Transparent client authentication

US 9,225,702 B2
Filed: 03/18/2013
Issued: 12/29/2015
Est. Priority Date: 10/16/2008
Status: Active Grant

First Claim

Patent Images

1. A method for registering an application at a client computer to a service at a server for later re-authentication, the method comprising:

sending from the servers to the application at the client, a service identifier;

receiving at the server, from the application at the client, an application-service identifier, wherein the application-service identifier is generated at the client based upon the service identifier and an application identifier of the application;

receiving at the server, from the application at the client, a registration nonce and an application-service key, wherein the application-service key is based upon the registration nonce, the service identifier and a secret application key;

storing at the server the registration nonce, the application-service identifier and the application-service key;

computing at the server an expected proof of possession of the secret application key and receiving from the client a proof of possession; and

determining the application is authentic if the expected proof of possession corresponds to the received proof of possession.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for authenticating an application (client) to a server or service. During a registration phase, an application that requests access to a service can receive a service identifier, which it can authenticate. The application can generate and send to the server or service an application-service key that is based upon the authenticated service identifier and a secret application key; a service-application identifier that can be based upon the authenticated service identifier and an application identifier; and a registration nonce, all of which can be stored at the server. During the authentication phase, the client can send to the server the application-service identifier, which the server can use to lookup the stored registration data. The server can send the registration nonce to the client, which can compute a proof of possession of the service-application key and send to the server. The server can compute its own version of this key and compare it to the received key. If they correspond, then the client is authenticated.

17 Citations

View as Search Results

18 Claims

1. A method for registering an application at a client computer to a service at a server for later re-authentication, the method comprising:
- sending from the servers to the application at the client, a service identifier;
  
  receiving at the server, from the application at the client, an application-service identifier, wherein the application-service identifier is generated at the client based upon the service identifier and an application identifier of the application;
  
  receiving at the server, from the application at the client, a registration nonce and an application-service key, wherein the application-service key is based upon the registration nonce, the service identifier and a secret application key;
  
  storing at the server the registration nonce, the application-service identifier and the application-service key;
  
  computing at the server an expected proof of possession of the secret application key and receiving from the client a proof of possession; and
  
  determining the application is authentic if the expected proof of possession corresponds to the received proof of possession.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the application-service identifier is a message authentication code generated from the application identifier and the service identifier.
  - 3. The method of claim 1, wherein the application-service identifier is a message digest.
  - 4. The method of claim 1, wherein the application-service key is a message authentication code generated from the service identifier and the secret application key.
  - 5. The method of claim 1, wherein the application-service key is a message authentication code generated from the service identifier, the secret application key and the registration nonce.
  - 6. The method of claim 1, wherein an application is a type of application.
  - 7. The method of claim 1, wherein an application is a specific instance of an application installed on a particular computer.
  - 8. The method of claim 1, wherein an application is a specific instance of a running application.
  - 9. The method of claim 1, wherein:
    - the service identifier is generated at the server and uniquely identifies the service;
      
      the application-service identifier uniquely identifies a pairing between the application and the service; and
      
      the secret application key is generated at the client for the application.

10. A system comprising:
- at least one memory to store data and instructions; and
  
  at least one processor configured to access the memory and, when executing the instructions, to;
  
  generate a service identifier uniquely identifying a service provided by the system;
  
  sends to an application at a client, the service identifier;
  
  receive, from the application at the client, an application-service identifier, wherein the application-service identifier is generated at the client based upon the service identifier and an application identifier of the application;
  
  receive from the application at the client, a registration nonce and an application-service key, wherein the application-service key is based upon the registration nonce, the service identifier and a secret application key;
  
  store the registration nonce, the application-service identifier and the application-service key;
  
  compute at the server an expected proof of possession of the secret application key and receiving from the client a proof of possession; and
  
  determine the application is authentic if the expected proof of possession corresponds to the received proof of possession.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the application-service identifier is a message authentication code generated from the application identifier and the service identifier.
  - 12. The system of claim 10, wherein the application-service identifier is a message digest.
  - 13. The system of claim 10, wherein the application service key is a message authentication code generated from the service identifier and the secret application key.
  - 14. The system of claim 10, wherein the application-service key is a message authentication code generated from the service identifier, the secret application key and the registration nonce.
  - 15. The system of claim 10, wherein an application is a type of application.
  - 16. The system of claim 10, wherein an application is a specific instance of an application installed on a particular computer.
  - 17. The system of claim 10, wherein an application is a specific instance of a running application.
  - 18. The system of claim 10, wherein:
    - the service identifier is generated at the server and uniquely identifies the service;
      
      the application-service identifier uniquely identifies a pairing between the application and the service; and
      
      the secret application key is generated at the client for the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VeriSign, Inc.
Original Assignee
VeriSign, Inc.
Inventors
Hallam-Baker, Phillip Martin
Primary Examiner(s)
SHAW, PETER C

Application Number

US13/846,106
Publication Number

US 20130219477A1
Time in Patent Office

1,016 Days
Field of Search

726/5
US Class Current

1/1
CPC Class Codes

H04L 63/06   for supporting key manageme...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/08   for authentication of entit...

Transparent client authentication

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Transparent client authentication

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links