USING END-USER FEDERATED LOGIN TO DETECT A BREACH IN A KEY EXCHANGE ENCRYPTED CHANNEL

US 20150256337A1
Filed: 03/04/2015
Published: 09/10/2015
Est. Priority Date: 03/05/2014
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating a key exchange between a first peer device and a second peer device, comprising:

sending, by the first peer device, federated login credentials of a user of the first peer device and a first identifier to a first federated login provider, wherein the second peer device sends the federated login credentials of the user and a second identifier to a second federated login provider;

receiving, by the first peer device, a first authentication response from the first federated login provider, wherein the second peer device receives a second authentication response from the second federated login provider;

receiving, by the first peer device, the second authentication response from the second peer device;

authenticating, by the first peer device, the second authentication response with the second federated login provider;

sending, by the first peer device, the first authentication response to the second peer device, wherein the second peer device authenticates the first authentication response with the first federated login provider;

receiving, by the first peer device, an acknowledgment from the second peer device indicating that the second peer device has authenticated the first authentication response;

sending, by the first peer device, an acknowledgment to the second peer device indicating that the first peer device has authenticated the second authentication response; and

authenticating, by the first peer device, the key exchange based on the acknowledgment from the second peer device, wherein the second peer device authenticates the key exchange based on the acknowledgment from the first peer device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are methods and systems for authenticating a key exchange between a first peer device and a second peer device. In an aspect, the first peer device sends federated login credentials of a user and a first identifier to a first federated login provider, receives a first authentication response from the first federated login provider, receives a second authentication response from the second peer device, authenticates the second authentication response with a second federated login provider, sends the first authentication response to the second peer device, receives an acknowledgment from the second peer device indicating that the second peer device has authenticated the first authentication response with the federated login provider, sends an acknowledgment to the second peer device indicating that the first peer device has authenticated the second authentication response, and authenticates the key exchange based on the acknowledgment from the second peer device.

34 Citations

View as Search Results

30 Claims

1. A method of authenticating a key exchange between a first peer device and a second peer device, comprising:
- sending, by the first peer device, federated login credentials of a user of the first peer device and a first identifier to a first federated login provider, wherein the second peer device sends the federated login credentials of the user and a second identifier to a second federated login provider;
  
  receiving, by the first peer device, a first authentication response from the first federated login provider, wherein the second peer device receives a second authentication response from the second federated login provider;
  
  receiving, by the first peer device, the second authentication response from the second peer device;
  
  authenticating, by the first peer device, the second authentication response with the second federated login provider;
  
  sending, by the first peer device, the first authentication response to the second peer device, wherein the second peer device authenticates the first authentication response with the first federated login provider;
  
  receiving, by the first peer device, an acknowledgment from the second peer device indicating that the second peer device has authenticated the first authentication response;
  
  sending, by the first peer device, an acknowledgment to the second peer device indicating that the first peer device has authenticated the second authentication response; and
  
  authenticating, by the first peer device, the key exchange based on the acknowledgment from the second peer device, wherein the second peer device authenticates the key exchange based on the acknowledgment from the first peer device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein receiving the first authentication response comprises receiving an HTML redirect with the first authentication response.
  - 3. The method of claim 2, wherein the first peer device sends the first authentication response to the second peer device instead of following the HTML redirect.
  - 4. The method of claim 1, further comprising:
    - establishing a secure session between the first peer device and the second peer device using the key exchange before sending the federated login credentials of the user and the first identifier to the first federated login provider.
  - 5. The method of claim 4, wherein the secure session is established using a Diffie-Helman key exchange.
  - 6. The method of claim 1, wherein the first federated login provider and the second federated login provider are different federated login providers, and wherein the first federated login provider and the second federated login provider comprise OpenID providers, OAuth providers, or FaceConnect providers.
  - 7. The method of claim 1, wherein the first federated login provider and the second federated login provider are the same federated login provider.
  - 8. The method of claim 1, wherein the first peer device comprises a controller peer device and the second peer device comprises a controlee peer device.
  - 9. The method of claim 1, further comprising:
    - generating, by the first peer device, a first public key for the key exchange;
      
      sending, by the first peer device, the first public key to the second peer device; and
      
      receiving, by the first peer device, a second public key from the second peer device.
  - 10. The method of claim 9, wherein the first identifier comprises the first public key, a combination of the first public key and the second public key, a hash of the first public key and the second public key, or a verifier of the first public key and the second public key calculated using a pseudo-random function (PRF).
  - 11. The method of claim 1, wherein the first identifier and the second identifier are the same identifier, and wherein the first identifier and the second identifier comprise a common hash or a computed verifier.
  - 12. The method of claim 1, wherein the first identifier and the second identifier are different identifiers, and wherein the first identifier comprises a first public key generated by the first peer device and the second identifier comprises a second public key generated by the second peer device.
  - 13. The method of claim 1, wherein authenticating the key exchange based on the acknowledgment from the second peer device comprises authenticating the key exchange based on receiving the acknowledgment from the second peer device.

14. An apparatus for authenticating a key exchange between a first peer device and a second peer device, comprising:
- logic configured to send, by the first peer device, federated login credentials of a user of the first peer device and a first identifier to a first federated login provider, wherein the second peer device sends the federated login credentials of the user and a second identifier to a second federated login provider;
  
  logic configured to receive, by the first peer device, a first authentication response from the first federated login provider, wherein the second peer device receives a second authentication response from the second federated login provider;
  
  logic configured to receive, by the first peer device, the second authentication response from the second peer device;
  
  logic configured to authenticate, by the first peer device, the second authentication response with the second federated login provider;
  
  logic configured to send, by the first peer device, the first authentication response to the second peer device, wherein the second peer device authenticates the first authentication response with the first federated login provider;
  
  logic configured to receive, by the first peer device, an acknowledgment from the second peer device indicating that the second peer device has authenticated the first authentication response;
  
  logic configured to send, by the first peer device, an acknowledgment to the second peer device indicating that the first peer device has authenticated the second authentication response; and
  
  logic configured to authenticate, by the first peer device, the key exchange based on the acknowledgment from the second peer device, wherein the second peer device authenticates the key exchange based on the acknowledgment from the first peer device.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The apparatus of claim 14, wherein the logic configured to receive the first authentication response comprises logic configured to receive an HTML redirect with the first authentication response.
  - 16. The apparatus of claim 15, wherein the first peer device sends the first authentication response to the second peer device instead of following the HTML redirect.
  - 17. The apparatus of claim 14, further comprising:
    - logic configured to establish a secure session between the first peer device and the second peer device using the key exchange before sending the federated login credentials of the user and the first identifier to the first federated login provider.
  - 18. The apparatus of claim 17, wherein the secure session is established using a Diffie-Helman key exchange.
  - 19. The apparatus of claim 14, wherein the first federated login provider and the second federated login provider are different federated login providers, and wherein the first federated login provider and the second federated login provider comprise OpenID providers, OAuth providers, or FaceConnect providers.
  - 20. The apparatus of claim 14, wherein the first federated login provider and the second federated login provider are the same federated login provider.
  - 21. The apparatus of claim 14, wherein the first peer device comprises a controller peer device and the second peer device comprises a controlee peer device.
  - 22. The apparatus of claim 14, further comprising:
    - logic configured to generate, by the first peer device, a first public key for the key exchange;
      
      logic configured to send, by the first peer device, the first public key to the second peer device; and
      
      logic configured to receive, by the first peer device, a second public key from the second peer device.
  - 23. The apparatus of claim 22, wherein the first identifier comprises the first public key, a combination of the first public key and the second public key, a hash of the first public key and the second public key, or a verifier of the first public key and the second public key calculated using a pseudo-random function (PRF).
  - 24. The apparatus of claim 14, wherein the first identifier and the second identifier are the same identifier, and wherein the first identifier and the second identifier comprise a common hash or a computed verifier.
  - 25. The apparatus of claim 14, wherein the first identifier and the second identifier are different identifiers, and wherein the first identifier comprises a first public key generated by the first peer device and the second identifier comprises a second public key generated by the second peer device.
  - 26. The apparatus of claim 14, wherein the logic configured to authenticate the key exchange based on the acknowledgment from the second peer device comprises logic configured to authenticate the key exchange based on receiving the acknowledgment from the second peer device.

27. An apparatus for authenticating a key exchange between a first peer device and a second peer device, comprising:
- means for sending, by the first peer device, federated login credentials of a user of the first peer device and a first identifier to a first federated login provider, wherein the second peer device sends the federated login credentials of the user and a second identifier to a second federated login provider;
  
  means for receiving, by the first peer device, a first authentication response from the first federated login provider, wherein the second peer device receives a second authentication response from the second federated login provider;
  
  means for receiving, by the first peer device, the second authentication response from the second peer device;
  
  means for authenticating, by the first peer device, the second authentication response with the second federated login provider;
  
  means for sending, by the first peer device, the first authentication response to the second peer device, wherein the second peer device authenticates the first authentication response with the first federated login provider;
  
  means for receiving, by the first peer device, an acknowledgment from the second peer device indicating that the second peer device has authenticated the first authentication response;
  
  means for sending, by the first peer device, an acknowledgment to the second peer device indicating that the first peer device has authenticated the second authentication response; and
  
  means for authenticating, by the first peer device, the key exchange based on the acknowledgment from the second peer device, wherein the second peer device authenticates the key exchange based on the acknowledgment from the first peer device.
- View Dependent Claims (28)
- - 28. The apparatus of claim 27, further comprising:
    - means for establishing a secure session between the first peer device and the second peer device using the key exchange before the federated login credentials of the user and the first identifier are sent to the first federated login provider.

29. A non-transitory computer-readable medium for authenticating a key exchange between a first peer device and a second peer device, comprising:
- at least one instruction to send, by the first peer device, federated login credentials of a user of the first peer device and a first identifier to a first federated login provider, wherein the second peer device sends the federated login credentials of the user and a second identifier to a second federated login provider;
  
  at least one instruction to receive, by the first peer device, a first authentication response from the first federated login provider, wherein the second peer device receives a second authentication response from the second federated login provider;
  
  at least one instruction to receive, by the first peer device, the second authentication response from the second peer device;
  
  at least one instruction to authenticate, by the first peer device, the second authentication response with the second federated login provider;
  
  at least one instruction to send, by the first peer device, the first authentication response to the second peer device, wherein the second peer device authenticates the first authentication response with the first federated login provider;
  
  at least one instruction to receive, by the first peer device, an acknowledgment from the second peer device indicating that the second peer device has authenticated the first authentication response;
  
  at least one instruction to send, by the first peer device, an acknowledgment to the second peer device indicating that the first peer device has authenticated the second authentication response; and
  
  at least one instruction to authenticate, by the first peer device, the key exchange based on the acknowledgment from the second peer device, wherein the second peer device authenticates the key exchange based on the acknowledgment from the first peer device.
- View Dependent Claims (30)
- - 30. The non-transitory computer-readable medium of claim 29, further comprising:
    - at least one instruction to establish a secure session between the first peer device and the second peer device using the key exchange before the federated login credentials of the user and the first identifier are sent to the first federated login provider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Qualcomm, Inc.
Original Assignee
Qualcomm, Inc.
Inventors
NGUYEN, Phil Tien, BURNS, Gregory, MCDONALD, Cameron Allen George

Granted Patent

US 9,954,679 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2209/24   Key scheduling, i.e. genera...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 67/141   Setup of application sessio...

H04L 9/0841   involving Diffie-Hellman or...

H04L 9/32   including means for verifyi...

H04L 9/3271   using challenge-response

H04W 12/069   using certificates or pre-s...

H04W 4/70   Services for machine-to-mac...

H04W 4/80   Services using short range ...

USING END-USER FEDERATED LOGIN TO DETECT A BREACH IN A KEY EXCHANGE ENCRYPTED CHANNEL

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

USING END-USER FEDERATED LOGIN TO DETECT A BREACH IN A KEY EXCHANGE ENCRYPTED CHANNEL

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links