DEVICE-LEVEL AUTHENTICATION WITH UNIQUE DEVICE IDENTIFIERS

US 20170026187A1
Filed: 09/11/2015
Published: 01/26/2017
Est. Priority Date: 07/25/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

transmitting, by a client device, a manufacturer security certificate to a provisioning server device, wherein the manufacturer security certificate is associated with a manufacturer of the client device;

establishing, between the client device and the provisioning server device, a secure connection, wherein the secure connection is established based on the manufacturer security certificate;

transmitting, by the client device over the secure connection, device data that characterizes the client device;

after transmission of the device data, receiving, by the client device over the secure connection, a server security certificate, wherein the server security certificate identifies secure communication parameters of one or more pre-validated server devices, wherein the pre-validated server devices do not include the provisioning server device;

after transmission of the device data, receiving, by the client device over the secure connection, a unique client device identifier, wherein the unique client device identifier is not included in the device data and is configured to support secure access to the pre-validated server devices;

storing, by the client device, the unique client device identifier in a tamper-resistant secure memory element of the client device; and

based on the unique client device identifier, accessing, by the client device, protected information available to a particular pre-validated server device of the one or more pre-validated server devices, wherein the accessing the protected information comprises (i) establishing, between the client device and the particular pre-validated server device, a second secure connection, wherein the second secure connection is established based on the server security certificate, (ii) after establishing the second secure connection, transmitting, by the client device over the second secure connection, a representation of the unique client device identifier, and (iii) receiving, by the client device over the second secure connection, the protected information, wherein the second secure connection involves mutual authentication between the client device and the particular pre-validated server device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An embodiment may include transmitting a manufacturer security certificate to a provisioning server device, and establishing, with the provisioning server device, a secure connection based on the manufacturer security certificate. The embodiment may also involve transmitting, over the secure connection, device data that characterizes the client device, and receiving, over the secure connection, a server security certificate. The embodiment may further include obtaining a unique client device identifier, where the unique client device identifier is stored in a secure memory element of the client device. The embodiment may additionally include, possibly based on the server security certificate and the unique client device identifier, accessing protected information available to a particular pre-validated server device.

26 Citations

24 Claims

1. A method comprising:
- transmitting, by a client device, a manufacturer security certificate to a provisioning server device, wherein the manufacturer security certificate is associated with a manufacturer of the client device;
  
  establishing, between the client device and the provisioning server device, a secure connection, wherein the secure connection is established based on the manufacturer security certificate;
  
  transmitting, by the client device over the secure connection, device data that characterizes the client device;
  
  after transmission of the device data, receiving, by the client device over the secure connection, a server security certificate, wherein the server security certificate identifies secure communication parameters of one or more pre-validated server devices, wherein the pre-validated server devices do not include the provisioning server device;
  
  after transmission of the device data, receiving, by the client device over the secure connection, a unique client device identifier, wherein the unique client device identifier is not included in the device data and is configured to support secure access to the pre-validated server devices;
  
  storing, by the client device, the unique client device identifier in a tamper-resistant secure memory element of the client device; and
  
  based on the unique client device identifier, accessing, by the client device, protected information available to a particular pre-validated server device of the one or more pre-validated server devices, wherein the accessing the protected information comprises (i) establishing, between the client device and the particular pre-validated server device, a second secure connection, wherein the second secure connection is established based on the server security certificate, (ii) after establishing the second secure connection, transmitting, by the client device over the second secure connection, a representation of the unique client device identifier, and (iii) receiving, by the client device over the second secure connection, the protected information, wherein the second secure connection involves mutual authentication between the client device and the particular pre-validated server device.
- View Dependent Claims (3, 4, 5, 7, 9, 12)
- - 3. The method of claim 1, wherein at least one of the secure connection or the second secure connection is established, at least in part, by a web browser application operating on the client device.
  - 4. The method of claim 1, wherein the secure connection is based on Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols.
  - 5. The method of claim 1, wherein, prior to transmitting the manufacturer security certificate to the provisioning server device, the client device has not communicated with the provisioning server device or any of the one or more pre-validated server devices.
  - 7. The method of claim 1 further comprising:
    - in response to receiving the server security certificate, validating, by the client device, the server security certificate.
  - 9. The method of claim 1, wherein writing the unique client device identifier to the tamper-resistant secure memory element comprises locking the tamper-resistant secure memory element with the unique client device identifier stored therein.
  - 12. The method of claim 1, wherein accessing the protected information occurs without the client device transmitting security credentials that identify a user of the client device to the particular pre-validated server device.

2. (canceled)

6. (canceled)

8. (canceled)

10-11. -11. (canceled)

13. A method comprising:
- receiving, by a provisioning server device, a manufacturer security certificate from a client device, wherein the manufacturer security certificate is associated with a manufacturer of the client device;
  
  establishing, between the client device and the provisioning server device, a secure connection, wherein the secure connection is established based on the manufacturer security certificate;
  
  receiving, by the provisioning server device over the secure connection, device data that characterizes the client device;
  
  transmitting, by the provisioning server device over the secure connection, a server security certificate, wherein the server security certificate identifies secure communication parameters of one or more pre-validated server devices, wherein the pre-validated server devices do not include the provisioning server device;
  
  randomly generating, by the provisioning server device, a representation of a unique client device identifier, wherein the unique client device identifier is associated with the client device and is configured to support, for the client device, secure access to the pre-validated server devices;
  
  transmitting, by the provisioning server device over the secure connection, the unique client device identifier, wherein reception of the unique client device identifier causes the client device to store the unique client device identifier in a tamper-resistant secure memory element of the client device; and
  
  based on the representation of the unique client device identifier, registering, by the provisioning server device, the client device, wherein the registration associates the representation of the unique client device identifier with policies that allow the client device to securely access, by way of the secure communication parameters, protected information available to the one or more pre-validated server devices, wherein the accessing the protected information comprises (i) establishing, between the client device and a particular pre-validated server device, a second secure connection, wherein the second secure connection is established based on the server security certificate, (ii) after establishing the second secure connection, transmitting, by the client device over the second secure connection, a representation of the unique client device identifier, and (iii) receiving, by the client device over the second secure connection, the protected information, wherein the second secure connection involves mutual authentication between the client device and the particular pre-validated server device.
- View Dependent Claims (14, 17, 18)
- - 14. The method of claim 13, further comprising:
    - generating a hash of the unique client device identifier, wherein the hash is a one-way cryptographic function;
      
      comparing the hash to other hashes associated with other unique client device identifiers; and
      
      verifying that the hash is unique amongst the other hashes.
  - 17. The method of claim 13, further comprising:
    - instructing, by the provisioning server device over the secure connection, the client device to perform a secure test transaction with a particular pre-validated server device, wherein security of the secure test transaction is based on the secure communication parameters.
  - 18. The method of claim 13, wherein accessing the protected information occurs without the client device transmitting security credentials that identify a user of the client device to the one or more pre-validated server devices.

15-16. -16. (canceled)

19. An article of manufacture including a non-transitory computer-readable medium, having stored thereon program instructions that, upon execution by a client device, cause the client device to perform operations comprising:
- transmitting a manufacturer security certificate to a provisioning server device, wherein the manufacturer security certificate is associated with a manufacturer of the client device;
  
  establishing, between the client device and the provisioning server device, a secure connection, wherein the secure connection is established based on the manufacturer security certificate;
  
  transmitting, over the secure connection, device data that characterizes the client device;
  
  after transmission of the device data, receiving, over the secure connection, a server security certificate, wherein the server security certificate identifies secure communication parameters of one or more pre-validated server devices, wherein the pre-validated server devices do not include the provisioning server device;
  
  after transmission of the device data, receiving a unique client device identifier over the secure connection, wherein the unique client device identifier is not included in the device data and is configured to support secure access to the pre-validated server devices;
  
  storing, by the client device, the unique client device identifier in a tamper-resistant secure memory element of the client device; and
  
  based on the unique client device identifier, accessing protected information available to a particular pre-validated server device, wherein the accessing the protected information comprises (i) establishing, between the client device and the particular pre-validated server device, a second secure connection, wherein the second secure connection is established based on the server security certificate, (ii) after establishing the second secure connection, transmitting, by the client device over the second secure connection, a representation of the unique client device identifier, and (iii) receiving, by the client device over the second secure connection, the protected information, wherein the second secure connection involves mutual authentication between the client device and the particular pre-validated server device.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The article of manufacture of claim 19, wherein, prior to transmitting the manufacturer security certificate to the provisioning server device, the client device has not communicated with the provisioning server device or any of the one or more pre-validated server devices.
  - 22. The article of manufacture of claim 19, the operations further comprising:
    - in response to receiving the server security certificate, validating, by the client device, the server security certificate.
  - 23. The article of manufacture of claim 19, wherein writing the unique client device identifier to the tamper-resistant secure memory element comprises locking the tamper-resistant secure memory element with the unique client device identifier stored therein.
  - 24. The article of manufacture of claim 19, wherein accessing the protected information occurs without the client device transmitting security credentials that identify a user of the client device to the particular pre-validated server device.

20. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Confia Systems, Inc.
Original Assignee
Confia Systems, Inc.
Inventors
Ramatchandirane, Nadaradjane

Granted Patent

US 9,602,292 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/305   by remotely controlling dev...

G06F 21/44   Program or device authentic...

G06F 21/6218   to a system of files or obj...

H04L 63/0823   using certificates cryptogr...

H04L 63/0876   based on the identity of th...

H04L 63/166   at the transport layer

H04L 9/3268   using certificate validatio...

DEVICE-LEVEL AUTHENTICATION WITH UNIQUE DEVICE IDENTIFIERS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

DEVICE-LEVEL AUTHENTICATION WITH UNIQUE DEVICE IDENTIFIERS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links