US20140006781A1 - Encapsulating the complexity of cryptographic authentication in black-boxes - Google Patents
Encapsulating the complexity of cryptographic authentication in black-boxes Download PDFInfo
- Publication number
- US20140006781A1 US20140006781A1 US13/925,824 US201313925824A US2014006781A1 US 20140006781 A1 US20140006781 A1 US 20140006781A1 US 201313925824 A US201313925824 A US 201313925824A US 2014006781 A1 US2014006781 A1 US 2014006781A1
- Authority
- US
- United States
- Prior art keywords
- black
- box
- authentication
- verifier
- authentication token
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/082—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying multi-factor authentication
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Storage Device Security (AREA)
Abstract
A method of authenticating a computing device to a back-end subsystem. In one embodiment a prover black-box in the computing device authenticates cryptographically to a verifier black-box in the back-end subsystem by proving possession of a cryptographic credential. The verifier black-box sends an authentication token to the prover black-box as verifiable confirmation of the cryptographic authentication. The prover black-box sends the authentication token to an application front-end in the computing device. The application front-end sends the authentication token to an application back-end in the back-end subsystem, and the application back-end verifies the authentication token.
Description
- The subject matter of this application is related to the subject matter of U.S. Provisional Patent Applications No. 61/663,569 (filed on Jun. 23, 2012), No. 61/677,011 (filed on Jul. 30, 2012), No. 61/804,638 (filed on Mar. 23, 2013) and No. 61/809,790 (filed on Apr. 8, 2013), priority to which is claimed under 35 U.S.C. §119(e) and which are incorporated herein by reference.
- Passwords are commonly used for returning-user authentication to a software application back-end across a network such as the Internet, but they have well known security weaknesses, including vulnerability to phishing attacks, breaches of back-end database security, and reuse at malicious sites. Furthermore, passwords are ill-suited for use on mobile devices such as smart phones and tablets: entering a strong password with letters, digits and punctuation on a small touch screen keyboard is cumbersome, and password characters are exposed to shoulder surfing because they are echoed by the keyboard as they are being typed in an effort to prevent typographical errors.
- Cryptography provides alternatives for returning-user authentication that are more secure and better suited for mobile devices. For example, a mobile device could authenticate to an application back-end by proving knowledge of a private key that is part of a key pair pertaining to a public key cryptosystem, a hash of the public key that is part of the same key pair having been previously registered with the application back-end; the user would be indirectly authenticated as the owner of the device. This is more secure than authentication with a password because the private key is not sent to the application back-end or stored in a back-end database; and it is better suited for mobile devices because it does not require typing a password.
- Cryptography also allows a user to authenticate to an application back-end as having an identity or attributes asserted by a third-party, without the third-party being involved in the authentication transaction. For example, a computing device owned by the user may generate a key pair pertaining to a public key cryptosystem. The user may ask the third-party to sign a public key certificate binding the public key that is part of the key pair to one or more identifiers and/or attributes that the third-party is authoritative for, and store the public key certificate in the computing device together with the private key that is part of the key pair. The computing device may then authenticate to the application back-end by sending the certificate and proving knowledge of the private key. The user controlling the device is then indirectly authenticated as being entitled to the identifier and/or attributes.
- Cryptography is currently used successfully for user authentication in some specific use cases, such as authentication of a US federal employee to the information system of a US federal agency using a public key certificate and its associated private key stored in a Personal Identity Verification (PIV) card connected to a personal computer. But cryptographic authentication is not broadly used outside such specific use cases.
- One reason why cryptographic authentication is not broadly used is that it is difficult to implement for application developers. While user authentication with a password simply requires transmission of the password from a user's device to the application back-end, cryptographic authentication requires execution of a cryptographic protocol involving multiple cryptographic operations (such as digital signatures, verification of digital signatures, computation of cryptographic hashes, etc.) by multiple parties, and transmission of multiple messages between those parties. The details of the individual cryptographic operations performed by the parties to a cryptographic protocol are typically hidden from application developers in cryptographic libraries, but application developers must still cope with many difficulties. They must understand the cryptographic protocol, install cryptographic libraries, ensure that all parties agree on the parameters of the protocol, implement the sequence of messages and cryptographic operations required by the protocol, and handle errors and exceptions.
- Such difficulties discourage many application developers from using cryptography to authenticate a computing device to an application back-end. Hence there is a need for a method of authenticating a computing device to an application back-end using a cryptographic protocol that is easier to implement for application developers than prior methods.
- A method is provided for authenticating a computing device to a back-end subsystem using a prover black-box in the computing device and/or a verifier black-box in the back-end subsystem to encapsulate cryptographic functionality.
- In one embodiment the prover black-box authenticates cryptographically to the verifier black-box by proving possession of a cryptographic credential. The verifier black-box sends an authentication token to the prover black-box as verifiable confirmation of the cryptographic authentication. The prover black-box sends the authentication token to an application front-end in the computing device. The application front-end sends the authentication token to an application back-end in the back-end subsystem, and the application back-end verifies the authentication token.
- The accompanying drawings are included to provide a further understanding of embodiments and are incorporated in and constitute a part of this specification. The drawings illustrate embodiments and together with the description serve to explain principles of embodiments. Other embodiments and many of the intended advantages of embodiments will be readily appreciated as they become better understood by reference to the following detailed description. Reference numerals consist of a concatenation of a one- or two-digit number referring to a figure, followed by a two-digit number that locates the referenced part within the figure. A reference numeral introduced in a figure may be used in other figures to refer to the same part or a similar part.
-
FIG. 1 is a block diagram generally illustrating a system for authenticating a computing device using a prover black-box and a verifier black-box, according to embodiments described herein. -
FIG. 1A is a block diagram illustrating embodiments that feature a prover black-box but no verifier black-box. -
FIG. 1B is a block diagram illustrating embodiments that feature a verifier black-box but no prover black-box. -
FIG. 2 is a flow diagram illustrating a process for authenticating a computing device using a prover black-box and a verifier black-box. -
FIG. 2A is a flow diagram illustrating a process for authenticating a computing device using a prover black-box. -
FIG. 2B is a flow diagram illustrating a process for authenticating a computing device using a verifier black-box. -
FIG. 3 is a block diagram illustrating embodiments where the verifier black-box is a virtual appliance. -
FIG. 4 is a flow diagram illustrating a process for authenticating a computing device using an authentication token that uniquely identifies an authentication object comprising authentication data. -
FIG. 5 is a block diagram illustrating embodiments where the authentication token is used as a login session identifier. -
FIG. 6 is a flow diagram illustrating a process that creates a session record upon successful cryptographic authentication. -
FIG. 7 is a flow diagram illustrating a process for using an authentication token as a login session identifier. -
FIG. 8 is a block diagram illustrating an authentication token comprising signed authentication data. -
FIG. 9 is a flow diagram illustrating a process for authenticating a computing device using an authentication token comprising signed authentication data. - This Detailed Description refers to the accompanying drawings, which are a part hereof and illustrate examples of embodiments of the invention. It is to be understood that other embodiments are possible, and that the features of different exemplary embodiments can be combined together unless otherwise stated.
-
FIG. 1 is a block diagram generally illustrating asystem 100 for authenticating acomputing device 110, which makes it easy for application developers to use cryptography by encapsulating cryptographic complexity in a prover black-box 120 and a verifier black-box 130. - (The term “black-box” refers to a hardware or software component that is dedicated to a specific purpose and can be used without an understanding of its internal workings The term “prover black-box” refers to a black-box whose purpose is to prove possession of one or more cryptographic credentials to a verifier. The term “verifier black-box” refers to a black-box whose purpose is to verify possession of one or more cryptographic credentials by a prover.)
- The
computing device 110 authenticates to a back-end subsystem 140 over a network such as the Internet. Authentication of the device indirectly authenticates a user controlling the device as the owner of the device. The user interacts with an application front-end 150 running on the device, which communicates over the network with an application back-end 160 that is part of the back-end subsystem. The prover black-box 120 runs on the computing device and communicates with the verifier black-box 130 over the network. In some embodiments the application back-end and the verifier black-box communicate over the same network that connects the device to the application back-end and the verifier black-box, while in other embodiments they communicate over a separate network such as a private network, and in yet other embodiments they are implemented by software running on the same machine. - Within the
device 110 the application front-end and the prover black-box communicate with each other by exchanging messages. - In one embodiment the
computing device 110 is a mobile device equipped with the iOS operating system, the prover black-box 120 and the application front-end 150 are separate iOS apps, and messages exchanged between the prover black-box and the application front-end are implemented as “URLs with custom schemes,” as explained in the sections entitled “Communicating with Other Apps” and “Implementing Custom URL Schemes” of the “iOS App Programming Guide”. - (The terms “iOS app” and “Android app” are used herein, with their usual meanings, to refer to computer programs running on computing devices equipped with the iOS and Android operating systems respectively. The unabbreviated term “application,” on the other hand, is used more broadly to refer to a computer program that may be distributed over multiple computers. For example, an application may have a front-end component running on mobile device and back-end component running on a server connected to the device over a network. Different components of an application may be developed and deployed by different organizations.)
- In one embodiment the
computing device 110 is a mobile device equipped with the Android operating system, the prover block-box 120 and the application front-end 150 are separate Android apps, and messages exchanged between the prover black-box and the application front-end are implemented as “Intent objects” as explained in the Android developer guide entitled “Intents and Intent Filters”. In an alternative embodiment thecomputing device 110 is also equipped with the Android operating system, and the messages exchanged between the prover black-box and the application front-end are also implemented as “Intent objects”, but the prover black-box and the application front-end are parts of the same Android app, each comprising one or more “components” of the app. - In one embodiment the prover black-
box 120 is a software library linked to the application front-end, messages from the application front-end 150 to the prover black-box being implemented as Application Programming Interface (API) function calls, and messages from the prover black-box to the application front-end as callbacks. -
FIG. 1A illustrates embodiments that feature a prover black-box 120 but no verifier black-box. The functionality of verifying possession of cryptographic credentials exists in the back-end subsystem 140 but is not encapsulated in a verifier black-box. No distinction is made within the back-end subsystem 140 between an application back-end and a verifier black-box. -
FIG. 1B illustrates embodiments that feature a verifier black-box but no prover black-box. The functionality of proving possession of cryptographic credentials exists in thedevice 110 but is not encapsulated in a prover black-box. No distinction is made within thedevice 110 between an application front-end and a prover black-box. -
FIG. 2 is a flow diagram that generally illustrates aprocess 200 followed bysystem 100 for authenticating thecomputing device 110 to the back-end subsystem 140. - At 210 the application front-
end 150 asks the prover black-box 120 to authenticate cryptographically to the verifier black-box 130. - At 220 the prover black-box authenticates cryptographically to the verifier black-
box 130 by proving possession of one or more cryptographic credentials. Then the process continues at 230. - At 230 the process fails if cryptographic authentication failed at 220. Otherwise the process continues at 240.
- At 240 the verifier black-box sends to the prover black-box an authentication token providing verifiable confirmation of the cryptographic authentication. Then the process continues at 250.
- At 250, the prover black-box sends the authentication token to the application front-end. Then the process continues at 260.
- At 260 the application front-end authenticates to the application back-
end 160 by sending the authentication token. Then the process continues at 270. - At 270 the application back-end attempts to verify the authentication token as being confirmation of a cryptographic authentication. Then the process continues at 280.
- At 280 the process succeeds if the authentication token was verified. Otherwise the process fails.
- Thus application-specific functionality is embodied in the application front-end and the application back-end, which are developed by developers skilled in the art of application development, whereas cryptographic authentication functionality is encapsulated in the prover black-box and the verifier black-box, which are developed by developers skilled in the art of cryptographic protocol development, and which are made available for use by any number of different applications. This allows application developers to implement cryptographic authentication easily by making use of pre-existing prover and verifier black-boxes.
-
FIG. 2A illustrates a process followed by embodiments illustrated inFIG. 1A for authenticating thecomputing device 110 to the back-end subsystem.FIG. 2A differs fromFIG. 2 in that the back-end subsystem plays inFIG. 2A the roles played by the application back-end and the verifier black-box inFIG. 2 . -
FIG. 2B illustrates a process followed by embodiments illustrated inFIG. 1B for authenticating the computing device to the back-end subsystem 140.FIG. 2B differs fromFIG. 2 in that steps 210 and 250 are omitted and the computing device plays inFIG. 2B the roles played by the application front-end and the prover black-box inFIG. 2 . -
FIG. 3 is a block diagram illustrating embodiments where the prover black-box 120 uses a key pair for cryptographic authentication to the verifier black-box 130 and the verifier black-box is a virtual appliance, i.e. a virtual server pre-configured as a generic verifier black-box, whose functionality is not specific to a particular application. - In one embodiment the verifier black-
box 130 and the application back-end 160 are virtual servers known as Elastic Computing Cloud EC2 machine instances, made available for rent by the hour by Amazon Web Services (AWS), and located within a Virtual Private Cloud (VPC) 310 internal to the back-end subsystem 140, so that they communicate securely over a virtual private network. The verifier black-box virtual server is pre-configured by developers skilled in the art of implementing cryptographic protocols, and made available as a virtual appliance on the AWS Marketplace. The application back-end virtual server has access to arelational database 320 provided by the AWS Relational Database Service (RDS). - (The term “appliance” is to be understood as referring to a physical or virtual machine that has been pre-configured as a black-box dedicated to a specific purpose and made generally available for use by applications to that purpose.)
- The
database 320 comprises a table ofuser records 330 and a table of device records 340. Each user record corresponds to an application user, and comprises a USERRECORD HANDLE field 332 that uniquely identifies the record within the table, as well as a collection offields 334 containing user data. Each user record is indexed by the value of the USERRECORD HANDLE field 332 for efficient retrieval of the record given that value. Each device record corresponds to a device that an application user has registered for use with the application, and comprises a DEVICERECORD HANDLE field 342 that uniquely identifies the record, a HASH OFPUBLIC KEY field 344, and a USERRECORD HANDLE field 346. The value of the USERRECORD HANDLE field 346 refers to the user record for the user who registered the device. Each device record is indexed by the value of the DEVICERECORD HANDLE field 342 for efficient retrieval of the record given that value. - (The term “handle” is used herein as a synonym for the term “primary key” of database terminology, to avoid confusion between database keys and cryptographic keys.)
- The prover black-
box 120 has acredential 350 comprising adevice record handle 352 and akey pair 354 pertaining to a digital signature public key cryptosystem such as one of the public key cryptosystems, DSA, ECDSA or RSA, specified in the Digital Signature Standard (DSS), publication FIPS PUB 186-3 of the National Institute of Standards and Technology (NIST). The device record handle identifies a device record in thedatabase 320, viz. the device record that contains thedevice record handle 352 as the value of the DEVICERECORD HANDLE field 342. That record is expected to contain a hash of the public key that is part of thekey pair 354 as the value of the HASH OFPUBLIC KEY field 344. - (The
key pair 354 consists a collection of cryptographic parameters. The terms “private key” and “public key” are used herein to refer to the key pair parameters needed to sign and verify a signature, respectively. For example, with the notations of Section 4.1 of the DSS, a DSA key pair consists of the parameters p, q, g, x and y. The private key is (p,q,g,x) and the public key is (p,q,g,y). This usage of the terms “private key” and “public key” is different from the usage in the DSS, which does not consider “domain parameters” as being part of the private and public keys. For example, in the case of the DSA cryptosystem, the DSS refers to x as the private key and y as the public key, omitting the domain parameters p, q and g.) -
FIG. 4 is a flow diagram showing anauthentication process 400 followed by embodiments illustrated inFIG. 3 . - At 405 the application front-
end 150 sends a message to the prover black-box 120 asking it to authenticate cryptographically to the verifier black-box 130. Then the process continues at 410. - At 410 the prover black-box authenticates cryptographically to the verifier black-box. To that purpose it establishes a TLS connection to a cryptographic authentication endpoint of the verifier black-box. (The acronym TLS refers to the Transport Layer Security protocol of the Internet Engineering Task Force, which is a successor to the Secure Sockets Layer protocol.) During the TLS handshake, the verifier black-box authenticates to the prover black-box by sending a TLS server certificate and proving knowledge of the corresponding private key. After the TLS connection has been established, the verifier black-box sends a random high-entropy nonce to the prover black-box over the TLS connection. The verifier black-box and the prover black-box separately construct a challenge by computing a cryptographic hash of the nonce and the TLS server certificate. The prover black-box signs the challenge using the private key that is part of the
key pair 354, and sends the signature, the public key that is part of the key pair, and thedevice record handle 352 to the verifier black-box over the TLS connection; by signing the challenge, the prover black-box proves knowledge of the private key; by sending the device record handle and proving knowledge of the private key the prover black-box proves possession of thecredential 350. Then the process continues at 415. - At 415 the verifier black-box verifies the signature using the public key that is part of the key pair. If the verification of the signature succeeds, cryptographic authentication is successful and the process continues at 420. Otherwise the process fails.
- At 420 the verifier black-box creates an
authentication object 360, shown inFIG. 3 , containing anauthentication token 362, atimestamp 363 andauthentication data 364. The authentication token is generated by the verifier black-box as a high entropy random string. The authentication data comprises thedevice record handle 352 received from the prover black-box atstep 410 and acryptographic hash 365 computed by applying a cryptographic hash function to the public key also received atstep 410. In one embodiment the cryptographic hash function is the hash function SHA-1 specified in the Secure Hash Standard (SHS), published by NIST as FIPS PUB 180-4; in alternative embodiments it is one of the other hash functions specified in the SHS. The authentication object is an element of anarray 366 of such authentication objects. Since the authentication token is a high-entropy random string, the authentication object is uniquely identified with high probability by the authentication token, and hence is retrievable by the authentication token. In one embodiment the array ofobjects 366 is stored in shared memory allocated in the verifier black-boxvirtual server 130; in an alternative embodiment the array of authentication objects is implemented as a table of authentication records within a relational database internal to the verifier black-box virtual server, each authentication object being referred to as an authentication record and being indexed by the authentication token. Then the process continues at 425. - (The term “random string” is meant to encompass both a truly random string, and a string generated by a pseudo-random string generator or an entropy accumulator such as the /dev/urandom facility of Linux and other Unix systems.)
- At 425 the verifier black-box sends the authentication token to the prover black-box over the TLS connection established at
step 410, as confirmation that cryptographic authentication was successful at 410. This confirmation is verifiable by using the authentication token to retrieve theauthentication object 360 created at 420 (as is done at step 445). Then the process continues at 430. - At 430 the prover black-box sends a message to the application front-end containing the authentication token. Then the process continues at 435.
- At 435 the application front-end authenticates to the application back-
end 160 by sending the authentication token over a TLS connection. Then the process continues at 440. - At 440 the application back-end sends the authentication token to an authentication data retrieval endpoint of the verifier black-box for verification, over the virtual private network provided by the
VPC 310. Then the process continues at 445. - At 445 the verifier black-box attempts to retrieve an
authentication object 360 containing the authentication token received atstep 440 and being recent enough, i.e. having an age, determined by thetimestamp 363, that is less than an age limit set by a security policy. If there is no such object, the process fails. Otherwise the authentication token is deemed to have been verified as a confirmation of the cryptographic authentication that resulted in the creation of the object, and the process continues at 450. - At 450 the verifier black-box sends the authentication data contained in the authentication object to the application back-end over the virtual private network. The authentication data comprises the
device record handle 352 and the hash of apublic key 365. Then the process continues at 455. - At 455 the application back-end looks in the
database 320 for a device record containing thedevice record handle 352 in the DEVICERECORD HANDLE field 342 and the hash of apublic key 365 in the HASH OFPUBLIC KEY field 344. If no such record is found, the process fails. Otherwise the process continues at 460. - At 460 the application back-end looks in the
database 320 for a user record whose USERRECORD HANDLE field 332 that has the same value as the USERRECORD HANDLE field 346 of the device record found atstep 455. If no such record is found, the process fails. Otherwise the process continues at 465. - At 465 the application back-end sends user data contained in the
user data fields 334 of the user record found atstep 460 to the application front-end over a TLS connection. Then the process terminates successfully: the device has been successfully authenticated to the application back-end as being the device corresponding to the device record found atstep 455, owned by the user corresponding to the user record found atstep 460. - In one embodiment, steps 455 and 460 are combined and implemented together using a join of the table of
device records 340 and the table ofuser records 330, in a manner well known to developers skilled in the art of relational database query processing. -
FIG. 5 is a block diagram illustrating embodiments where the authentication token is used repeatedly by the application front-end 150 as a login session identifier for intra-session authentication to the application back-end 160 while a login session is in progress, following an initial cryptographic authentication. Thedatabase 320 comprises a table of login session records 510. Each login session record represents a login session and comprises aSESSION ID field 520 that uniquely identifies the record, a DEVICERECORD HANDLE field 530 that refers to a device record, and anEXPIRATION TIME field 540 that specifies a time at which the login session will expire. Each login session record is indexed by the value of theSESSION ID field 520 for efficient retrieval of the record given that value. Upon initial cryptographic authentication, a login session record is created and the authentication token is stored in the record as the value of the SESSION ID field. The authentication token is also stored by the application front-end in amemory location 550 for use as a login session identifier. -
FIG. 6 is a flow diagram illustrating an extension of theauthentication process 400, followed by embodiments illustrated inFIG. 5 , to accommodate the creation of a session record upon successful cryptographic authentication. Two additional steps are inserted into theprocess 400. Step 610 is inserted betweensteps steps - At 610 the application front-
end 150 stores a copy of the authentication token, received atstep 430, in thememory location 550, before forwarding it to the application back-end atstep 435. - At 620 the application back-
end 160 creates a login session record in the table of login session records 510, comprising the authentication token, received atstep 430, as the value of theSESSION ID field 520, the device record handle, contained in the authentication data received atstep 450, as the value of the DEVICERECORD HANDLE field 530, and an expiration time as the value of theEXPIRATION TIME field 540. -
FIG. 7 is a flow diagram illustrating aprocess 700, followed by embodiments illustrated inFIG. 5 , to use an authentication token as a login session identifier. - At 710 the application front-
end 150 sends the authentication token stored in thememory location 550 to the application back-end 160 over a TLS connection. Then the process continues at 720. - At 720 the application back-end looks in the
database 320 for a login session record where the value of theSESSION ID field 520 is the authentication token. If no such record is found, the process fails. Otherwise the process continues at 730. - At 730 the application back-end checks if the current time is past the expiration time specified by the EXPIRATION TIME field of the login session record found at
step 720. If so, the process fails. Otherwise the process continues at 740. - At 740 the application back-end looks in the
database 320 for a device record whose DEVICERECORD HANDLE field 342 that has the same value as the DEVICERECORD HANDLE field 530 of the login session record found atstep 720. If no such record is found, the process fails. Otherwise the process continues at 750. - At 750 the application back-end looks in the
database 320 for a user record whose USERRECORD HANDLE field 332 that has the same value as the USERRECORD HANDLE field 346 of the device record found atstep 740. If no such record is found, the process fails. Otherwise the process terminates successfully: the device has been successfully authenticated to the application back-end as being the device corresponding to the device record found atstep 740, owned by the user corresponding to the user record found atstep 750. - In one embodiment, steps 740, 750 and 760 are combined and implemented together using a join of the table of login session records 510, the table of
device records 340 and the table ofuser records 330, in a manner well known to developers skilled in the art of relational database query processing. -
FIG. 8 is a block diagram illustrating anauthentication token 800 that comprises digitally signed authentication data. Instead of uniquely identifying anauthentication object 360 that comprisesauthentication data 364 including thedevice record handle 352 and the publickey hash 365, the authentication token itself comprises theauthentication data 364 with thedevice record handle 352 and the publickey hash 365, acreation timestamp 363, and asignature 810 computed by the verifier black-box 130 on the authentication data and the timestamp. -
FIG. 9 is a flow diagram illustrating aprocess 900 for authenticating a computing device using an authentication token comprising signed authentication data.Embodiments using process 900 are illustrated inFIG. 3 , except that the verifier black-box 130 does not use anarray 366 of authentication objects. - The
process 900 is a modification of theprocess 400 ofFIG. 4 .Steps steps - At 920 the verifier black-box
constructs authentication data 364 as atstep 420 ofprocess 400. But instead of storing the data in an authentication object, it creates theauthentication token 800 comprising theauthentication data 364, acreation timestamp 363, and a signature on the authentication data and the timestamp. In one embodiment the signature is computed using a private key pertaining to a digital signature public key cryptosystem such as those specified in the DSS (DSA, ECDSA or RSA). - At 940, instead of sending the authentication token to the verifier black-box for verification as at
step 440 ofprocess 400, the application back-end checks that thetimestamp 363 is not older than an age limit set by a security policy, and verifies thesignature 810 using the public key associated with private key that the verifier black-box used to compute the signature atstep 920. - At 945, the process fails if the verification of the signature failed at 940. Otherwise the process continues at 450.
- In some embodiments the
credential 350 shown inFIG. 3 is created when a user registers thecomputing device 110 with the application back-end 160. In one embodiment thekey pair 354 pertains to one of the digital signature public key cryptosystems specified by the DSS (DSA, ECDSA or RSA) and is generated by the prover black-box as specified in the DSS. In one embodiment the prover black-box generates thedevice record handle 352 as a high entropy random string so that it is distinct with high probability from handles of other device records in the table of device records 340. As inprocess 400, the prover black-box proves possession of the newly created credential to the verifier black-box, which creates an authentication object retrievable by an authentication token and sends the authentication object to the prover black-box, which forwards it to the application back-end via the application front-end. The application back-end uses the authentication token to retrieve the authentication data from the verifier black-box, then creates a device record, using the device record handle in the authentication data as the value of the DEVICERECORD HANDLE field 342 and the hash of the public key in the authentication data as the value of the HASH OFPUBLIC KEY field 344. - If no user record has been created yet for the user who registers the device, the user provides user data to the application front-end, which sends the user data to the application back-end over the same TLS connection that it uses to send the authentication token. The application back-end creates a user record containing the user data in the
user data fields 334 and containing a new user record handle distinct from those of other user records in the USERRECORD HANDLE field 332. (In one embodiment the new user record handle is obtained by incrementing a counter of user record handles; in an alternative embodiment it is generated as high entropy random string, which is distinct from existing user record handles with high probability.) Then the application back-end stores the new user record handle in the USERRECORD HANDLE field 346 of the newly created device record. - If a user record already exists for the user who registers the device, the user provides a registration code, which the user has obtained via another computing device, to the application front-end. The registration code is a reference to a short-lived registration record that contains a user record handle that identifies the user record. The application front-end sends the registration code to the application back-end over the same TLS connection that it uses to send the authentication token. The application back-end finds the user record referenced by the registration record and stores the user record handle of that record in the USER
RECORD HANDLE field 346 of the newly created device record.
Claims (21)
1-13. (canceled)
14. A method of authenticating a computing device to a back-end subsystem, comprising:
a prover black-box in the computing device authenticating cryptographically to a verifier black-box in the back-end subsystem by proving possession of a cryptographic credential;
the verifier black-box sending an authentication token to the prover black-box as verifiable confirmation of the cryptographic authentication;
the prover black-box sending the authentication token to an application front-end in the computing device;
the application front-end sending the authentication token to an application back-end in the back-end subsystem; and
the application back-end verifying the authentication token.
15. The method of claim 14 , wherein the verifier black-box is a virtual appliance.
16. The method of claim 14 , wherein the device uses the authentication token as a login session identifier.
17. The method of claim 14 , wherein the authentication token uniquely identifies an object comprising authentication data.
18. The method of claim 14 , wherein the authentication token comprises digitally signed authentication data.
19. The method of claim 14 , wherein the cryptographic credential comprises a key pair pertaining to a public key cryptosystem and a public key that is part of the key pair is stored in a database within the back-end subsystem.
20. The method of claim 14 , wherein the cryptographic credential comprises a key pair pertaining to a public key cryptosystem and a hash of a public key that is part of the key pair is stored in a database within the back-end subsystem.
21. The method of claim 14 , wherein the cryptographic credential comprises a private key that is part of a key pair pertaining to a public key cryptosystem, and proving possession of the cryptographic credential includes proving knowledge of the private key.
22. The method of claim 21 , wherein the public key cryptosystem is a digital signature cryptosystem, and proving knowledge of the private key includes using the private key to sign a challenge.
23. A prover black-box included in a computing device and used in authenticating the device to a back-end subsystem, configured to:
receive a request from an application front-end running on the device to perform a cryptographic authentication to the back-end subsystem;
authenticate cryptographically to the back-end subsystem by proving possession of a credential;
receive an authentication token from the back-end subsystem as confirmation of the cryptographic authentication; and
send the authentication token to the application front-end.
24. The prover black-box of claim 23 , wherein the credential comprises a private key that is part of a key pair pertaining to a public key cryptosystem, and proving possession of the credential includes proving knowledge of the private key.
25. The prover black-box of claim 24 , wherein the public key cryptosystem is a digital signature cryptosystem, and proving knowledge of the private key includes using the private key to sign a challenge.
26. A verifier black-box configured to:
authenticate cryptographically a computing device by verifying possession of a cryptographic credential by the device;
return an authentication token to the device as verifiable confirmation of the cryptographic authentication;
receive the authentication token from an application back-end; and
send authentication data to the application back-end.
27. The verifier black-box of claim 26 , wherein the credential comprises a private key that is part of a key pair pertaining to a public key cryptosystem, and verifying possession of the credential includes verifying knowledge of the private key.
28. The verifier black-box of claim 27 , wherein the public key cryptosystem is a digital signature cryptosystem, and verifying possession of the private key includes verifying that a signature made with the private key is valid.
29. The verifier black-box of claim 26 , further configured to create an authentication object that comprises authentication data and is uniquely identified by the authentication token.
30. The verifier black-box of claim 29 , wherein the authentication data comprises a hash of a public key that is part of the credential.
31. The verifier black-box of claim 26 , wherein the authentication token comprises digitally signed authentication data.
32. The verifier black-box of claim 26 , implemented as a virtual server made available for rent by a cloud service provider.
33. The verifier black-box of claim 32 , located together with the application back-end within a virtual private cloud.
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/925,824 US20140006781A1 (en) | 2012-06-23 | 2013-06-24 | Encapsulating the complexity of cryptographic authentication in black-boxes |
US13/954,973 US9185111B2 (en) | 2012-06-23 | 2013-07-30 | Cryptographic authentication techniques for mobile devices |
US14/016,022 US20140006806A1 (en) | 2012-06-23 | 2013-08-30 | Effective data protection for mobile devices |
US14/588,413 US20150113283A1 (en) | 2012-06-23 | 2015-01-01 | Protecting credentials against physical capture of a computing device |
US15/136,834 US9887989B2 (en) | 2012-06-23 | 2016-04-22 | Protecting passwords and biometrics against back-end security breaches |
Applications Claiming Priority (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201261663569P | 2012-06-23 | 2012-06-23 | |
US201261677011P | 2012-07-30 | 2012-07-30 | |
US201361804638P | 2013-03-23 | 2013-03-23 | |
US201361809790P | 2013-04-08 | 2013-04-08 | |
US13/925,824 US20140006781A1 (en) | 2012-06-23 | 2013-06-24 | Encapsulating the complexity of cryptographic authentication in black-boxes |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/954,973 Continuation-In-Part US9185111B2 (en) | 2012-06-23 | 2013-07-30 | Cryptographic authentication techniques for mobile devices |
Publications (1)
Publication Number | Publication Date |
---|---|
US20140006781A1 true US20140006781A1 (en) | 2014-01-02 |
Family
ID=49779490
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/925,824 Abandoned US20140006781A1 (en) | 2012-06-23 | 2013-06-24 | Encapsulating the complexity of cryptographic authentication in black-boxes |
US13/954,973 Active 2033-09-16 US9185111B2 (en) | 2012-06-23 | 2013-07-30 | Cryptographic authentication techniques for mobile devices |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/954,973 Active 2033-09-16 US9185111B2 (en) | 2012-06-23 | 2013-07-30 | Cryptographic authentication techniques for mobile devices |
Country Status (1)
Country | Link |
---|---|
US (2) | US20140006781A1 (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2015163967A3 (en) * | 2014-02-04 | 2015-12-23 | Exponential Horizons | Cryptographic method and system of protecting digital content and recovery of same through unique user identification |
US20160269393A1 (en) * | 2012-06-23 | 2016-09-15 | Pomian & Corella Llc | Protecting passwords and biometrics against back-end security breaches |
US10893053B2 (en) * | 2018-03-13 | 2021-01-12 | Roblox Corporation | Preventing unauthorized account access based on location and time |
US20210243227A1 (en) * | 2018-12-03 | 2021-08-05 | Citrix Systems, Inc. | Detecting attacks using handshake requests systems and methods |
US11489675B1 (en) * | 2019-07-12 | 2022-11-01 | Allscripts Software, Llc | Computing system for electronic message tamper-roofing |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160277412A1 (en) * | 2010-11-17 | 2016-09-22 | Invysta Technology Group | Methodology for identifying local/mobile client computing devices using a network based database containing records of hashed distinctive hardware, software, and user provided biometric makers for authorization of electronic transactions and right of entry to secure locations |
WO2014182957A1 (en) * | 2013-05-08 | 2014-11-13 | Acuity Systems, Inc. | Authentication system |
US9189617B2 (en) * | 2013-09-27 | 2015-11-17 | Intel Corporation | Apparatus and method for implementing zero-knowledge proof security techniques on a computing platform |
US10402554B2 (en) * | 2015-06-27 | 2019-09-03 | Intel Corporation | Technologies for depth-based user authentication |
US20170300673A1 (en) * | 2016-04-19 | 2017-10-19 | Brillio LLC | Information apparatus and method for authorizing user of augment reality apparatus |
US10097544B2 (en) | 2016-06-01 | 2018-10-09 | International Business Machines Corporation | Protection and verification of user authentication credentials against server compromise |
US11558743B2 (en) * | 2018-09-05 | 2023-01-17 | Whitefox Defense Technologies, Inc. | Integrated secure device manager systems and methods for cyber-physical vehicles |
GB2584154A (en) * | 2019-05-24 | 2020-11-25 | Nchain Holdings Ltd | Knowledge proof |
US20220138306A1 (en) * | 2020-11-05 | 2022-05-05 | Adobe Inc. | Offline multi-factor one-time password authentication |
US11451402B1 (en) | 2021-07-29 | 2022-09-20 | IPAssets Technology Holdings Inc. | Cold storage cryptographic authentication apparatus and system |
Citations (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6775536B1 (en) * | 1999-11-03 | 2004-08-10 | Motorola, Inc | Method for validating an application for use in a mobile communication device |
US6957199B1 (en) * | 2000-08-30 | 2005-10-18 | Douglas Fisher | Method, system and service for conducting authenticated business transactions |
US7051200B1 (en) * | 2000-06-27 | 2006-05-23 | Microsoft Corporation | System and method for interfacing a software process to secure repositories |
US7203838B1 (en) * | 1999-09-09 | 2007-04-10 | American Express Travel Related Services Company, Inc. | System and method for authenticating a web page |
US7319759B1 (en) * | 1999-03-27 | 2008-01-15 | Microsoft Corporation | Producing a new black box for a digital rights management (DRM) system |
US20080065550A1 (en) * | 2004-10-30 | 2008-03-13 | Shera International Ltd. | Certified deployment of applications on terminals |
US7349871B2 (en) * | 2002-08-08 | 2008-03-25 | Fujitsu Limited | Methods for purchasing of goods and services |
US20090122984A1 (en) * | 2007-11-13 | 2009-05-14 | Koolspan, Inc. | Secure mobile telephony |
US7543140B2 (en) * | 2003-02-26 | 2009-06-02 | Microsoft Corporation | Revocation of a certificate and exclusion of other principals in a digital rights management (DRM) system based on a revocation list from a delegated revocation authority |
US20100195833A1 (en) * | 2006-07-14 | 2010-08-05 | Vodafone Group Plc | Telecommunications device security |
US7900048B2 (en) * | 2002-05-07 | 2011-03-01 | Sony Ericsson Mobile Communications Ab | Method for loading an application in a device, device and smart card therefor |
US20120204035A1 (en) * | 2010-07-30 | 2012-08-09 | International Business Machines Corporation | Cryptographic Proofs in Data Processing Systems |
US8261365B2 (en) * | 2003-11-27 | 2012-09-04 | Nagravision S.A. | Method for the authentication of applications |
US20130003970A1 (en) * | 2007-12-13 | 2013-01-03 | Certicom Corp. | System and Method for Controlling Features on a Device |
US8474004B2 (en) * | 2006-07-31 | 2013-06-25 | Telecom Italia S.P.A. | System for implementing security on telecommunications terminals |
US8584224B1 (en) * | 2011-04-13 | 2013-11-12 | Symantec Corporation | Ticket based strong authentication with web service |
US8588766B2 (en) * | 2001-05-31 | 2013-11-19 | Qualcomm Incorporated | Safe application distribution and execution in a wireless environment |
US8656016B1 (en) * | 2012-10-24 | 2014-02-18 | Blackberry Limited | Managing application execution and data access on a device |
US8800008B2 (en) * | 2006-06-01 | 2014-08-05 | Intellectual Ventures Ii Llc | Data access control systems and methods |
US8839458B2 (en) * | 2009-05-12 | 2014-09-16 | Nokia Corporation | Method, apparatus, and computer program for providing application security |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6170058B1 (en) | 1997-12-23 | 2001-01-02 | Arcot Systems, Inc. | Method and apparatus for cryptographically camouflaged cryptographic key storage, certification and use |
US7328350B2 (en) | 2001-03-29 | 2008-02-05 | Arcot Systems, Inc. | Method and apparatus for secure cryptographic key generation, certification and use |
US7454782B2 (en) | 1997-12-23 | 2008-11-18 | Arcot Systems, Inc. | Method and system for camouflaging access-controlled data |
-
2013
- 2013-06-24 US US13/925,824 patent/US20140006781A1/en not_active Abandoned
- 2013-07-30 US US13/954,973 patent/US9185111B2/en active Active
Patent Citations (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7319759B1 (en) * | 1999-03-27 | 2008-01-15 | Microsoft Corporation | Producing a new black box for a digital rights management (DRM) system |
US7203838B1 (en) * | 1999-09-09 | 2007-04-10 | American Express Travel Related Services Company, Inc. | System and method for authenticating a web page |
US6775536B1 (en) * | 1999-11-03 | 2004-08-10 | Motorola, Inc | Method for validating an application for use in a mobile communication device |
US7051200B1 (en) * | 2000-06-27 | 2006-05-23 | Microsoft Corporation | System and method for interfacing a software process to secure repositories |
US6957199B1 (en) * | 2000-08-30 | 2005-10-18 | Douglas Fisher | Method, system and service for conducting authenticated business transactions |
US8588766B2 (en) * | 2001-05-31 | 2013-11-19 | Qualcomm Incorporated | Safe application distribution and execution in a wireless environment |
US7900048B2 (en) * | 2002-05-07 | 2011-03-01 | Sony Ericsson Mobile Communications Ab | Method for loading an application in a device, device and smart card therefor |
US7349871B2 (en) * | 2002-08-08 | 2008-03-25 | Fujitsu Limited | Methods for purchasing of goods and services |
US7543140B2 (en) * | 2003-02-26 | 2009-06-02 | Microsoft Corporation | Revocation of a certificate and exclusion of other principals in a digital rights management (DRM) system based on a revocation list from a delegated revocation authority |
US8261365B2 (en) * | 2003-11-27 | 2012-09-04 | Nagravision S.A. | Method for the authentication of applications |
US20080065550A1 (en) * | 2004-10-30 | 2008-03-13 | Shera International Ltd. | Certified deployment of applications on terminals |
US8800008B2 (en) * | 2006-06-01 | 2014-08-05 | Intellectual Ventures Ii Llc | Data access control systems and methods |
US20100195833A1 (en) * | 2006-07-14 | 2010-08-05 | Vodafone Group Plc | Telecommunications device security |
US8474004B2 (en) * | 2006-07-31 | 2013-06-25 | Telecom Italia S.P.A. | System for implementing security on telecommunications terminals |
US20090122984A1 (en) * | 2007-11-13 | 2009-05-14 | Koolspan, Inc. | Secure mobile telephony |
US20130003970A1 (en) * | 2007-12-13 | 2013-01-03 | Certicom Corp. | System and Method for Controlling Features on a Device |
US8839458B2 (en) * | 2009-05-12 | 2014-09-16 | Nokia Corporation | Method, apparatus, and computer program for providing application security |
US20120204035A1 (en) * | 2010-07-30 | 2012-08-09 | International Business Machines Corporation | Cryptographic Proofs in Data Processing Systems |
US8584224B1 (en) * | 2011-04-13 | 2013-11-12 | Symantec Corporation | Ticket based strong authentication with web service |
US8656016B1 (en) * | 2012-10-24 | 2014-02-18 | Blackberry Limited | Managing application execution and data access on a device |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160269393A1 (en) * | 2012-06-23 | 2016-09-15 | Pomian & Corella Llc | Protecting passwords and biometrics against back-end security breaches |
US9887989B2 (en) * | 2012-06-23 | 2018-02-06 | Pomian & Corella, Llc | Protecting passwords and biometrics against back-end security breaches |
WO2015163967A3 (en) * | 2014-02-04 | 2015-12-23 | Exponential Horizons | Cryptographic method and system of protecting digital content and recovery of same through unique user identification |
US9800419B2 (en) | 2014-02-04 | 2017-10-24 | Exponential Horizons, Llc | Cryptographic method and system of protecting digital content and recovery of same through unique user identification |
US10893053B2 (en) * | 2018-03-13 | 2021-01-12 | Roblox Corporation | Preventing unauthorized account access based on location and time |
US11818138B2 (en) | 2018-03-13 | 2023-11-14 | Roblox Corporation | Preventing unauthorized account access based on location and time |
US20210243227A1 (en) * | 2018-12-03 | 2021-08-05 | Citrix Systems, Inc. | Detecting attacks using handshake requests systems and methods |
US11489675B1 (en) * | 2019-07-12 | 2022-11-01 | Allscripts Software, Llc | Computing system for electronic message tamper-roofing |
US11818277B1 (en) * | 2019-07-12 | 2023-11-14 | Allscripts Software, Llc | Computing system for electronic message tamper-proofing |
Also Published As
Publication number | Publication date |
---|---|
US9185111B2 (en) | 2015-11-10 |
US20140032906A1 (en) | 2014-01-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20140006781A1 (en) | Encapsulating the complexity of cryptographic authentication in black-boxes | |
US11711219B1 (en) | PKI-based user authentication for web services using blockchain | |
CN108092776B (en) | System based on identity authentication server and identity authentication token | |
CN108810029B (en) | Authentication system and optimization method between micro-service architecture services | |
US9838205B2 (en) | Network authentication method for secure electronic transactions | |
JP7228977B2 (en) | Information processing device, authorization system and verification method | |
US9231925B1 (en) | Network authentication method for secure electronic transactions | |
US10382426B2 (en) | Authentication context transfer for accessing computing resources via single sign-on with single use access tokens | |
RU2417422C2 (en) | Single network login distributed service | |
US8775794B2 (en) | System and method for end to end encryption | |
US8959335B2 (en) | Secure password-based authentication for cloud computing services | |
CN112671720B (en) | Token construction method, device and equipment for cloud platform resource access control | |
US20200374137A1 (en) | Systems, methods, and storage media for permissioned delegation in a computing environment | |
EP3206329B1 (en) | Security check method, device, terminal and server | |
CN112313648A (en) | Authentication system, authentication method, application providing device, authentication device, and authentication program | |
Mishra et al. | An anonymous and secure biometric‐based enterprise digital rights management system for mobile environment | |
KR102012262B1 (en) | Key management method and fido authenticator software authenticator | |
Chang et al. | A practical secure and efficient enterprise digital rights management mechanism suitable for mobile environment | |
Akram et al. | An anonymous authenticated key-agreement scheme for multi-server infrastructure | |
CN114301617A (en) | Identity authentication method and device for multi-cloud application gateway, computer equipment and medium | |
CN111241492A (en) | Product multi-tenant secure credit granting method, system and electronic equipment | |
CN113569210A (en) | Distributed identity authentication method, equipment access method and device | |
CN105577606A (en) | Method and device for realizing register of authenticator | |
WO2013067792A1 (en) | Method, device and system for querying smart card | |
CN111723347B (en) | Identity authentication method, identity authentication device, electronic equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: POMIAN & CORELLA, LLC, CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CORELLA, FRANCISCO;LEWISON, KAREN POMIAN;REEL/FRAME:031720/0173 Effective date: 20131125 |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |