Transparent client authentication
First Claim
1. A method for registering an application at a client computer to a service at a server for later re-authentication, the method comprising:
- sending from the servers to the application at the client, a service identifier;
- receiving at the server, from the application at the client, an application-service identifier, wherein the application-service identifier is generated at the client based upon the service identifier and an application identifier of the application;
- receiving at the server, from the application at the client, a registration nonce and an application-service key, wherein the application-service key is based upon the registration nonce, the service identifier and a secret application key;
- storing at the server the registration nonce, the application-service identifier and the application-service key;
- computing at the server an expected proof of possession of the secret application key and receiving from the client a proof of possession; and
- determining the application is authentic if the expected proof of possession corresponds to the received proof of possession.
Abstract
A system and method for authenticating an application (client) to a server or service. During a registration phase, an application that requests access to a service can receive a service identifier, which it can authenticate. The application can generate and send to the server or service an application-service key that is based upon the authenticated service identifier and a secret application key; a service-application identifier that can be based upon the authenticated service identifier and an application identifier; and a registration nonce, all of which can be stored at the server. During the authentication phase, the client can send to the server the application-service identifier, which the server can use to lookup the stored registration data. The server can send the registration nonce to the client, which can compute a proof of possession of the service-application key and send to the server. The server can compute its own version of this key and compare it to the received key. If they correspond, then the client is authenticated.
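The two phases described in the abstract, as an added worked example that is not part of the patent text. The patent only says each value is "based upon" its inputs, so the concrete constructions here are assumptions: HMAC-SHA256 for the application-service key and the proofs, SHA-256 for the identifiers. The proof of possession is computed under the application-service key, which the client re-derives from its secret application key, so the server can check it against the stored key without ever holding the secret. One addition beyond the page: the server sends a fresh random challenge alongside the stored registration nonce, because a proof over a fixed nonce alone would be the same bytes every time and could be replayed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def kdf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (assumed construction)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


class App:
    """Client side. The secret application key never leaves the client."""

    def __init__(self, app_id: bytes) -> None:
        self.app_id = app_id
        self.secret_app_key = secrets.token_bytes(32)

    def app_service_id(self, service_id: bytes) -> bytes:
        # application-service identifier: from the service identifier and the app identifier
        return hashlib.sha256(b"asid" + service_id + self.app_id).digest()

    def app_service_key(self, service_id: bytes, nonce: bytes) -> bytes:
        # application-service key: from the registration nonce, service identifier and secret key
        return kdf(self.secret_app_key, nonce, service_id)

    def proof_of_possession(self, service_id: bytes, nonce: bytes, challenge: bytes) -> bytes:
        # MAC under the re-derived application-service key over the nonce and the fresh challenge
        return kdf(self.app_service_key(service_id, nonce), nonce, challenge)


@dataclass
class Registration:
    nonce: bytes
    app_service_key: bytes


class Service:
    """Server side. Stores (nonce, app-service key) under the app-service identifier."""

    def __init__(self, name: bytes) -> None:
        self.service_id = hashlib.sha256(b"sid" + name).digest()
        self.registered: dict[bytes, Registration] = {}
        self.pending: dict[bytes, Registration] = {}
        self.challenges: dict[bytes, bytes] = {}

    def register(self, asid: bytes, nonce: bytes, ask: bytes) -> bytes:
        # hold the registration until the client proves possession of the key
        self.pending[asid] = Registration(nonce, ask)
        return self._issue_challenge(asid)

    def confirm_registration(self, asid: bytes, proof: bytes) -> bool:
        reg = self.pending.pop(asid, None)
        if reg is None or not self._verify(reg, asid, proof):
            return False
        self.registered[asid] = reg
        return True

    def start_authentication(self, asid: bytes):
        reg = self.registered.get(asid)  # lookup stored registration data by asid
        if reg is None:
            return None
        return reg.nonce, self._issue_challenge(asid)

    def finish_authentication(self, asid: bytes, proof: bytes) -> bool:
        reg = self.registered.get(asid)
        return reg is not None and self._verify(reg, asid, proof)

    def _issue_challenge(self, asid: bytes) -> bytes:
        challenge = secrets.token_bytes(16)
        self.challenges[asid] = challenge
        return challenge

    def _verify(self, reg: Registration, asid: bytes, proof: bytes) -> bool:
        challenge = self.challenges.pop(asid, None)  # single use: a replayed proof fails
        if challenge is None:
            return False
        expected = kdf(reg.app_service_key, reg.nonce, challenge)
        return hmac.compare_digest(expected, proof)


def run_registration(app: App, service: Service) -> bool:
    sid = service.service_id                 # server -> client: service identifier
    asid = app.app_service_id(sid)           # client -> server: app-service identifier
    nonce = secrets.token_bytes(16)          # client generates the registration nonce
    ask = app.app_service_key(sid, nonce)    # client -> server: app-service key
    challenge = service.register(asid, nonce, ask)
    return service.confirm_registration(asid, app.proof_of_possession(sid, nonce, challenge))


def run_authentication(app: App, service: Service) -> bool:
    sid = service.service_id
    asid = app.app_service_id(sid)           # client -> server: app-service identifier
    started = service.start_authentication(asid)
    if started is None:
        return False
    nonce, challenge = started               # server -> client: registration nonce and challenge
    return service.finish_authentication(asid, app.proof_of_possession(sid, nonce, challenge))


def demo() -> tuple[bool, bool, bool, bool]:
    service = Service(b"example-service")
    app = App(b"com.example.app")
    registered = run_registration(app, service)
    authenticated = run_authentication(app, service)
    # same app identifier but a different secret application key: same asid, wrong key
    impostor_ok = run_authentication(App(b"com.example.app"), service)
    unknown_ok = run_authentication(App(b"never.registered"), service)
    return registered, authenticated, impostor_ok, unknown_ok
```

Because the server stores the derived application-service key rather than the secret application key, compromise of the server's registration table does not reveal the secret, but it does hand an attacker something that can answer challenges for that one service; the stored key should be protected like any other credential verifier.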
17 Citations
18 Claims
1. A method for registering an application at a client computer to a service at a server for later re-authentication (claim text as given under First Claim above). View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
10. A system comprising:
- at least one memory to store data and instructions; and
- at least one processor configured to access the memory and, when executing the instructions, to:
  - generate a service identifier uniquely identifying a service provided by the system;
  - send to an application at a client, the service identifier;
  - receive, from the application at the client, an application-service identifier, wherein the application-service identifier is generated at the client based upon the service identifier and an application identifier of the application;
  - receive from the application at the client, a registration nonce and an application-service key, wherein the application-service key is based upon the registration nonce, the service identifier and a secret application key;
  - store the registration nonce, the application-service identifier and the application-service key;
  - compute at the server an expected proof of possession of the secret application key and receive from the client a proof of possession; and
  - determine the application is authentic if the expected proof of possession corresponds to the received proof of possession.
View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
Specification