Hardware identity in multi-factor authentication at the application layer

US 8,898,450 B2
Filed: 06/13/2012
Issued: 11/25/2014
Est. Priority Date: 06/13/2011
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a client device for a data transaction between the client device and a server, the method comprising:

in the client device, sending a request message to the server in accordance with a protocol at the application layer of a computer communication model;

in the client device, receiving a response message in accordance with the protocol from the server that is responsive to the request message and that indicates that the request is denied for lack of authorization;

in the client device, sending an authorization request to the server in accordance with the protocol and in response to the response message;

in the client device, receiving an authorization challenge message from the server in accordance with the protocol wherein the authorization challenge message requests data representing one or more parts of a digital fingerprint of the client device;

in the client device, sending a challenge response message to the server in accordance with the protocol wherein the challenge response message includes data representing the one or more parts of a digital fingerprint of the client device; and

in the client device, receiving a grant message from the server in accordance with the protocol only if the one or more parts of a digital fingerprint of the client device match predetermined data stored within the server representing the one or more parts of a digital fingerprint of an authorized client device;

wherein the grant message represents a granting of the request of the request message by the server.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Device authentication is implemented at the application layer of a computer communication model to add a factor to user authentication without requiring any action by the user. User space applications, such as web browsers, e-mail readers, and such, can remain completely unaffected. Instead, the additional authentication factor is provided at the application layer, typically in an operating system, where protocols such as HTTP(s), FTP(s), POP, SMTP, SNMP and DNS are implemented. Authentication is performed by a challenge/response transaction and the client device'"'"'s digital fingerprint is compared to a whitelist of digital fingerprints of authorized client devices.

Citations

5 Claims

1. A method for authenticating a client device for a data transaction between the client device and a server, the method comprising:
- in the client device, sending a request message to the server in accordance with a protocol at the application layer of a computer communication model;
  
  in the client device, receiving a response message in accordance with the protocol from the server that is responsive to the request message and that indicates that the request is denied for lack of authorization;
  
  in the client device, sending an authorization request to the server in accordance with the protocol and in response to the response message;
  
  in the client device, receiving an authorization challenge message from the server in accordance with the protocol wherein the authorization challenge message requests data representing one or more parts of a digital fingerprint of the client device;
  
  in the client device, sending a challenge response message to the server in accordance with the protocol wherein the challenge response message includes data representing the one or more parts of a digital fingerprint of the client device; and
  
  in the client device, receiving a grant message from the server in accordance with the protocol only if the one or more parts of a digital fingerprint of the client device match predetermined data stored within the server representing the one or more parts of a digital fingerprint of an authorized client device;
  
  wherein the grant message represents a granting of the request of the request message by the server.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1 further comprising:
    - in the client device, receiving a denial message from the server in accordance with the protocol only if the one or more parts of a digital fingerprint of the client device do not match predetermined data stored within the server representing the one or more parts of a digital fingerprint of an authorized client device;
      
      wherein the denial message represents a denial of the request of the request message by the server.
  - 3. The method of claim 1 wherein the protocol at the application layer of a computer communication model is selected from a group consisting of DNS, EAP, FTP(s), HIP, HTTP(s), IMAP, Kerberos, LDAP, MS-CHAP, MS-CHAPv2, NNTP, NTLM, PEAP, POP, RADIUS, RPC, SIP, SMTP, SNMP(v3), SRP, SSH, Telnet, TFTP, TLS, DS, DM, DRM, MMS and SMS.

4. A computer system comprising:
- at least one processor;
  
  a computer readable medium that is operatively coupled to the processor;
  
  network access circuitry that is operatively coupled to the processor; and
  
  application layer server protocol logic (i) that executes at least in part in the processor from the computer readable medium and (ii) that, when executed, causes the computer system to authenticate a client device for a data transaction between the client device and the computer system by at least;
  
  receiving a request message from the client device in accordance with a protocol at the application layer of a computer communication model;
  
  sending a response message in accordance with the protocol to the client device that is responsive to the request message and that indicates that the request is denied for lack of authorization;
  
  thereafter, receiving an authorization request from the client device in accordance with the protocol;
  
  sending an authorization challenge message to the client device in accordance with the protocol wherein the authorization challenge message requests data representing one or more parts of a digital fingerprint of the client device;
  
  receiving a challenge response message from the client device in accordance with the protocol wherein the challenge response message includes data representing the one or more parts of a digital fingerprint of the client device;
  
  determining whether the one or more parts of a digital fingerprint of the client device match predetermined data stored within the computer system representing the one or more parts of a digital fingerprint of an authorized client device; and
  
  sending a grant message to the client device in accordance with the protocol only if the application layer server protocol logic determines that the one or more parts of a digital fingerprint of the client device match the predetermined data stored within the computer system representing the one or more parts of a digital fingerprint of an authorized client device;
  
  wherein the grant message represents a granting of the request of the request message by the computer system.
- View Dependent Claims (5)
- - 5. The computer system of claim 4 wherein the application layer server protocol logic causes the computer system to authenticate the client device for a data transaction between the client device and the computer system by at least also:
    - sending a denial message to the client device in accordance with the protocol only if the computer determines that the one or more parts of a digital fingerprint of the client device do not match predetermined data stored within the computer system representing the one or more parts of a digital fingerprint of an authorized client device;
      
      wherein the denial message represents a denial of the request of the request message by the computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cryptosoft Limited
Original Assignee
DeviceAuthority Inc. (f/k/a NetAuthority, Inc.) (Device Authority Ltd.)
Inventors
Harjanto, Dono, Davis, Bradley Craig
Primary Examiner(s)
Le, David

Application Number

US13/517,584
Publication Number

US 20120317622A1
Time in Patent Office

895 Days
Field of Search

None
US Class Current

713/152
CPC Class Codes

G06F 21/44   Program or device authentic...

H04L 2463/082   applying multi-factor authe...

H04L 63/08   for authentication of entit...

Hardware identity in multi-factor authentication at the application layer

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

5 Claims

Specification

Solutions

Use Cases

Quick Links

Hardware identity in multi-factor authentication at the application layer

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

5 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links