Authentication server and method for granting tokens

US 8,898,453 B2
Filed: 04/29/2010
Issued: 11/25/2014
Est. Priority Date: 04/29/2010
Status: Active Grant

First Claim

Patent Images

1. An authentication server comprising:

a receiver;

a transmitter;

a memory having stored thereon a secret shared with a service server from which a service is provided; and

a hardware processor configured to;

receive, at the receiver, a request from a mobile electronic device through a relay server to negotiate a session key, the relay server being separate from the authentication server and being a trusted entity not requiring authentication by the authentication server;

negotiate the session key with the mobile electronic device through the relay server, wherein the session key is generated by the mobile device;

while using the session key to encrypt and decrypt communications with the mobile electronic device through the relay server;

generate a token in response to receipt, at the receiver, of a request from the relay server, the request originating from the mobile electronic device, the token being generated by the authentication server based on a reliance on the relay server to ensure that the mobile electronic device has authorization to access the service, the token being generated in absence of authentication of the mobile electronic device and the relay server by the authentication server when the request for the token is received; and

cause the transmitter to transmit the token to the mobile electronic device through the relay server, the token being generated using the shared secret and the token including an indication that the mobile electronic device is authorized to access the service.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication server and method are provided for generating tokens for use by a mobile electronic device for accessing a service. Communications between the device and the authentication server are through a relay. A memory stores a secret shared with a service server from which the service is provided. A processor is configured to generate the token using the shared secret and based on a reliance on the relay to ensure that the device has authorization to access the service. One or more computer readable medium having computer readable instructions stored thereon that cause the device to obtain proof of authorization to access the service is also provided. The instructions implement a method comprising: outputting via a wireless connection to a relay a request addressed to an authentication server for a token and receiving the token from the authentication server via the relay.

Citations

15 Claims

1. An authentication server comprising:
- a receiver;
  
  a transmitter;
  
  a memory having stored thereon a secret shared with a service server from which a service is provided; and
  
  a hardware processor configured to;
  
  receive, at the receiver, a request from a mobile electronic device through a relay server to negotiate a session key, the relay server being separate from the authentication server and being a trusted entity not requiring authentication by the authentication server;
  
  negotiate the session key with the mobile electronic device through the relay server, wherein the session key is generated by the mobile device;
  
  while using the session key to encrypt and decrypt communications with the mobile electronic device through the relay server;
  
  generate a token in response to receipt, at the receiver, of a request from the relay server, the request originating from the mobile electronic device, the token being generated by the authentication server based on a reliance on the relay server to ensure that the mobile electronic device has authorization to access the service, the token being generated in absence of authentication of the mobile electronic device and the relay server by the authentication server when the request for the token is received; and
  
  cause the transmitter to transmit the token to the mobile electronic device through the relay server, the token being generated using the shared secret and the token including an indication that the mobile electronic device is authorized to access the service.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The authentication server of claim 1, wherein the processor is configured to generate the token based on a reliance on the relay server to authenticate the mobile electronic device.
  - 3. The authentication server of claim 1, wherein the authentication server is connected to the relay server by a direct connection and the request is received over the direct connection and the token is transmitted over the direct connection.
  - 4. The authentication server of claim 1, wherein the processor is further configured to verify that a device identifier carried in the request matches a source address of a message containing the request.
  - 5. The authentication server of claim 1, wherein the processor is configured to generate the token authorizing the mobile electronic device to access a browsing proxy.

6. A method of issuing a token for use by a mobile electronic device for authorization to access a service provided from a service server, the method comprising:
- receiving a request, by an authentication server, from the mobile electronic device through a relay server to negotiate a session key, the relay server being separate from the authentication server and being a trusted entity not requiring authentication by the authentication server;
  
  negotiate the session key with the mobile electronic device through the relay server, wherein the session key is generated by the mobile electronic device;
  
  while using the session key to encrypt and decrypt communications between the authentication server and the mobile electronic device through the relay server;
  
  receiving, at the authentication server, a request for the token from the mobile electronic device through the relay server;
  
  generating the token, by the authentication server, based on a reliance on the relay server to ensure that the mobile electronic device is authorized to access the service, the token being generated in absence of authentication of the mobile electronic device and the relay server by the authentication server when the request for the token is received; and
  
  transmitting the token to the mobile electronic device through the relay server, the token being generated using a secret shared between the authentication server and the service server and the token including an indication that the mobile electronic device is authorized to access the service.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6, wherein generating the token is further based on a reliance on the relay server to authenticate the mobile electronic device.
  - 8. The method of claim 6, further comprising verifying that a device identifier carried in the request matches a source address of a message containing the request.
  - 9. The method of claim 6, further comprising obtaining a device identifier for the mobile electronic device from the request and including the device identifier in the token.
  - 10. The method of claim 6, wherein generating the token comprises generating a token for accessing a browsing proxy.

11. One or more non-transitory computer readable medium having computer readable instructions stored thereon that when executed by a processor on a mobile electronic device cause the mobile electronic device to obtain proof of authorization to access a service provided from a service server by a method comprising:
- outputting, to an authentication server through a relay server, a request to negotiate a session key with the authentication server, the relay server being separate from the authentication server and being a trusted entity not requiring authentication by the authentication server;
  
  negotiating the session key with the authentication server through the relay server, wherein the session key is generated by the mobile electronic device;
  
  while using the session key to encrypt and decrypt communications with the authentication server through the relay server;
  
  outputting, to the relay server, a request addressed to the authentication server for a token to be used as indication that the mobile electronic device is authorized to access the service; and
  
  receiving the token from the authentication server via the relay server, in absence of authentication of the mobile electronic device by the authentication server;
  
  wherein the token is generated by the authentication server, based on a reliance on the relay server to ensure that the mobile electronic device is authorized to access the service, the token being generated in absence of authentication of the relay server by the authentication server when the request for the token is received at the authentication server; and
  
  the token being generated using a secret shared between the authentication server and the service server.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The one or more computer readable medium of claim 11, wherein negotiating the session key comprises:
    - receiving a public key from the authentication server through the relay server;
      
      generating the session key; and
      
      transmitting the session key to the authentication server through the relay server using the public key.
  - 13. The one or more computer readable medium of claim 11, wherein the method further comprises accessing the service through a direct connection using the token as proof of authorization for the mobile electronic device to access the service.
  - 14. The one or more computer readable medium of claim 11, wherein the method further comprises requesting a new token from the authentication server through the relay server prior to an expiry of the token received.
  - 15. The one or more computer readable medium of claim 11, wherein the token is for accessing a browsing proxy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Blackberry Limited
Inventors
Preiss, Bruno Richard, Manolesco, Andreea
Primary Examiner(s)
Holder, Bradley
Assistant Examiner(s)
MOHAMMADI, FAHIMEH M

Application Number

US12/770,060
Publication Number

US 20110271099A1
Time in Patent Office

1,671 Days
Field of Search

713/150, 713155-156, 713/169, 380/229, 380/232, 380247-250, 705/67, 709225-226, 709/229, 726 4- 5, 726/7, 726 9- 10, 726 18- 19
US Class Current

713/155
CPC Class Codes

H04L 63/061 for key exchange, e.g. in p...

H04L 63/0807 using tickets, e.g. Kerbero...

Authentication server and method for granting tokens

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication server and method for granting tokens

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links