Method and apparatus for pervasive authentication domains

US 7,953,976 B2
Filed: 10/31/2007
Issued: 05/31/2011
Est. Priority Date: 10/14/2003
Status: Expired due to Fees

First Claim

Patent Images

1. An apparatus comprising:

at least one processor;

a discoverer which finds at least one device configured as a personal authentication gateway capable of responding to token requests for access credentials from at least one pervasive device included in a pervasive authentication domain, the pervasive authentication domain including devices authorized to share access credentials;

a token requestor which sends at least one token request for at least one token required by the at least one pervasive device;

a token client which accepts at least one token response including the access credentials from the device configured as a personal authentication gateway;

wherein the access credentials allow the at least one pervasive device to authenticate to one or more services on behalf of a user as configured in the device configured as a personal authentication gateway; and

an arrangement adapted to register a pervasive device to be a member of a pervasive authentication domain by registering with the device configured as a personal authentication gateway;

wherein said registering arrangement comprises;

an arrangement adapted to enter a same random password on the pervasive device as on the device configured as the personal authentication gateway;

an arrangement adapted to receive an encryption key and encrypted value generated on the device configured as the personal authentication gateway;

an arrangement adapted to compute a fingerprint of the value encrypted by the encryption key and the same random password; and

an arrangement adapted to compare the fingerprint of the value on the pervasive device.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for enabling a Pervasive Authentication Domain. A Pervasive Authentication Domain allows many registered Pervasive Devices to obtain authentication credentials from a single Personal Authentication Gateway and to use these credentials on behalf of users to enable additional capabilities for the devices. It provides an arrangement for a user to store credentials in one device (the Personal Authentication Gateway), and then make use of those credentials from many authorized Pervasive Devices without re-entering the credentials. It provides a convenient way for a user to share credentials among many devices, particularly when it is not convenient to enter credentials as in a smart wristwatch environment. It further provides an arrangement for disabling access to credentials to devices that appear to be far from the Personal Authentication Gateway as measured by metrics such as communications signal strengths.

28 Citations

View as Search Results

18 Claims

1. An apparatus comprising:
- at least one processor;
  
  a discoverer which finds at least one device configured as a personal authentication gateway capable of responding to token requests for access credentials from at least one pervasive device included in a pervasive authentication domain, the pervasive authentication domain including devices authorized to share access credentials;
  
  a token requestor which sends at least one token request for at least one token required by the at least one pervasive device;
  
  a token client which accepts at least one token response including the access credentials from the device configured as a personal authentication gateway;
  
  wherein the access credentials allow the at least one pervasive device to authenticate to one or more services on behalf of a user as configured in the device configured as a personal authentication gateway; and
  
  an arrangement adapted to register a pervasive device to be a member of a pervasive authentication domain by registering with the device configured as a personal authentication gateway;
  
  wherein said registering arrangement comprises;
  
  an arrangement adapted to enter a same random password on the pervasive device as on the device configured as the personal authentication gateway;
  
  an arrangement adapted to receive an encryption key and encrypted value generated on the device configured as the personal authentication gateway;
  
  an arrangement adapted to compute a fingerprint of the value encrypted by the encryption key and the same random password; and
  
  an arrangement adapted to compare the fingerprint of the value on the pervasive device.
- View Dependent Claims (2, 3, 4)
- - 2. The apparatus according to claim 1, wherein the at least one token request comprises a pervasive device identification indicating the at least one pervasive device is a member of the pervasive authentication domain.
  - 3. The apparatus according to claim 2, wherein the at least one token request is encrypted using information obtained during registration as a member of the pervasive authentication domain.
  - 4. The apparatus according to claim 3, wherein said device configured as a personal authentication gateway is a pervasive device.

5. An apparatus comprising:
- at least one processor;
  
  means for registering at least one pervasive device for membership in a pervasive authentication domain, the pervasive authentication domain including devices authorized to share access credentials; and
  
  means for receiving a token request for the access credentials from at least one pervasive device;
  
  means for determining whether the at least one pervasive device is a member of the pervasive authentication domain based on a pervasive device identification;
  
  means for sending at least one token response including the access credentials to said at least one pervasive device from a device configured as a personal authentication gateway;
  
  wherein the access credentials allow the at least one pervasive device to authenticate to one or more services on behalf of a user as configured in the device configured as a personal authentication gateway;
  
  wherein said means for registering comprises;
  
  means for entering a same random password on the device configured as the personal authentication gateway as on the at least one pervasive device; and
  
  means for transmitting an encryption key and encrypted value generated on the device configured as the personal authentication gateway to the at least one pervasive device such that the at least one pervasive device can compute a fingerprint of the value encrypted by the encryption key and the same random password and compare the fingerprint of the value.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13)
- - 6. The apparatus according to claim 5, wherein said sending means comprises an arrangement adapted such that the device configured as a personal authentication gateway responds to a pervasive authentication domain discovery message from the at least one pervasive device.
  - 7. The apparatus according to claim 6, wherein:
    - said means for sending comprises an arrangement adapted to send the at least one token response only if the pervasive device identification for the pervasive authentication domain discovery message is a member of the pervasive authentication domain of the device configured as a personal authentication gateway.
  - 8. The apparatus according to claim 5, wherein said means for sending comprises:
    - an arrangement adapted to determine the pervasive device identification of the at least one token request;
      
      an arrangement adapted to derive at least one pervasive authentication domain for the at least one pervasive device; and
      
      an arrangement adapted to retrieve at least one authentication token for the pervasive device.
  - 9. The apparatus according to claim 5, wherein the at least one token response is encrypted.
  - 10. The apparatus according to claim 8, wherein said determining arrangement is adapted to validate that the at least one pervasive device has been registered for the at least one pervasive authentication domain.
  - 11. The apparatus according to claim 8, wherein said determining arrangement is adapted to ascertain whether the at least one pervasive device is within a given distance of the device configured as a personal authentication gateway.
  - 12. The apparatus according to claim 8, wherein said determining arrangement is adapted to ascertain whether the at least one pervasive device has recently made a previous request.
  - 13. The apparatus according to claim 8, wherein said determining arrangement is adapted to ascertain whether the at least one pervasive device has not sent a message indicating that the at least one pervasive device is no longer to be trusted.

14. A non-transitory program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform steps comprising:
- registering, at a device configured as a personal authentication gateway, at least one pervasive device for membership in a pervasive authentication domain, the pervasive authentication domain including devices authorized to share access credentials;
  
  ascertaining the device configured as a personal authentication gateway from the at least one pervasive device;
  
  sending at least one token request for the access credentials from the at least one pervasive device to the device configured as a personal authentication gateway; and
  
  receiving a token response including the access credentials at the at least one pervasive device from the device configured as a personal authentication gateway;
  
  wherein the access credentials allow the at least one pervasive device to authenticate to one or more services on behalf of a user as configured in the device configured as a personal authentication gateway; and
  
  wherein said registering step comprises;
  
  entering a same random password on the pervasive device as on the device configured as the personal authentication gateway;
  
  receiving an encryption key and encrypted value on the device configured as the personal authentication gateway;
  
  computing a fingerprint of the value encrypted by the encryption key and the same random password; and
  
  comparing the fingerprint of the value on the pervasive device.

15. A non-transitory program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform steps comprising:
- registering, at a device configured as a personal authentication gateway, at least one pervasive device for membership in a pervasive authentication domain, the pervasive authentication domain including devices authorized to share access credentials;
  
  receiving at least one token request for access credentials from at least one pervasive device at a device configured as a personal authentication gateway for a pervasive authentication domain, the pervasive authentication domain including devices authorized to share access credentials;
  
  determining whether the at least one pervasive device is a member of the pervasive authentication domain; and
  
  sending at least one token response including the access credentials to the at least one pervasive device from the device configured as a personal authentication gateway;
  
  wherein the access credentials allow the at least one pervasive device to authenticate to one or more services on behalf of a user as configured in the device configured as a personal authentication gateway; and
  
  wherein said registering step comprises;
  
  entering a same random password on the device configured as the personal authentication gateway as on the at least one pervasive device; and
  
  transmitting an encryption key and encrypted value generated on the device configured as the personal authentication gateway to the at least one pervasive device such that the at least one pervasive device can compute a fingerprint of the value encrypted by the encryption key and the same random password and compare the fingerprint of the value.

16. An article of manufacture comprising:
- a non-transitory computer usable medium having computer readable program code means embodied therein for performing steps for retrieving at least one authentication token from a device configured as a personal authentication gateway, said steps comprising;
  
  registering, at the device configured as a personal authentication gateway, at least one pervasive device for membership in a pervasive authentication domain, the pervasive authentication domain including devices authorized to share access credentials;
  
  ascertaining a device configured as a personal authentication gateway for a pervasive authentication domain from at least one pervasive device, the pervasive authentication domain including devices authorized to share access credentials;
  
  sending at least one token request for access credentials from at least one pervasive device to the device configured as a personal authentication gateway; and
  
  receiving a token response including the access credentials at the at least one pervasive device from the device configured as a personal authentication gateway;
  
  wherein the access credentials allow the at least one pervasive device to authenticate to one or more services on behalf of a user as configured in the device configured as a personal authentication gateway; and
  
  wherein said registering step comprises;
  
  entering a same random password on the pervasive device as on the device configured as the personal authentication gateway;
  
  receiving an encryption key and encrypted value generated on the device configured as the personal authentication gateway;
  
  computing a fingerprint of the value encrypted by the encryption key and the same random password; and
  
  comparing the fingerprint of the value on the pervasive device.

17. An article of manufacture comprising:
- a non-transitory computer usable medium having computer readable program code means embodied therein for performing steps comprising;
  
  registering, at a device configured as a personal authentication gateway, at least one pervasive device for membership in a pervasive authentication domain, the pervasive authentication domain including devices authorized to share access credentials;
  
  receiving at least one token request for access credentials from at least one pervasive device at a device configured as a personal authentication gateway for a pervasive authentication domain, the pervasive authentication domain including devices authorized to share access credentials;
  
  determining whether the at least one pervasive device is authorized to receive authentication tokens; and
  
  sending at least one token response including the access credentials to the at least one pervasive device from the device configured as a personal authentication gateway;
  
  wherein the access credentials allow the at least one pervasive device to authenticate to one or more services on behalf of a user as configured in the device configured as the personal authentication gateway; and
  
  wherein said registering step comprises;
  
  entering a same random password on the device configured as the personal authentication gateway as on the at least one pervasive device; and
  
  transmitting an encryption key and encrypted value generated on the device configured as the personal authentication gateway to the at least one pervasive device such that the at least one pervasive device can compute a fingerprint of the value encrypted by the encryption key and the same random password and compare the fingerprint of the value.

18. A computer program product comprising a non-transitory computer usable medium having computer readable program code means embodied therewith for performing steps comprising:
- registering, at a device configured as a personal authentication gateway, at least one pervasive device for membership in a pervasive authentication domain, the pervasive authentication domain including devices authorized to share access credentials;
  
  discovering the device configured as a personal authentication gateway for a pervasive authentication domain, the pervasive authentication domain including one or more pervasive devices authorized to receive authentication tokens including access credentials for authenticating to one or more services on behalf of a user;
  
  sending at least one request for at least one token required by the at least one pervasive device for authenticating to one or more services;
  
  accepting at least one token request and sending at least one token response with at least one authentication token to the at least one pervasive device;
  
  wherein said registering step comprises;
  
  entering a same random password on the pervasive device as on the device configured as the personal authentication gateway;
  
  receiving an encryption key and encrypted value generated on the device configured as the personal authentication gateway;
  
  computing a fingerprint of the value encrypted by the encryption key and the same random password; and
  
  comparing the fingerprint of the value on the pervasive device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Giles, James R., Sailer, Reiner
Primary Examiner(s)
Orgad; Edan
Assistant Examiner(s)
SHAW, YIN CHEN

Application Number

US11/932,804
Publication Number

US 20080141356A1
Time in Patent Office

1,308 Days
Field of Search

726 5- 7, 726/10, 726/9, 713/168, 713/170, 713/182, 713/150, 713/153, 380/277
US Class Current

713/168
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/126   the source of the received ...

Method and apparatus for pervasive authentication domains

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for pervasive authentication domains

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links