Device-level authentication with unique device identifiers
First Claim
1. A method comprising:
- receiving, by a provisioning server device, a manufacturer security certificate from a client device, wherein the manufacturer security certificate is associated with a manufacturer of the client device;
- establishing, between the client device and the provisioning server device, a secure connection, wherein the secure connection is established based on the manufacturer security certificate;
- receiving, by the provisioning server device over the secure connection, device data that characterizes the client device;
- transmitting, by the provisioning server device over the secure connection, a server security certificate, wherein the server security certificate identifies secure communication parameters of one or more pre-validated server devices, wherein the pre-validated server devices do not include the provisioning server device;
- randomly generating, by the provisioning server device, a representation of a unique client device identifier, wherein the unique client device identifier is associated with the client device and is configured to support, for the client device, secure access to the pre-validated server devices;
- transmitting, by the provisioning server device over the secure connection, the unique client device identifier, wherein reception of the unique client device identifier causes the client device to store the unique client device identifier in a tamper-resistant secure memory element of the client device; and
- based on the representation of the unique client device identifier, registering, by the provisioning server device, the client device, wherein the registration associates the representation of the unique client device identifier with policies that allow the client device to securely access, by way of the secure communication parameters, protected information available to the one or more pre-validated server devices, wherein the accessing the protected information comprises (i) establishing, between the client device and a particular pre-validated server device, a second secure connection, wherein the second secure connection is established based on the server security certificate, (ii) after establishing the second secure connection, transmitting, by the client device over the second secure connection, a representation of the unique client device identifier, and (iii) receiving, by the client device over the second secure connection, the protected information, wherein the second secure connection involves mutual authentication between the client device and the particular pre-validated server device, and wherein accessing the protected information occurs without the client device transmitting security credentials that identify a user of the client device to the one or more pre-validated server devices.
Abstract
An embodiment may include transmitting a manufacturer security certificate to a provisioning server device, and establishing, with the provisioning server device, a secure connection based on the manufacturer security certificate. The embodiment may also involve transmitting, over the secure connection, device data that characterizes the client device, and receiving, over the secure connection, a server security certificate. The embodiment may further include obtaining a unique client device identifier, where the unique client device identifier is stored in a secure memory element of the client device. The embodiment may additionally include, possibly based on the server security certificate and the unique client device identifier, accessing protected information available to a particular pre-validated server device.
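An added sketch (not code from the patent or from any product) of the server-side bookkeeping that the abstract and claim 1 describe: random identifier generation, registration of its representation against policies, and the device-only access check on a pre-validated server. It assumes SHA-256 as the "representation", a registry readable by the pre-validated servers, and that both secure connections are already established; every class, function and resource name is hypothetical.

```python
import hashlib
import secrets


def representation(device_id: bytes) -> str:
    # Assumption: the stored "representation" is a SHA-256 digest of the identifier.
    return hashlib.sha256(device_id).hexdigest()


class Registry:
    """Hypothetical store readable by the pre-validated servers."""

    def __init__(self):
        self._entries = {}  # representation -> (device_data, permitted resources)

    def register(self, rep, device_data, resources):
        if rep in self._entries:
            raise ValueError("identifier already registered")
        self._entries[rep] = (dict(device_data), frozenset(resources))

    def permits(self, rep, resource):
        entry = self._entries.get(rep)
        return entry is not None and resource in entry[1]


class ProvisioningServer:
    def __init__(self, registry):
        self.registry = registry

    def provision(self, device_data, resources):
        # Called once the first secure connection (manufacturer certificate) is up.
        device_id = secrets.token_bytes(32)  # random, not derived from device_data
        self.registry.register(representation(device_id), device_data, resources)
        return device_id  # the client keeps this in its secure memory element


class PreValidatedServer:
    def __init__(self, registry, protected):
        self.registry = registry
        self.protected = protected  # resource name -> protected information

    def fetch(self, presented_id, resource):
        # Called once the second, mutually authenticated connection is up.
        # The decision uses the device identifier only; no user credentials.
        if not self.registry.permits(representation(presented_id), resource):
            raise PermissionError("device is not registered for this resource")
        return self.protected[resource]
```

Because the registry holds only the digest, a read of the registry does not yield an identifier that can be presented to `fetch`.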
18 Claims
1. A method comprising:
- receiving, by a provisioning server device, a manufacturer security certificate from a client device, wherein the manufacturer security certificate is associated with a manufacturer of the client device;
- establishing, between the client device and the provisioning server device, a secure connection, wherein the secure connection is established based on the manufacturer security certificate;
- receiving, by the provisioning server device over the secure connection, device data that characterizes the client device;
- transmitting, by the provisioning server device over the secure connection, a server security certificate, wherein the server security certificate identifies secure communication parameters of one or more pre-validated server devices, wherein the pre-validated server devices do not include the provisioning server device;
- randomly generating, by the provisioning server device, a representation of a unique client device identifier, wherein the unique client device identifier is associated with the client device and is configured to support, for the client device, secure access to the pre-validated server devices;
- transmitting, by the provisioning server device over the secure connection, the unique client device identifier, wherein reception of the unique client device identifier causes the client device to store the unique client device identifier in a tamper-resistant secure memory element of the client device; and
- based on the representation of the unique client device identifier, registering, by the provisioning server device, the client device, wherein the registration associates the representation of the unique client device identifier with policies that allow the client device to securely access, by way of the secure communication parameters, protected information available to the one or more pre-validated server devices, wherein the accessing the protected information comprises (i) establishing, between the client device and a particular pre-validated server device, a second secure connection, wherein the second secure connection is established based on the server security certificate, (ii) after establishing the second secure connection, transmitting, by the client device over the second secure connection, a representation of the unique client device identifier, and (iii) receiving, by the client device over the second secure connection, the protected information, wherein the second secure connection involves mutual authentication between the client device and the particular pre-validated server device, and wherein accessing the protected information occurs without the client device transmitting security credentials that identify a user of the client device to the one or more pre-validated server devices.

Dependent claims: 2, 3, 4, 5, 6
7. An article of manufacture including a non-transitory computer-readable medium, having stored thereon program instructions that, upon execution by a provisioning server device, cause the provisioning server device to perform operations comprising:
- receiving, by the provisioning server device, a manufacturer security certificate from a client device, wherein the manufacturer security certificate is associated with a manufacturer of the client device;
- establishing, between the client device and the provisioning server device, a secure connection, wherein the secure connection is established based on the manufacturer security certificate;
- receiving, by the provisioning server device over the secure connection, device data that characterizes the client device;
- transmitting, by the provisioning server device over the secure connection, a server security certificate, wherein the server security certificate identifies secure communication parameters of one or more pre-validated server devices, wherein the pre-validated server devices do not include the provisioning server device;
- randomly generating, by the provisioning server device, a representation of a unique client device identifier, wherein the unique client device identifier is associated with the client device and is configured to support, for the client device, secure access to the pre-validated server devices;
- transmitting, by the provisioning server device over the secure connection, the unique client device identifier, wherein reception of the unique client device identifier causes the client device to store the unique client device identifier in a tamper-resistant secure memory element of the client device; and
- based on the representation of the unique client device identifier, registering, by the provisioning server device, the client device, wherein the registration associates the representation of the unique client device identifier with policies that allow the client device to securely access, by way of the secure communication parameters, protected information available to the one or more pre-validated server devices, wherein the accessing the protected information comprises (i) establishing, between the client device and a particular pre-validated server device, a second secure connection, wherein the second secure connection is established based on the server security certificate, (ii) after establishing the second secure connection, transmitting, by the client device over the second secure connection, a representation of the unique client device identifier, and (iii) receiving, by the client device over the second secure connection, the protected information, wherein the second secure connection involves mutual authentication between the client device and the particular pre-validated server device, and wherein accessing the protected information occurs without the client device transmitting security credentials that identify a user of the client device to the one or more pre-validated server devices.

Dependent claims: 8, 9, 10, 11, 12
13. A provisioning server device comprising:
- a processor;
- memory; and
- program instructions, stored in the memory, that upon execution by the processor cause the provisioning server device to perform operations comprising:
  - receiving, by the provisioning server device, a manufacturer security certificate from a client device, wherein the manufacturer security certificate is associated with a manufacturer of the client device;
  - establishing, between the client device and the provisioning server device, a secure connection, wherein the secure connection is established based on the manufacturer security certificate;
  - receiving, by the provisioning server device over the secure connection, device data that characterizes the client device;
  - transmitting, by the provisioning server device over the secure connection, a server security certificate, wherein the server security certificate identifies secure communication parameters of one or more pre-validated server devices, wherein the pre-validated server devices do not include the provisioning server device;
  - randomly generating, by the provisioning server device, a representation of a unique client device identifier, wherein the unique client device identifier is associated with the client device and is configured to support, for the client device, secure access to the pre-validated server devices;
  - transmitting, by the provisioning server device over the secure connection, the unique client device identifier, wherein reception of the unique client device identifier causes the client device to store the unique client device identifier in a tamper-resistant secure memory element of the client device; and
  - based on the representation of the unique client device identifier, registering, by the provisioning server device, the client device, wherein the registration associates the representation of the unique client device identifier with policies that allow the client device to securely access, by way of the secure communication parameters, protected information available to the one or more pre-validated server devices, wherein the accessing the protected information comprises (i) establishing, between the client device and a particular pre-validated server device, a second secure connection, wherein the second secure connection is established based on the server security certificate, (ii) after establishing the second secure connection, transmitting, by the client device over the second secure connection, a representation of the unique client device identifier, and (iii) receiving, by the client device over the second secure connection, the protected information, wherein the second secure connection involves mutual authentication between the client device and the particular pre-validated server device, and wherein accessing the protected information occurs without the client device transmitting security credentials that identify a user of the client device to the one or more pre-validated server devices.

Dependent claims: 14, 15, 16, 17, 18
Specification