Multi-tiered authentication methods for facilitating communications amongst smart home devices and cloud-based servers

US 9,584,520 B2
Filed: 12/30/2015
Issued: 02/28/2017
Est. Priority Date: 09/22/2012
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a storage device that stores device credentials for client devices; and

a remote server configured to;

receive first device credentials from a client device, the first device credentials including a secret generated by a third party that is unique to the client device;

determine whether the first device credentials are valid;

when it is determined that the first device credentials are valid;

generate second device credentials, the second device credentials operable to authenticate the client device to communicate with one or more components of the remote server; and

communicate the second device credentials to the client device;

receive the second device credentials from the client device;

determine whether the second device credentials are valid, wherein determining whether the second device credentials are valid includes one or more operations including;

comparing the received second device credentials with recently generated second device credentials, andcomparing the received second device credentials with previously generated second device credentials that were generated prior to the recently generated second device credentials; and

when it is determined that the second device credentials are valid, grant the client device access to secured resources at the remote server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus, systems, methods, and related computer program products for synchronizing distributed states amongst a plurality of entities and authenticating devices to access information and/or services provided by a remote server. Synchronization techniques include client devices and remote servers storing buckets of information. The client device sends a subscription request to the remote serve identifying a bucket of information and, when that bucket changes, the remote server sends the change to the client device. Authentication techniques include client devices including unique default credentials that, when presented to a remote server, provide limited access to the server. The client device may obtain assigned credentials that, when presented to the remote server, provide less limited access to the server.

97 Citations

View as Search Results

20 Claims

1. A system, comprising:
- a storage device that stores device credentials for client devices; and
  
  a remote server configured to;
  
  receive first device credentials from a client device, the first device credentials including a secret generated by a third party that is unique to the client device;
  
  determine whether the first device credentials are valid;
  
  when it is determined that the first device credentials are valid;
  
  generate second device credentials, the second device credentials operable to authenticate the client device to communicate with one or more components of the remote server; and
  
  communicate the second device credentials to the client device;
  
  receive the second device credentials from the client device;
  
  determine whether the second device credentials are valid, wherein determining whether the second device credentials are valid includes one or more operations including;
  
  comparing the received second device credentials with recently generated second device credentials, andcomparing the received second device credentials with previously generated second device credentials that were generated prior to the recently generated second device credentials; and
  
  when it is determined that the second device credentials are valid, grant the client device access to secured resources at the remote server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the remote server is further configured to:
    - determine whether a connection with the client device is secure; and
      
      when it is determined that the connection with the client device is not secure, deny the client device access to the remote server.
  - 3. The system of claim 1, wherein the remote server is further configured to:
    - determine whether a rate at which first device credentials have been received from the client device exceeds a preset rate; and
      
      when it is determined that the rate at which first device credentials have been received from the client device exceeds the preset rate, deny the client device access to the remote server.
  - 4. The system of claim 1, wherein the remote server is further configured to:
    - determine whether the contact from the client device is an initial contact or a subsequent contact;
      
      when it is determined that the contact is an initial contact;
      
      generate the second device credentials; and
      
      communicate the second device credentials to the client device; and
      
      when it is determined that the contact is a subsequent contact;
      
      determine whether the client device is paired with a user account;
      
      when it is determined that the client device is not paired with a user account, send the second device credentials to the client device; and
      
      when it is determined that the client device is paired with a user account, unpair the client device from the user account.
  - 5. The system of claim 1, wherein:
    - the first device credentials include a default identifier that uniquely identifies the client device and a default secret that is a unique string or data sequence associated with the client device;
      
      the storage device stores first device credentials for each client device; and
      
      determining whether the first device credentials are valid includes the remote server;
      
      using the default identifier of the received first device credentials to identify the default secret stored at the storage element that corresponds to the client device; and
      
      comparing the received default secret to the identified default secret, wherein the first device credentials are considered valid when the received default secret matches the identified default secret.
  - 6. The system of claim 1, wherein:
    - the first device credentials include a default identifier that uniquely identifies the client device and a default secret that is a unique string or data sequence associated with the client device;
      
      the default identifier includes a key identifier that identifies an encryption algorithm used to generate the default secret;
      
      the default secret is an encrypted version of the default identifier, the encrypted version of the default identifier being encrypted using the encryption algorithm identified by the key identifier; and
      
      determining whether the first device credentials are valid includes the remote server;
      
      encrypting the received default identifier using the encryption algorithm identified by the received key identifier resulting in an encrypted default identifier; and
      
      comparing the received default secret to the encrypted default identifier, wherein the first device credentials are considered valid when the received default secret matches the encrypted default identifier.
  - 7. The system of claim 1, wherein the remote server is further configured to:
    - determine whether the second device credentials are expired; and
      
      when it is determined that the second device credentials are expired;
      
      generate new second device credentials; and
      
      send the new second device credentials to the client device.
  - 8. The system of claim 1, wherein the remote server is further configured to:
    - receive, from the client device, device credentials selected from the group consisting of the first device credentials and the second device credentials;
      
      determine whether the received device credentials are valid;
      
      receive log information from the client device; and
      
      categorize the received log information based on;
      
      whether the first device credentials were received or whether the second device credentials were received or whether both the first device credentials and the second device credentials were received; and
      
      the validity of the received device credentials.

9. A method of granting access for a remote server to a client device, the method comprising:
- receiving, by the remote server, first device credentials from the client device, the first device credentials including a secret generated by a third party that is unique to the client device;
  
  determining, by the remote server, whether the first device credentials are valid;
  
  when it is determined that the first device credentials are valid;
  
  generating, by the remote server, second device credentials, the second device credentials operable to authenticate the client device to communicate with one or more components of the remote server; and
  
  communicating, by the remote server, the second device credentials to the client device;
  
  receiving, by the remote server, the second device credentials from the client device;
  
  determining, by the remote server, whether the second device credentials are valid, wherein determining whether the second device credentials are valid includes one or more operations including;
  
  comparing, by the remote server, the received second device credentials with recently generated second device credentials, andcomparing, by the remote server, the received second device credentials with previously generated second device credentials that were generated prior to the recently generated second device credentials; and
  
  when it is determined that the second device credentials are valid, granting, by the remote server, the client device access to secured resources at the remote server.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, further comprising:
    - determining, by the remote server, whether a connection with the client device is secure; and
      
      when it is determined that the connection with the client device is not secure, denying, by the remote server, the client device access to the remote server.
  - 11. The method of claim 9, further comprising:
    - determining, by the remote server, whether a rate at which first device credentials have been received from the client device exceeds a preset rate; and
      
      when it is determined that the rate at which first device credentials have been received from the client device exceeds the preset rate, denying, by the remote server, the client device access to the remote server.
  - 12. The method of claim 9, further comprising:
    - determining, by the remote server, whether the contact from the client device is an initial contact or a subsequent contact;
      
      when it is determined that the contact is an initial contact;
      
      generating, by the remote server, the second device credentials; and
      
      communicating, by the remote server, the second device credentials to the client device; and
      
      when it is determined that the contact is a subsequent contact;
      
      determining, by the remote server, whether the client device is paired with a user account;
      
      when it is determined that the client device is not paired with a user account, sending, by the remote server, the second device credentials to the client device; and
      
      when it is determined that the client device is paired with a user account, unpairing, by the remote server, the client device from the user account.
  - 13. The method of claim 9, wherein:
    - the first device credentials include a default identifier that uniquely identifies the client device and a default secret that is a unique string or data sequence associated with the client device;
      
      the storage device stores first device credentials for each client device; and
      
      determining whether the first device credentials are valid includes the remote server;
      
      using, by the remote server, the default identifier of the received first device credentials to identify the default secret stored at the storage element that corresponds to the client device; and
      
      comparing, by the remote server, the received default secret to the identified default secret, wherein the first device credentials are considered valid when the received default secret matches the identified default secret.
  - 14. The method of claim 9, wherein:
    - the first device credentials include a default identifier that uniquely identifies the client device and a default secret that is a unique string or data sequence associated with the client device;
      
      the default identifier includes a key identifier that identifies an encryption algorithm used to generate the default secret;
      
      the default secret is an encrypted version of the default identifier, the encrypted version of the default identifier being encrypted using the encryption algorithm identified by the key identifier; and
      
      determining whether the first device credentials are valid comprises;
      
      encrypting, by the remote server, the received default identifier using the encryption algorithm identified by the received key identifier resulting in an encrypted default identifier; and
      
      comparing, by the remote server, the received default secret to the encrypted default identifier, wherein the first device credentials are considered valid when the received default secret matches the encrypted default identifier.
  - 15. The method of claim 9, further comprising:
    - determining, by the remote server, whether the second device credentials are expired; and
      
      when it is determined that the second device credentials are expired;
      
      generating, by the remote server, new second device credentials; and
      
      sending, by the remote server, the new second device credentials to the client device.
  - 16. The method of claim 9, further comprising:
    - receiving, by the remote server and from the client device, device credentials selected from the group consisting of the first device credentials and the second device credentials;
      
      determining, by the remote server, whether the received device credentials are valid;
      
      receiving, by the remote server, log information from the client device; and
      
      categorizing, by the remote server, the received log information based on;
      
      whether the first device credentials were received or whether the second device credentials were received or whether both the first device credentials and the second device credentials were received; and
      
      the validity of the received device credentials.

17. A non-transitory storage medium comprising instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising:
- receiving, by a remote server, first device credentials from a client device, the first device credentials including a secret generated by a third party that is unique to the client device;
  
  determining, by the remote server, whether the first device credentials are valid;
  
  when it is determined that the first device credentials are valid;
  
  generating, by the remote server, second device credentials, the second device credentials operable to authenticate the client device to communicate with one or more components of the remote server; and
  
  communicating, by the remote server, the second device credentials to the client device;
  
  receiving, by the remote server, the second device credentials from the client device;
  
  determining, by the remote server, whether the second device credentials are valid, wherein determining whether the second device credentials are valid includes one or more operations including;
  
  comparing, by the remote server, the received second device credentials with recently generated second device credentials, andcomparing, by the remote server, the received second device credentials with previously generated second device credentials that were generated prior to the recently generated second device credentials; and
  
  when it is determined that the second device credentials are valid, granting, by the remote server, the client device access to secured resources at the remote server.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory storage medium of claim 17, further comprising additional instructions that, when executed by the one or more processors, cause the one or more processors to perform additional operations comprising:
    - determining, by the remote server, whether a connection with the client device is secure; and
      
      when it is determined that the connection with the client device is not secure, denying, by the remote server, the client device access to the remote server.
  - 19. The non-transitory storage medium of claim 17, further comprising additional instructions that, when executed by the one or more processors, cause the one or more processors to perform additional operations comprising:
    - determining, by the remote server, whether a rate at which first device credentials have been received from the client device exceeds a preset rate; and
      
      when it is determined that the rate at which first device credentials have been received from the client device exceeds the preset rate, denying, by the remote server, the client device access to the remote server.
  - 20. The non-transitory storage medium of claim 17, further comprising additional instructions that, when executed by the one or more processors, cause the one or more processors to perform additional operations comprising:
    - determining, by the remote server, whether the contact from the client device is an initial contact or a subsequent contact;
      
      when it is determined that the contact is an initial contact;
      
      generating, by the remote server, the second device credentials; and
      
      communicating, by the remote server, the second device credentials to the client device; and
      
      when it is determined that the contact is a subsequent contact;
      
      determining, by the remote server, whether the client device is paired with a user account;
      
      when it is determined that the client device is not paired with a user account, sending, by the remote server, the second device credentials to the client device; and
      
      when it is determined that the client device is paired with a user account, unpairing, by the remote server, the client device from the user account.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Logue, Jay D., Supramaniam, Senthilvasan, Hardison, Osborne B., Luxenberg, Jared
Primary Examiner(s)
Gergiso, Techane

Application Number

US14/984,609
Publication Number

US 20160119354A1
Time in Patent Office

426 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

H04L 63/0428   wherein the data content is...

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0846   using time-dependent-passwo...

H04L 63/0853   using an additional device,...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

Multi-tiered authentication methods for facilitating communications amongst smart home devices and cloud-based servers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

97 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-tiered authentication methods for facilitating communications amongst smart home devices and cloud-based servers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

97 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links