Enhanced authentication for secure communications

US 9,692,757 B1
Filed: 05/20/2015
Issued: 06/27/2017
Est. Priority Date: 05/20/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

obtaining a challenge from an authentication service;

generating a secure shell (SSH) identification string that comprises the obtained challenge;

transmitting the generated SSH identification string to another computer system during an SSH identification string exchange;

receiving, from the other computer system, after an SSH key exchange with the other computer system, an SSH authentication request that comprises a digital signature;

transmitting to the authentication service the digital signature and information usable to determine a set of messages passed between the computer system and the other computer system, at least one message of the set of messages comprising the challenge;

receiving, from the authentication service, a response that indicates whether the digital signature was successfully verified as having been generated using the challenge; and

authenticating the other computer system based at least in part on the received response.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A server obtains a challenge from another computer system during a negotiation with a client according to a protocol. The server injects the challenge into a message of the protocol to the client. The client uses the challenge in an authentication request. The server submits the authentication request to the other computer system for verification. The other computer system verifies the authentication request using a key registered to the client. The server operates further dependent at least in part on whether verification of the authentication request was successful.

28 Citations

View as Search Results

23 Claims

1. A computer-implemented method, comprising:
- obtaining a challenge from an authentication service;
  
  generating a secure shell (SSH) identification string that comprises the obtained challenge;
  
  transmitting the generated SSH identification string to another computer system during an SSH identification string exchange;
  
  receiving, from the other computer system, after an SSH key exchange with the other computer system, an SSH authentication request that comprises a digital signature;
  
  transmitting to the authentication service the digital signature and information usable to determine a set of messages passed between the computer system and the other computer system, at least one message of the set of messages comprising the challenge;
  
  receiving, from the authentication service, a response that indicates whether the digital signature was successfully verified as having been generated using the challenge; and
  
  authenticating the other computer system based at least in part on the received response.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-implemented method of claim 1, wherein:
    - the response indicates successful verification of the digital signature and includes a token that serves as cryptographic proof that the computer system is authorized to submit at least one request on behalf of the other computer system; and
      
      the method further comprises using the token to make a request to another service on behalf of the other computer system.
  - 3. The computer-implemented method of claim 1, wherein the generated identification string comprises the challenge in a comment field of the generated SSH identification string.
  - 4. The computer-implemented method of claim 1, wherein the challenge comprises a timestamp and message authentication code generated by the authentication service.
  - 5. The computer-implemented method of claim 1, further comprising, as a result of receiving the SSH authentication request, initiating a second SSH key exchange.

6. A system, comprising:
- one or more processors; and
  
  memory to store computer-executable instructions that, if executed, cause the one or more processors to;
  
  obtain a challenge from an authentication service;
  
  generate a secure shell (SSH) identification string that comprises the obtained challenge;
  
  transmit the generated SSH identification string to another computer system during an SSH identification string exchange;
  
  receive, from the other computer system, after an SSH key exchange with the other computer system, an SSH authentication request that comprises a digital signature;
  
  transmit to the authentication service the digital signature and information usable to determine a set of messages passed between the computer system and the other computer system, at least one message of the set of messages comprising the challenge;
  
  receive, from the authentication service, a response that indicates whether the digital signature was successfully verified as having been generated using the challenge; and
  
  authenticate the other computer system based at least in part on the received response.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 7. The system of claim 6, wherein the SSH identification string is configured in accordance with an SSH protocol.
  - 8. The system of claim 6, further comprising the authentication service.
  - 9. The system of claim 8, wherein the authentication service is configured to generate the challenge such that the challenge includes a digital signature generated by the authentication service.
  - 10. The system of claim 9, wherein the authentication service is configured to:
    - verify the authentication request, at least in part, by verifying the digital signature generated by the authentication service; and
      
      provide information, in response to verifying the authentication request, usable by the system to make application programming interface calls on behalf on an entity associated with the other computer system.
  - 11. The system of claim 6, wherein:
    - the SSH authentication request specifies a cryptographic key;
      
      the other computer system is configured to trust the cryptographic key; and
      
      the instructions, if executed, further cause the one or more processors to provide an application programming interface through which trust of the cryptographic key by the other system can be managed through the submission of application programming interface calls.
  - 12. The system of claim 6, wherein the challenge has information usable to determine an interval of time during which the challenge can be used for authentication requests.
  - 13. The system of claim 6, wherein:
    - the SSH identification strings comprises information to negotiate a version of an SSH protocol.
  - 14. The system of claim 6, wherein the instructions, if executed, cause the one or more processors to:
    - obtain the challenge by submitting a first application programming interface call to the authentication service; and
      
      cause the authentication service to verify the authentication request by submitting a second application programming interface call to the authentication service.
  - 15. The system of claim 6, wherein instructions, if executed, further cause the one or more processors to:
    - prior to receipt of the authentication request, determine a first cryptographic key for encrypting communications; and
      
      as a result of receiving the authentication request, determine a second cryptographic key to replace the first cryptographic key.
  - 16. The system of claim 6, wherein:
    - the system further comprises the other computer system; and
      
      the other computer system is configured to;
      
      use a set of parameters in the challenge to determine whether the challenge is valid; and
      
      submit the authentication request on a condition that the challenge is determined to be valid.

17. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of execution by one or more processors of a computer system, cause the computer system to at least:
- obtain a challenge from an authentication service;
  
  generate a secure shell (SSH) identification string that comprises the obtained challenge;
  
  transmit the generated SSH identification string to another computer system during an SSH identification string exchange;
  
  receive, from the other computer system, after an SSH key exchange with the other computer system, an SSH authentication request that comprises a digital signature;
  
  transmit to the authentication service the digital signature and information usable to determine a set of messages passed between the computer system and the other computer system, at least one message of the set of messages comprising the challenge;
  
  receive, from the authentication service, a response that indicates whether the digital signature was successfully verified as having been generated using the challenge; and
  
  authenticate the other computer system based at least in part on the received response.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The non-transitory computer-readable storage medium of claim 17, wherein is the instructions further cause the computer system to establish a secure shell (SSH) session with the other computer system.
  - 19. The non-transitory computer-readable storage medium of claim 17, wherein the identification string identifies a version of an SSH protocol.
  - 20. The non-transitory computer-readable storage medium of claim 19, wherein the challenge is in a comment field of the identification string.
  - 21. The non-transitory computer-readable storage medium of claim 17, wherein the instructions further cause the computer system to use a credential provided by the other computer system to submit a request on behalf of an entity associated with the other computer system.
  - 22. The non-transitory computer-readable storage medium of claim 17, wherein the instructions further comprise instructions that, as a result of execution by the one or more processors, cause the computer system to initiate a key exchange as a result of the authentication request having been received.
  - 23. The non-transitory computer-readable storage medium of claim 17, wherein the information usable to determine the set of messages comprises a protocol transcript.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Mikulski, Andrew Paul, Allen, Nicholas Alexander, Roth, Gregory Branchek
Primary Examiner(s)
Chen, Shin-Hon

Application Number

US14/717,937
Time in Patent Office

769 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 2463/121   Timestamp cryptographic mec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0876   based on the identity of th...

H04L 63/0884   by delegation of authentica...

H04L 63/123   received data contents, e.g...

H04L 63/166   at the transport layer

H04L 9/3234   involving additional secure...

H04L 9/3242   involving keyed hash functi...

H04L 9/3247   involving digital signatures

H04L 9/3271   using challenge-response

H04L 9/3297   involving time stamps, e.g....

Enhanced authentication for secure communications

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Enhanced authentication for secure communications

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links