, the registration nonce, and the application-service key; and
  
  an authentication module in communication with the communications module and the lookup module, the authentication module;
  
  computing an expected value of the proof of possession of the secret application key based upon the application-service identifier, the registration nonce, and the application-service key received from the lookup module; and
  
  comparing the computed expected value with the received proof of possession of the secret application key to determine if the application is authentic.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 8. The system of claim 7, wherein the application-service identifier is a message authentication code generated from the application identifier and the service identifier.
  - 9. The system of claim 7, wherein the application-service identifier is a message digest.
  - 10. The system of claim 7, wherein the application-service key is a message authentication code generated from the service identifier, the registration nonce, and the secret application key.
  - 11. The system of claim 7, wherein the application-service key is further based upon the registration nonce.
  - 12. The system of claim 7, wherein the application-service key is a message authentication code generated from the service identifier, the secret application key, and the registration nonce.
  - 13. The system of claim 7, wherein the application is installed on a computer.
  - 14. The system of claim 7, wherein the application is an executing application.
  - 15. The system of claim 7, wherein the communications module, the lookup module, the memory, and the authentication module are implemented in an embedded system.
  - 16. The system of claim 7, wherein the communications module receives an application nonce and wherein the proof of possession of the secret application key is further based upon the application nonce.
  - 17. The system of claim 7, wherein:
    - the lookup module looks up the registration nonce received at the server from the application during registration and the communications module sends the registration nonce to the application,the proof of possession of the secret application key is further based upon the registration nonce.
  - 18. The system of claim 16, wherein the proof of possession of the secret application key is a message authentication code generated from the application nonce, the application-service identifier, the registration nonce, and the application-service key.
  - 19. The system of claim 7, wherein the application-service key is based upon the registration nonce, the service identifier and the secret application key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VeriSign, Inc.
Original Assignee
VeriSign, Inc.
Inventors
Hallam-Baker, Phillip Martin
Primary Examiner(s)
SHAW, PETER C

Application Number

US12/561,647
Publication Number

US 20100100946A1
Time in Patent Office

1,279 Days
Field of Search

726/5, 380/284
US Class Current

726/5
CPC Class Codes

H04L 63/06   for supporting key manageme...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

Transparent client authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

12 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Transparent client authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

12 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links