Web authentication using client platform root of trust

US 9,887,997 B2
Filed: 12/28/2011
Issued: 02/06/2018
Est. Priority Date: 12/28/2011
Status: Active Grant

First Claim

Patent Images

1. A device for device-specific web authentication, the device comprising:

at least one processor arranged to;

request a website to be accessed; and

access the website in response to a website access initiation from an authorization module on a server; and

a secure execution environment arranged to;

store a device-stored uniform resource identifier representing an address of the website to be accessed;

send the device-stored uniform resource identifier to the authorization module;

receive a server-stored uniform resource identifier representing the address of the website to be accessed from the authorization module;

compare the server-stored uniform resource identifier to the device-stored uniform resource identifier and make a validity determination valid if they match and invalid otherwise;

send the validity determination to the authorization module in response to a validation of the server-stored uniform resource identifier by the secure execution environment, the website access initiation being based on the validity determination;

send a provisioning request to the authorization module to configure the device to securely access the website, the provisioning request including credentials of a user having an account associated with the website; and

receive the device-stored uniform resource identifier after the authorization module has determined that the credentials are valid and that the device is associated with the user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for performing web authentication using a client platform root of trust are disclosed herein. Website and user validity and integrity may be authenticated based on the user device'"'"'s attempt to access the website. A user device may securely access the website once the user device is successfully authenticated with a server. In an embodiment, the user device may perform an authentication of the website to ensure the website is a valid entity.

16 Citations

20 Claims

1. A device for device-specific web authentication, the device comprising:
- at least one processor arranged to;
  
  request a website to be accessed; and
  
  access the website in response to a website access initiation from an authorization module on a server; and
  
  a secure execution environment arranged to;
  
  store a device-stored uniform resource identifier representing an address of the website to be accessed;
  
  send the device-stored uniform resource identifier to the authorization module;
  
  receive a server-stored uniform resource identifier representing the address of the website to be accessed from the authorization module;
  
  compare the server-stored uniform resource identifier to the device-stored uniform resource identifier and make a validity determination valid if they match and invalid otherwise;
  
  send the validity determination to the authorization module in response to a validation of the server-stored uniform resource identifier by the secure execution environment, the website access initiation being based on the validity determination;
  
  send a provisioning request to the authorization module to configure the device to securely access the website, the provisioning request including credentials of a user having an account associated with the website; and
  
  receive the device-stored uniform resource identifier after the authorization module has determined that the credentials are valid and that the device is associated with the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The device of claim 1, wherein to send the device-stored uniform resource identifier includes the secure execution environment arranged to send an encryption of the device-stored uniform resource identifier.
  - 3. The device of claim 1, wherein to receive the server-stored uniform resource identifier includes the server execution environment arranged to receive an encryption of the server-stored uniform resource identifier.
  - 4. The device of claim 1, wherein to access the website includes the processor arranged to access account information associated with an account of a user of the device.
  - 5. The device of claim 1, wherein the request includes an indicator to use device-specific authentication, the authorization module sending the server-stored uniform resource identifier based on the indicator.
  - 6. The device of claim 1, wherein the device-stored uniform resource identifier is arranged to provide access to the website for a particular period of time.
  - 7. The device of any one of claim 1, wherein the secure execution environment is arranged to deny access to the website by the processor.

8. A method for web authentication, the method comprising:
- responsive to a request to access a website using a device having a secure execution environment, the device arranged to use a client platform root of trust, sending to a server a device-stored web address of the website stored at the secure execution environment, the device-stored web address being specific to the device;
  
  receiving at the secure execution environment on the device, a server-stored web address of the website as stored at the server, the server-stored web address being specific to the device;
  
  determining, via the secure execution environment, whether the server-stored web address is valid, including comparing the server-stored web address to the device-stored web address and making a validity determination valid if they match and invalid otherwise;
  
  initiating access to the website if the server-stored web address is valid and if the server determines that the device-stored web address is valid;
  
  sending to the server a request to configure the device to securely access the website including sending credentials of a user having an account associated with the website;
  
  receiving at the secure execution environment the device-stored web address after the server has determined that the credentials are valid and that the device is associated with the user; and
  
  storing the device-stored web address at the secure execution environment.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 9. The method of claim 8, wherein accessing the website includes accessing account information associated with an account of a user.
  - 10. The method of claim 8, wherein the server-stored web address is valid if the server-stored web address matches the device-stored web address.
  - 11. The method of claim 8, wherein sending the device-stored web address includes sending an encryption of the device-stored web address.
  - 12. The method of claim 8, wherein receiving the server-stored web address includes receiving an encryption of the server-stored web address.
  - 13. The method of claim 8, wherein the request to access the website includes an indicator indicating the secure execution environment stores the device-stored web address, the server-stored web address being received based on the indicator.
  - 14. The method of claim 8, wherein the access to the website is provided by the server for a period of time.
  - 15. The method of claim 8, further comprising denying, via the secure execution environment, access to the website if the server-stored web address is invalid.
  - 16. At least one non-transitory machine-readable medium comprising a plurality of instructions that, in response to being executed on a computing device, cause the computing device to perform the method according to claim 8.
  - 17. An apparatus including at least one processor arranged to perform the method according to claim 8.

18. An authorization module for device-specific web authentication, the authorization module arranged to:
- receive a provisioning request to access a website from a device having a secure execution environment, the provisioning request to configure the device to securely access the website, and the provisioning request including credentials of a user having an account associated with the website;
  
  perform a validation of whether the credentials are valid and that the device is associated with the user and, in response to a positive validation send a uniform resource identifier to be stored in the secure execution environment of the device as a device-stored uniform resource identifier, and representing an address of the website;
  
  thereafter, receive the device-stored uniform resource identifier from the device, the device-stored uniform resource identifier being stored in the secure execution environment and representing an address of the website;
  
  send a server-stored uniform resource identifier to the secure execution environment, the server-stored uniform resource identifier representing the address of the website; and
  
  provide access to the website in response to a determination that the device-stored uniform resource identifier is valid and in response to a comparison of the server-stored web address to the device-stored web address to produce a determination by the secure execution environment that the server-stored uniform resource identifier is valid;
  
  wherein the determination that the device-stored uniform resource identifier is valid is provided by the authorization module being arranged to compare the device-stored uniform resource identifier to the server-stored uniform resource identifier and find it valid if they match and invalid otherwise.
- View Dependent Claims (19)
- - 19. The authorization module of claim 18, wherein the website includes account information associated with an account of a user.

20. A method for web authentication to control access to a web site, the method comprising:
- receiving at a server a device-stored web address of the website stored at a secure environment, the device-stored web address being a web address specific to the device, the device arranged to use a client platform root of trust;
  
  sending from the server to the secure execution environment on the device a server-stored web address of the website stored at the server;
  
  determining, via the server, whether the device-stored web address is valid;
  
  providing access to the website if the device-stored web address is valid and if the secure execution environment of the device determines that the server-stored web address is valid based on a comparison between the server-stored web address to the device-stored web address;
  
  receiving at the server a request to configure the device to securely access the website including receiving credentials of a user having an account associated with the website;
  
  determining whether the credentials are valid and whether the device is associated with the user;
  
  generating the device-stored web address if the credentials are valid and if the device is associated with the user; and
  
  sending to the secure execution environment the device-stored web address, wherein the device-stored web address is stored at the secure execution environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Prakash, Gyan, Poornachandran, Rajesh
Primary Examiner(s)
Brown, Anthony
Assistant Examiner(s)
Corum, Jr., William

Application Number

US13/992,811
Publication Number

US 20140289831A1
Time in Patent Office

2,232 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 2221/2129   Authenticate client device ...

H04L 63/0876   based on the identity of th...

H04L 63/168   above the transport layer

H04L 9/3228   One-time or temporary data,...

Web authentication using client platform root of trust

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Web authentication using client platform root of trust

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links