Secure authentication of remote equipment

US 9,998,287 B2
Filed: 03/06/2015
Issued: 06/12/2018
Est. Priority Date: 03/06/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by an authentication system, from a content server, a request to authenticate a network device;

sending, by the authentication system and to the network device, an encrypted challenge message;

receiving, by the authentication system and from the network device, an encrypted response to the encrypted challenge message, wherein the encrypted response comprises a digital signature of the network device, and wherein the encrypted response comprises an identifier of an unauthorized user device requesting to exchange data with the content server via the network device;

verifying, by the authentication system based on the encrypted response, an authenticity of the network device; and

authorizing, by the authentication system and based on successful verification of the authenticity of the network device, the content server to exchange unencrypted data with the unauthorized user device via the network device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication server may use secure messaging with a remote device prior to authorizing non-secure communications between the remote device and a content server, thereby preventing unauthorized access to the content server. The secure messaging uses such security features as encryption, signatures with authentication certificates, a realm, and/or a nonce. Once non-secure communication is authorized, the remote device may act as a proxy between the content server and a user device connected to the remote device. The authentication server sends timeout notices to the remote device containing an interval and a key. To continue non-secure communications with the content server, the remote device must respond prior to the expiration of the interval by sending a keep-alive message containing the key to the authentication server.

Citations

19 Claims

1. A method comprising:
- receiving, by an authentication system, from a content server, a request to authenticate a network device;
  
  sending, by the authentication system and to the network device, an encrypted challenge message;
  
  receiving, by the authentication system and from the network device, an encrypted response to the encrypted challenge message, wherein the encrypted response comprises a digital signature of the network device, and wherein the encrypted response comprises an identifier of an unauthorized user device requesting to exchange data with the content server via the network device;
  
  verifying, by the authentication system based on the encrypted response, an authenticity of the network device; and
  
  authorizing, by the authentication system and based on successful verification of the authenticity of the network device, the content server to exchange unencrypted data with the unauthorized user device via the network device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - sending, by the authentication system and to the network device, an encrypted timeout notice that comprises an indication of a time interval;
      
      receiving, prior to the expiration of the indicated time interval, by the authentication system and from the network device, an encrypted keep-alive message; and
      
      reauthorizing, by the authentication system, the content server to exchange unencrypted data with the unauthorized user device via the network device.
  - 3. The method of claim 2, wherein:
    - the encrypted challenge message comprises a realm and a nonce;
      
      the method further comprising, withholding authorization, by the authentication system, for the content server to exchange unencrypted data with the unauthorized user device via the network device if the encrypted response does not comprise the realm and the nonce.
  - 4. The method of claim 3, further comprising signing, by the authentication system using a first authentication certificate, the encrypted challenge message and the encrypted timeout notice.
  - 5. The method of claim 4, wherein:
    - the encrypted response and the keep-alive message are signed using a second authentication certificate;
      
      the method further comprising, withholding authorization, by the authentication system, for the content server to exchange unencrypted data with the unauthorized user device via the network device, if the second authentication certificate is not recognized by the authentication system.
  - 6. The method of claim 1, wherein the identifier of the unauthorized user device is an Internet protocol source address, a media access control address, or a universal unique identifier.

7. An apparatus comprising:
- one or more processors; and
  
  a memory, the memory storing computer-executable instructions that, when executed by the one or more processors, cause the apparatus to;
  
  receive, from a content server, a request to authenticate a network device;
  
  send, to the network device, an encrypted challenge message;
  
  receive, from the network device, an encrypted response to the encrypted challenge message, the encrypted response comprising a digital signature of the network device, the encrypted response further comprising an identifier of an unauthorized user device requesting to exchange data with the content server;
  
  verify, based on the encrypted response, an authenticity of the network device; and
  
  authorize, based on successful verification of the authenticity of the network device, the content server to exchange unencrypted data with the unauthorized user device via the network device.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus of claim 7, wherein the instructions further cause the apparatus to:
    - send, to the network device, an encrypted timeout notice that comprises an indication of a time interval;
      
      receive, from the network device, an encrypted keep-alive message prior to the expiration of the indicated time interval; and
      
      send, to the content server, a reauthorization to exchange unencrypted data with the unauthorized user device via the network device.
  - 9. The apparatus of claim 8, wherein the instructions further cause the apparatus to sign, based on a first authentication certificate, the encrypted challenge message and the encrypted timeout notice.
  - 10. The apparatus of claim 7, wherein:
    - the encrypted response and the encrypted keep-alive message are signed using a second authentication certificate; and
      
      the instructions further cause the apparatus to withhold the authorization if the second authentication certificate is not recognized by the apparatus.
  - 11. The apparatus of claim 7, wherein the encrypted challenge message comprises a realm and a nonce, and wherein the instructions further cause the apparatus to:
    - determine whether the encrypted response includes the realm and the nonce; and
      
      withhold, if the encrypted response lacks either the realm or the nonce, the authorization.
  - 12. The apparatus of claim 7, wherein the identifier of the unauthorized user device is an Internet protocol source address, a media access control address, or a universal unique identifier.

13. A system comprising:
- a network device configured to provide network access to one or more user devices;
  
  a content server configured to communicate with the one or more user devices via the network device; and
  
  an authentication server configured to;
  
  receive, from the content server, a request to authenticate the network device;
  
  send, to the network device, an encrypted challenge message;
  
  receive, from the network device, an encrypted response to the encrypted challenge message, wherein the encrypted response comprises a digital signature of the network device, and wherein the encrypted response further comprises an identifier of an unauthorized one of the one or more user devices requesting to exchange data with the content server via the network device; and
  
  verify, based on the encrypted response, an authenticity of the network device; and
  
  authorize, based on successful verification of the authenticity of the network device, the content server to exchange unencrypted data with the unauthorized one of the one or more user devices via the network device.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. The system of claim 13, wherein the authentication server is further configured to:
    - send, to the network device, an encrypted timeout notice that comprises an indication of a time interval;
      
      receive, from the network device, an encrypted keep-alive message prior to the expiration of the indicated time interval; and
      
      send, to the content server, a reauthorization to exchange unencrypted data with the unauthorized one of the one or more user devices via the network device.
  - 15. The system of claim 14, wherein the authentication server is further configured to sign, using a first authentication certificate, the encrypted challenge message and the encrypted timeout notice.
  - 16. The system of claim 15, wherein:
    - the network device is configured to sign, using a second authentication certificate, the response and the encrypted keep-alive message; and
      
      the authentication server is further configured to withhold the authorization if the second authentication certificate is not recognized by the authentication server.
  - 17. The system of claim 15, wherein the encrypted challenge, the encrypted response, the encrypted timeout notice, and the encrypted keep-alive message are encrypted in accordance with an MD5 hash.
  - 18. The system of claim 13, wherein the authentication server is further configured to:
    - include a realm and a nonce in the encrypted challenge message;
      
      determine whether the encrypted response includes the realm and the nonce; and
      
      withhold the authorization if the encrypted response lacks either the realm or the nonce.
  - 19. The system of claim 13, wherein the identifier of the unauthorized one of the one or more user devices is an Internet protocol source address, a media access control address, or a universal unique identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Comcast Cable Communications LLC (Comcast Corporation)
Original Assignee
Comcast Cable Communications LLC (Comcast Corporation)
Inventors
Lee, Yiu Leung
Primary Examiner(s)
Li, Meng

Application Number

US14/640,745
Publication Number

US 20160261414A1
Time in Patent Office

1,194 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0281   Proxies

H04L 63/0823   using certificates cryptogr...

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/321   involving a third party or ...

H04L 9/3263   involving certificates, e.g...

H04L 9/3271   using challenge-response

H04L 9/3297   involving time stamps, e.g....

Secure authentication of remote equipment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Secure authentication of remote equipment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links