Characteristics of security associations

US 9,503,438 B2
Filed: 07/12/2013
Issued: 11/22/2016
Est. Priority Date: 07/13/2012
Status: Expired due to Fees

First Claim

Patent Images

1. A method of authenticating a user of a wireless transmit/receive unit (WTRU), the method comprising, at the WTRU:

obtaining, from an access control entity, an assurance level associated with a user authentication strength that is required to access a resource controlled by the access control entity;

generating an assertion based on the assurance level that is obtained, the assertion comprising an indication of a freshness of an authentication of the user, and an indication of a strength of the authentication of the user, the indication of the freshness based on a time that the authentication of the user occurred; and

based on the assertion as compared to the user authentication assurance level that is required, receiving access to the resource via the WTRU.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Authentication of a user or a wireless transmit/receive unit may be based on an obtained measure of authentication strength, which may referred to as an assurance level. For example, a user, via a WTRU, may request access to a service controlled by an access control entity (ACE). The user may be authenticated with a user authenticator and assertion function (UAAF), producing a result. A user assertion may be provided that includes the user authentication result, a user assurance level, and/or a user freshness level. The WTRU may be authenticated with a device authenticator and assertion function (DAAF), producing an associated result. A device assertion may be provided that may include the device authentication result, a device assurance level, and/or a device freshness level. The assertions may be bound together to receive access to a service or resource.

36 Citations

View as Search Results

31 Claims

1. A method of authenticating a user of a wireless transmit/receive unit (WTRU), the method comprising, at the WTRU:
- obtaining, from an access control entity, an assurance level associated with a user authentication strength that is required to access a resource controlled by the access control entity;
  
  generating an assertion based on the assurance level that is obtained, the assertion comprising an indication of a freshness of an authentication of the user, and an indication of a strength of the authentication of the user, the indication of the freshness based on a time that the authentication of the user occurred; and
  
  based on the assertion as compared to the user authentication assurance level that is required, receiving access to the resource via the WTRU.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as recited in claim 1, the method further comprising:
    - obtaining a measure of a strength of a WTRU authentication; and
      
      generating the assertion further based on the WTRU authentication strength measure.
  - 3. The method as recited in claim 2, wherein the assertion comprises an indication of a freshness of the WTRU authentication.
  - 4. The method as recited in claim 1, wherein the assertion comprises a plurality of user authentication factors.
  - 5. The method as recited in claim 2, wherein the assertion comprises a plurality of WTRU authentication factors.
  - 6. The method as recited in claim 1, wherein the assertion is a negative assertion and the received access, based on the negative assertion, is a limited access.

7. In a system comprising a wireless transmit/receive unit (WTRU) and an access control entity (ACE) which communicate via a network, a method of authenticating a user of the WTRU and the WTRU, the method comprising:
- requesting access to a service controlled by the ACE;
  
  providing a user assertion, to the ACE, associated with the user, wherein the user assertion indicates a result of an authentication between the user and a user authenticator and assertion function (UAAF), and wherein the user assertion comprises a user authentication assurance level;
  
  providing a device assertion, to the ACE, associated with a device identity of the WTRU, wherein the device assertion indicates a result of an authentication between the WTRU and a device authenticator and assertion function (DAAF), and wherein the device assertion comprises a device authentication assurance level;
  
  binding the user assertion with the device assertion to create a bounded assertion; and
  
  sending the bounded assertion to the ACE to receive access to the service.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 8. The method as recited in claim 7, wherein the user assertion further comprises an indication of a user authentication freshness level.
  - 9. The method as recited in claim 7, wherein the device assertion further comprises an indication of a device authentication freshness level.
  - 10. The method as recited in claim 7, wherein the bounded assertion comprises a combined result of the user authentication assurance level and the device authentication assurance level.
  - 11. The method as recited in claim 7, wherein the user assertion comprises a negative user assertion, and wherein the negative user assertion indicates that the result of the authentication between the user and the UAAF is negative, the method further comprising:
    - in response to the negative user assertion, receiving a limited access or no access to the service.
  - 12. The method as recited in claim 7, wherein the device assertion comprises a negative device assertion, wherein the negative device assertion indicates that the result of the authentication between the WTRU and the DAAF is negative, the method further comprising:
    - in response to the negative device assertion, receiving a limited access or no access to the service.
  - 13. The method as recited in claim 7, wherein the bounded assertion comprises a negative bounded assertion, and wherein the negative bounded assertion indicates that at least one of the results of the authentication between the user and the UAAF or the authentication between the WTRU and the DAAF is negative, the method further comprising:
    - in response to the negative bounded assertion, receiving a limited access or no access to the service.
  - 14. The method as recited in claim 7, wherein the device assertion comprises a positive device assertion and the user assertion comprises a positive user assertion, and wherein the positive device assertion indicates that the WTRU is authenticated with the DAAF, and wherein the positive user assertion indicates that the user is authenticated with the UAAF, the method further comprising:
    - in response to the bounded assertion, receiving a limitless access to the service.
  - 15. The method as recited in claim 7, the method further comprising:
    - if at least one of the device authentication assurance level, the device authentication freshness level, the user authentication assurance level, and the user authentication freshness level are not within a respective acceptable range, receiving a limited access or no access to the service.
  - 16. The method as recited in claim 7, wherein the UAAF resides on the WTRU and the DAAF resides on a server of the network.
  - 17. The method as recited in claim 7, wherein the UAAF and the DAAF are co-located.
  - 18. The method as recited in claim 7, the method further comprising:
    - if at least one of the device authentication assurance level and the device authentication freshness level are not with a respective acceptable range, re-authenticating the WTRU with the DAAF.
  - 19. The method recited in claim 7, the method further comprising:
    - if at least one of the user authentication assurance level and the user authentication freshness level are not with within a respective acceptable range, re-authenticating the user with the UAAF.
  - 20. The method recited in claim 18, wherein each respective acceptable range is determined by a policy of a service provider that provides the service.
  - 21. The method as recited in claim 19, wherein each respective acceptable range is determined by a policy of a service provider that provides the service.
  - 22. The method recited in claim 7, wherein the UAAF and the DAAF are bound together into a single authenticator and assertion function (AAF).
  - 23. The method as recited in claim 7, wherein the DAAF and the ACE are co-located.
  - 24. The method as recited in claim 7, wherein the result of the authentication between the user and the UAAF is based on at least one of one or more authentication factors, the one or more authentication factors comprising information indicative of knowledge of the user, one or more physiological characteristics of the user, and one or more behavioral characteristics of the user.
  - 25. The method as recited in claim 10, the method further comprising:
    - storing a user authentication freshness level, the user authentication assurance level, the device authentication freshness level, and the device authentication assurance level; and
      
      based on at least one of the stored levels, receiving a limited access to the service.

26. A wireless transmit/receive unit (WTRU) having a user, the WTRU comprising:
- a memory comprising executable instructions; and
  
  a processor in communications with the memory, the instructions, when executed by the processor, cause the processor to effectuate operations comprising;
  
  obtaining, from an access control entity, an assurance level associated with a user authentication strength that is required to access a resource controlled by the access control entity;
  
  generating an assertion based on the assurance level that is obtained, the assertion comprising an indication of a freshness of an authentication of the user, and an indication of a strength of the authentication of the user, the indication of the freshness based on a time that the authentication of the user occurred; and
  
  based on the assertion as compared to the user authentication assurance level that is required, receiving access to the resource via the WTRU.
- View Dependent Claims (27, 28, 29, 30, 31)
- - 27. The WTRU as recited in claim 26, wherein the processor is further configured to execute the instructions to perform operations comprising:
    - obtaining a measure of a strength of a WTRU authentication; and
      
      generating the assertion further based on the WTRU authentication strength measure.
  - 28. The WTRU as recited in claim 27, wherein the assertion comprises an indication of a freshness of the WTRU authentication.
  - 29. The WTRU as recited in claim 26, wherein the assertion comprises a plurality of user authentication factors.
  - 30. The WTRU as recited in claim 27, wherein the assertion comprises a plurality of WTRU authentication factors.
  - 31. The WTRU as recited in claim 26, wherein the assertion is a negative assertion and the received access, based on the negative assertion, is a limited access or no access to the resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
InterDigital Patent Holdings, Inc. (InterDigital, Inc.)
Original Assignee
InterDigital Patent Holdings, Inc. (InterDigital, Inc.)
Inventors
Meyerstein, Michael V, Guccione, Louis J, Choyi, Vinod Kumar, Shah, Yogendra C
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US13/940,794
Publication Number

US 20140201809A1
Time in Patent Office

1,229 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 2463/081   applying self-generating cr...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0876   based on the identity of th...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/205   involving negotiation or de...

H04W 12/068   using credential vaults, e....

Characteristics of security associations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

36 Citations

31 Claims

Specification

Use Cases

Quick Links

Others

Characteristics of security associations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

31 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others