Multi-tiered authentication methods for facilitating communications amongst smart home devices and cloud-based servers

US 9,237,141 B2
Filed: 08/16/2013
Issued: 01/12/2016
Est. Priority Date: 09/22/2012
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating a client device, comprising:

receiving, at a registration server, first device credentials from the client device, the first device credentials including a secret generated by a third party that is unique to the client device;

determining, by the registration server, whether the first device credentials are valid;

determining, by the registration server, whether receiving the first device credentials from the client device is an initial registration contact involving the first device credentials or a subsequent registration contact involving the first device credentials;

when it is determined that the first device credentials are valid and that receiving the first device credentials from the client device is an initial registration contact;

generating, by the registration server, second device credentials, wherein the second device credentials are accessible to a synchronization server; and

communicating the second device credentials to the client device;

when it is determined that receiving the first device credentials is a subsequent registration contact involving the first device credentials;

determining whether a user account is already paired with a client device that previously provided the first device credentials to the registration server; and

when it is determined that the user account is already paired with the client device that previously provided the first device credentials, unpairing the user account from the client device that previously provided the first credentials.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus, systems, methods, and related computer program products for synchronizing distributed states amongst a plurality of entities and authenticating devices to access information and/or services provided by a remote server. Synchronization techniques include client devices and remote servers storing buckets of information. The client device sends a subscription request to the remote serve identifying a bucket of information and, when that bucket changes, the remote server sends the change to the client device. Authentication techniques include client devices including unique default credentials that, when presented to a remote server, provide limited access to the server. The client device may obtain assigned credentials that, when presented to the remote server, provide less limited access to the server.

132 Citations

View as Search Results

18 Claims

1. A method of authenticating a client device, comprising:
- receiving, at a registration server, first device credentials from the client device, the first device credentials including a secret generated by a third party that is unique to the client device;
  
  determining, by the registration server, whether the first device credentials are valid;
  
  determining, by the registration server, whether receiving the first device credentials from the client device is an initial registration contact involving the first device credentials or a subsequent registration contact involving the first device credentials;
  
  when it is determined that the first device credentials are valid and that receiving the first device credentials from the client device is an initial registration contact;
  
  generating, by the registration server, second device credentials, wherein the second device credentials are accessible to a synchronization server; and
  
  communicating the second device credentials to the client device;
  
  when it is determined that receiving the first device credentials is a subsequent registration contact involving the first device credentials;
  
  determining whether a user account is already paired with a client device that previously provided the first device credentials to the registration server; and
  
  when it is determined that the user account is already paired with the client device that previously provided the first device credentials, unpairing the user account from the client device that previously provided the first credentials.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - determining, by the registration server, whether a rate at which first device credentials have been received from the client device exceeds a preset rate; and
      
      when it is determined that the rate at which first device credentials have been received from the client device exceeds the preset rate, denying the client device access to the registration server.
  - 3. The method of claim 1, further comprising:
    - receiving, by the synchronization server, the second device credentials from the client device;
      
      determining, by the synchronization server, whether the received second device credentials are valid; and
      
      when it is determined that the second device credentials are valid, granting, by the synchronization server, the client device access to secured resources.
  - 4. The method of claim 3, wherein determining whether the received second device credentials are valid includes:
    - comparing the received second device credentials to previously stored second device credentials; and
      
      determining that the received second device credentials are valid when the received second device credentials match the previously stored second device credentials.
  - 5. The method of claim 3, wherein determining whether the received second device credentials are valid includes:
    - determining whether the received second device credentials match recently assigned second device credentials; and
      
      when the received second device credentials match the recently assigned second device credentials, determining that the received second device credentials are valid.
  - 6. The method of claim 5, wherein determining whether the received second device credentials are valid further includes:
    - when the received second device credentials do not match the recently assigned second device credentials;
      
      determining whether the received second device credentials match previously assigned second device credentials, the previously assigned second device credentials having been assigned to the client device prior to the recently assigned second device credentials;
      
      when the received second device credentials do not match the previously assigned second device credentials, determining that the received second device credentials are invalid; and
      
      when the received second device credentials match the previously assigned second device credentials;
      
      sending the recently assigned second device credentials to the client device; and
      
      determining that the received second device credentials are valid.
  - 7. The method of claim 5, wherein determining whether the received second device credentials are valid includes:
    - extracting an assigned secret from the received second device credentials;
      
      hashing the assigned secret resulting in a received hashed secret;
      
      determining whether the received hashed secret matches a pre-stored hash of recently assigned second device credentials; and
      
      when the received hashed secret matches the pre-stored hash of the recently assigned second device credentials, determining that the received second device credentials are valid.
  - 8. The method of claim 7, wherein determining whether the second device credentials are valid further includes:
    - when the received hashed secret does not match the pre-stored hash of the recently assigned second device credentials;
      
      determining whether the received hashed secret matches a pre-stored hash of previously assigned second device credentials, the previously assigned second device credentials having been assigned to the client device prior to the recently assigned second device credentials;
      
      when the received hashed secret does not match the pre-stored hash of the previously assigned second device credentials, determining that the received second device credentials are invalid; and
      
      when the received hashed secret matches the pre-stored hash of the previously assigned second device credentials, determining that the received second device credentials are valid.
  - 9. The method of claim 8, further comprising:
    - when the received hashed secret matches the pre-stored hash of the previously assigned second device credentials;
      
      decrypting an encrypted version of the recently assigned credentials resulting in a decrypted version of the recently assigned credentials, the encrypted and decrypted versions of the recently assigned credentials being stored on at least one storage device associated with the synchronization server;
      
      sending the decrypted version of the recently assigned credentials to the client device; and
      
      after sending the decrypted version of the recently assigned credentials to the client device, deleting the decrypted version of the recently assigned credentials from the at least one storage device associated with the synchronization server.

10. A registration server comprising:
- one or more processors; and
  
  one or more memory devices comprising instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising;
  
  receiving, at the registration server, first device credentials from the client device, the first device credentials including a secret generated by a third party that is unique to the client device;
  
  determining, by the registration server, whether the first device credentials are valid;
  
  determining, by the registration server, whether receiving the first device credentials from the client device is an initial registration contact involving the first device credentials or a subsequent registration contact involving the first device credentials;
  
  when it is determined that the first device credentials are valid and that receiving the first device credentials from the client device is an initial registration contact;
  
  generating, by the registration server, second device credentials, wherein the second device credentials are accessible to a synchronization server; and
  
  communicating the second device credentials to the client device;
  
  when it is determined that receiving the first device credentials is a subsequent registration contact involving the first device credentials;
  
  determining whether a user account is already paired with a client device that previously provided the first device credentials to the registration server; and
  
  when it is determined that the user account is already paired with the client device that previously provided the first device credentials, unpairing the user account from the client device that previously provided the first credentials.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The registration server of claim 10, wherein the one or more memory devices comprise additional instructions that, when executed by the one or more processors, cause the one or more processor to perform additional operations comprising:
    - determining, by the registration server, whether a rate at which first device credentials have been received from the client device exceeds a preset rate; and
      
      when it is determined that the rate at which first device credentials have been received from the client device exceeds the preset rate, denying the client device access to the registration server.
  - 12. The registration server of claim 10, wherein the one or more memory devices comprise additional instructions that, when executed by the one or more processors, cause the one or more processor to perform additional operations comprising:
    - receiving, by the synchronization server, the second device credentials from the client device;
      
      determining, by the synchronization server, whether the received second device credentials are valid; and
      
      when it is determined that the second device credentials are valid, granting, by the synchronization server, the client device access to secured resources.
  - 13. The registration server of claim 12, wherein determining whether the received second device credentials are valid includes:
    - comparing the received second device credentials to previously stored second device credentials; and
      
      determining that the received second device credentials are valid when the received second device credentials match the previously stored second device credentials.
  - 14. The registration server of claim 12, wherein determining whether the received second device credentials are valid includes:
    - determining whether the received second device credentials match recently assigned second device credentials; and
      
      when the received second device credentials match the recently assigned second device credentials, determining that the received second device credentials are valid.
  - 15. The registration server of claim 14, wherein determining whether the received second device credentials are valid further includes:
    - when the received second device credentials do not match the recently assigned second device credentials;
      
      determining whether the received second device credentials match previously assigned second device credentials, the previously assigned second device credentials having been assigned to the client device prior to the recently assigned second device credentials;
      
      when the received second device credentials do not match the previously assigned second device credentials, determining that the received second device credentials are invalid; and
      
      when the received second device credentials match the previously assigned second device credentials;
      
      sending the recently assigned second device credentials to the client device; and
      
      determining that the received second device credentials are valid.
  - 16. The registration server of claim 14, wherein determining whether the received second device credentials are valid includes:
    - extracting an assigned secret from the received second device credentials;
      
      hashing the assigned secret resulting in a received hashed secret;
      
      determining whether the received hashed secret matches a pre-stored hash of recently assigned second device credentials; and
      
      when the received hashed secret matches the pre-stored hash of the recently assigned second device credentials, determining that the received second device credentials are valid.
  - 17. The registration server of claim 16, wherein determining whether the second device credentials are valid further includes:
    - when the received hashed secret does not match the pre-stored hash of the recently assigned second device credentials;
      
      determining whether the received hashed secret matches a pre-stored hash of previously assigned second device credentials, the previously assigned second device credentials having been assigned to the client device prior to the recently assigned second device credentials;
      
      when the received hashed secret does not match the pre-stored hash of the previously assigned second device credentials, determining that the received second device credentials are invalid; and
      
      when the received hashed secret matches the pre-stored hash of the previously assigned second device credentials, determining that the received second device credentials are valid.
  - 18. The registration server of claim 17, wherein the one or more memory devices comprise additional instructions that, when executed by the one or more processors, cause the one or more processor to perform additional operations comprising:
    - when the received hashed secret matches the pre-stored hash of the previously assigned second device credentials;
      
      decrypting an encrypted version of the recently assigned credentials resulting in a decrypted version of the recently assigned credentials, the encrypted and decrypted versions of the recently assigned credentials being stored on at least one storage device associated with the synchronization server;
      
      sending the decrypted version of the recently assigned credentials to the client device; and
      
      after sending the decrypted version of the recently assigned credentials to the client device, deleting the decrypted version of the recently assigned credentials from the at least one storage device associated with the synchronization server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Logue, Jay D., Supramaniam, Senthilvasan, Hardison, Osborne B., Luxenberg, Jared A.
Primary Examiner(s)
Gergiso, Techane

Application Number

US13/969,172
Publication Number

US 20140089671A1
Time in Patent Office

879 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0846   using time-dependent-passwo...

H04L 63/0853   using an additional device,...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

Multi-tiered authentication methods for facilitating communications amongst smart home devices and cloud-based servers

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

132 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-tiered authentication methods for facilitating communications amongst smart home devices and cloud-based servers

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

132 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links