Application authentication system and method

US 8,713,705 B2
Filed: 02/26/2010
Issued: 04/29/2014
Est. Priority Date: 08/03/2009
Status: Active Grant

First Claim

Patent Images

1. A method for validating executable program code operating on at least one computing device, the method comprising:

executing first program instructions on a first computing device, wherein the first program instructions include a request for access to at least one sensitive resource pertaining to a second computing device;

transmitting from the first computing device to the second computing device an authentication request for access to the at least one sensitive resource pertaining to the second computing device;

generating, in real-time, by the second computing device, in response to the authentication request required for access to the at least one sensitive resource and received from the first computing device, an authentication challenge comprising a non-predetermined set of instructions performing an operation in response to the authentication request;

executing, by the second computing device, the authentication challenge, and generating an expected authentication response of the second computing device from said execution by the second computing device;

transmitting the authentication challenge from the second computing device to the first computing device;

executing, by the first computing device, the authentication challenge, and generating a pre-validated authentication response from said execution by the first computing device;

receiving from the first computing device by the second computing device the pre-validated authentication challenge;

performing validation by determining whether the pre-validated authentication response is a validated authentication response by comparing the pre-validated authentication response to the expected authentication response; and

granting the first computing device access to the at least one sensitive resource pertaining to the second computing device if the pre-validated authentication response is determined to be a validated authentication response.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are provided for validating executable program code operating on at least one computing device. Program instructions that include a request for access to sensitive information are executed on a first computing device. An authentication request for access to the electronic information is sent from the first computing device to a second computing device. In response to the authorization request, a challenge is sent from the second computing device to the first computing device. The first computing device executes the challenge and generates an authentication response that includes at least one memory object associated with the program instructions. The response is sent to the second computing device from the first computing device, and the second computing device generates and sends a verification to the first computing device confirming that at least some of the first program instructions have not been altered or tampered with, and further grants the first computing device access to at least some of the electronic information.

Citations

24 Claims

1. A method for validating executable program code operating on at least one computing device, the method comprising:
- executing first program instructions on a first computing device, wherein the first program instructions include a request for access to at least one sensitive resource pertaining to a second computing device;
  
  transmitting from the first computing device to the second computing device an authentication request for access to the at least one sensitive resource pertaining to the second computing device;
  
  generating, in real-time, by the second computing device, in response to the authentication request required for access to the at least one sensitive resource and received from the first computing device, an authentication challenge comprising a non-predetermined set of instructions performing an operation in response to the authentication request;
  
  executing, by the second computing device, the authentication challenge, and generating an expected authentication response of the second computing device from said execution by the second computing device;
  
  transmitting the authentication challenge from the second computing device to the first computing device;
  
  executing, by the first computing device, the authentication challenge, and generating a pre-validated authentication response from said execution by the first computing device;
  
  receiving from the first computing device by the second computing device the pre-validated authentication challenge;
  
  performing validation by determining whether the pre-validated authentication response is a validated authentication response by comparing the pre-validated authentication response to the expected authentication response; and
  
  granting the first computing device access to the at least one sensitive resource pertaining to the second computing device if the pre-validated authentication response is determined to be a validated authentication response.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the determination of a validated authentication response indicates that at least a portion of the first program instructions on the first computing device have not been impermissibly altered.
  - 3. The method of claim 2, wherein any one of:
    - (i) the authentication request includes an application identifier provided by the first program instructions, and (ii) any one of;
      
      (a) the expected authentication challenge and (b) the pre-validated authentication challenge, is particular to the respective application identifier thereof.
  - 4. The method of claim 1, wherein the performing of validation represents an outcome of a comparison between the at least a portion of the first program instructions and a previously stored representation of the at least a portion of the first program instructions.
  - 5. The method of claim 1, further comprising any one of:
    - transmitting to the second computing device, from the first computing device, a second authentication request for access to any one of said at least one sensitive resource or another sensitive resource pertaining to any one of said second computing device or another computing device; and
      
      transmitting from the first computing device to the second computing device a second pre-validated authentication challenge differing from said pre-validated authentication challenge and being generated in response to the second authentication request.
  - 6. The method of claim 1, wherein any one of (i) the authentication challenge being executed by the first computing device;
    - and (ii) the second computing device being generated at least partially randomly.
  - 7. The method of claim 1, further comprising:
    - receiving from the second computing device a request for at least one user authentication credential prior to receiving said pre-validated authentication response at said second computing device.
  - 8. The method of claim 1, wherein the authentication challenge is generated as a function of previously generated application authentication challenges.
  - 9. The method of claim 8, wherein the at least one sensitive resource comprises any one of a memory object, an information access, a data access, an Internet web service, a resident resource and a non-resident resource.
  - 10. The method of claim 1, wherein the first program instructions are resident in an operating system of the first computing device.

11. A method for validating executable program code operating on a first computing device, the method comprising:
- executing first program instructions, wherein the first program instructions include a request for access to at least one sensitive resource pertaining to a second computing device;
  
  transmitting to the second computing device an authentication request for access to the at least one sensitive resource pertaining to the second computing device;
  
  wherein the second computing device;
  
  (i) generates, in real-time, in response to the authentication request required for access to the at least one sensitive resource and received from the first computing device, an authentication challenge comprising a non-predetermined set of instructions performing an operation in response to the authentication request; and
  
  (ii) executes the authentication challenge, and generates an expected authentication response of the second computing device from said execution;
  
  receiving the authentication challenge from to the second computing device;
  
  executing the authentication challenge and generating a pre-validated authentication response from said execution;
  
  transmitting to the second computing device the pre-validated authentication challenge; and
  
  wherein the second computing device;
  
  (i) performs validation by determining whether the pre-validated authentication response is a validated authentication response by comparing the pre-validated authentication response to the expected authentication response; and
  
  (ii) grants the first computing device access to the at least one sensitive resource pertaining to the second computing device if the pre-validated authentication response is determined to be a validated authentication response.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein the determination of a validated authentication response indicates that at least a portion of the first program instructions have not been impermissibly altered.
  - 13. The method of claim 12, wherein any one of:
    - (i) the authentication request includes an application identifier provided by the first program instructions, and (ii) any one of;
      
      (a) the expected authentication challenge and (b) the pre-validated authentication challenge, is particular to the respective application identifier thereof.
  - 14. The method of claim 11, wherein the performing of validation represents an outcome of a comparison between the at least a portion of the first program instructions and a previously stored representation of the at least a portion of the first program instructions.
  - 15. The method of claim 11, further comprising:
    - transmitting to the second computing device a second authentication request for access to any one of said at least one sensitive resource or another sensitive resource pertaining to any one of said second computing device or another computing device; and
      
      transmitting to the second computing device a second pre-validated authentication challenge differing from said pre-validated authentication challenge and being generated in response to the second authentication request.
  - 16. The method of claim 11, wherein any one of (i) the authentication challenge being executed by the first computing device;
    - and (ii) the second computing device being generated at least partially randomly.
  - 17. The method of claim 11, further comprising:
    - transmitting to the second computing device a request for at least one user authentication credential prior to transmitting said pre-validating authentication response to said second computing device.
  - 18. The method of claim 11, wherein the authentication challenge is generated as a function of previously generated application authentication challenges.
  - 19. The method of claim 18, wherein the at least one sensitive resource comprises any one of a memory object, an information access, a data access, an Internet web service, a resident resource and a non-resident resource.
  - 20. The method of claim 11, wherein the first program instructions are resident in an operating system of the first computing device.

21. A method for validating by a second computing device executable program code operating on a first computing device, the method of the second computing device comprising:
- wherein in response to first program instructions executing on a first computing device, wherein the first program instructions include a request for access to at least one sensitive resource pertaining to the second computing device, receiving from the first computing device an authentication request for access to the at least one sensitive resource pertaining to the second computing device;
  
  generating, in real-time, in response to the authentication request required for access to the at least one sensitive resource and received from the first computing device, an authentication challenge comprising a non-predetermined set of instructions performing an operation in response to the authentication request;
  
  executing the authentication challenge, and generating an expected authentication response from said execution;
  
  transmitting the authentication challenge to the first computing device;
  
  wherein, by the first computing device, the authentication challenge is executed, and a pre-validated authentication response is generated from said execution;
  
  receiving from the first computing device the pre-validated authentication challenge;
  
  performing validation by determining whether the pre-validated authentication response is a validated authentication response by comparing the pre-validated authentication response to the expected authentication response; and
  
  granting the first computing device access to the at least one sensitive resource if the pre-validated authentication response is determined to be a validated authentication response.
- View Dependent Claims (22, 23)
- - 22. The method of claim 21, wherein at least one identifier and parameter of the authentication request are selected randomly to provide the authentication challenge.
  - 23. The method of claim 21, wherein any authentication request and any authentication challenges is updated on the first computing device by periodically connecting to the second computing device.

24. A system for validating executable program code operating on at least one computing device, the system comprising:
- a first computing device; and
  
  a second computing device,and further comprising;
  
  executing first program instructions on the first computing device, wherein the first program instructions include a request for access to at least one sensitive resource pertaining to a second computing device;
  
  transmitting from the first computing device to the second computing device an authentication request for access to the at least one sensitive resource pertaining to the second computing device;
  
  generating, in real-time, by the second computing device, in response to the authentication request required for access to the at least one sensitive resource and received from the first computing device, an authentication challenge comprising a non-predetermined set of instructions performing an operation in response to the authentication request;
  
  executing, by the second computing device, the authentication challenge, and generating an expected authentication response of the second computing device from said execution by the second computing device;
  
  transmitting the authentication challenge from the second computing device to the first computing device;
  
  executing, by the first computing device, the authentication challenge, and generating a pre-validated authentication response from said execution by the first computing device;
  
  receiving from the first computing device by the second computing device the pre-validated authentication challenge;
  
  performing validation by determining whether the pre-validated authentication response is a validated authentication response by comparing the pre-validated authentication response to the expected authentication response; and
  
  granting the first computing device access to the at least one sensitive resource pertaining to the second computing device if the pre-validated authentication response is determined to be a validated authentication response.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Eisst Limited
Original Assignee
Eisst Limited
Inventors
Ronchi, Corrado, Zakhidov, Shukhrat
Primary Examiner(s)
SHAW, PETER C

Application Number

US12/713,475
Publication Number

US 20110030040A1
Time in Patent Office

1,523 Days
Field of Search

726 2- 5, 726/7, 726/21, 726 26- 29
US Class Current

726/29
CPC Class Codes

G06F 21/126   Interacting with the operat...

G06F 21/30   Authentication, i.e. establ...

G06F 21/305   by remotely controlling dev...

G06F 21/31   User authentication

G06F 21/44   Program or device authentic...

G06F 21/445   by mutual authentication, e...

G06F 21/52   during program execution, e...

G06F 21/57   Certifying or maintaining t...

G06F 21/60   Protecting data

G06F 21/6218   to a system of files or obj...

G06F 2221/2103   Challenge-response

H04L 63/0869   for achieving mutual authen...

H04L 63/1441   Countermeasures against mal...

Application authentication system and method

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Application authentication system and method

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links