US2017054707A1PendingUtilityA1

Method and Apparatus for Trusted Authentication and Logon

47
Assignee: INTERDIGITIAL PATENT HOLDINGS INCPriority: Sep 14, 2009Filed: Nov 7, 2016Published: Feb 23, 2017
Est. expirySep 14, 2029(~3.2 yrs left)· nominal 20-yr term from priority
H04L 63/06G06F 21/00H04L 2209/127G06F 21/57G06F 2221/2103H04L 63/062H04L 2209/80G06F 2221/2129H04L 9/3234G06F 21/32H04L 63/12H04L 9/3271H04L 63/10H04L 63/0823H04L 63/083H04L 63/0807
47
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A method and apparatus for trusted authentication and logon is disclosed. A trusted platform module (TPM) based logon method is presented for authentication and access. A user registers an identity with an identity provider that is tightly bound to the user's specific platform, e.g., the TPM. If the user decides to login, for example to a service provider using this identity, the identity provider challenges the user to provide the correct credentials. The credentials consist of a TPM generated ticket, that is, a credential chain. This allows the user to login without the need for a password at the identity provider.

Claims

exact text as granted — not AI-modified
What is claimed: 
     
         1 . A method for accessing, by a user platform comprising a trusted module, a service from a service provider, the method comprising:
 logging onto the service provider using a user identity;   the user platform receiving an authentication challenge from the service provider;   in response to the authentication challenge, generating, at the trusted module, an authentication response to the authentication challenge, wherein the authentication response may include a certificate or a reference to the certificate; and   when a verification of the authentication response is successful, accessing the service from the service provider   
     
     
         2 . The method of  claim 1 , wherein the method further comprises:
 in further response to the authentication challenge, performing a local authentication of the user.   
     
     
         3 . The method of  claim 2 , wherein the local authentication of the user is performed using one or more biometrics of the user. 
     
     
         4 . The method of  claim 1 , wherein the method further comprises:
 if the verification fails, receiving an authentication failed message.   
     
     
         5 . The method of  claim 1 , wherein the user identity corresponds to a key, the method further comprising:
 using the key to retrieve the certificate from the trusted module.   
     
     
         6 . The method of  claim 1 , the method further comprising:
 when accessing the service from the service provider, authorizing the service provider to access data associated with the user.   
     
     
         7 . The method of  claim 1 , wherein the authentication response comprises a ticket that comprises data that validates an authenticity of the ticket. 
     
     
         8 . The method of  claim 1 , wherein the authentication challenge includes at least the user identity and a type of service request. 
     
     
         9 . The method of  claim 8 , the method further comprising generating a certified signing key for signing the user identity and the service request. 
     
     
         10 . The method of  claim 1 , wherein the user identity is further associated with an attestation identity key (AIK), the method further comprising:
 providing a password for the AIK corresponding to the user identity and a storage root key password for authenticating usage of the trusted module.   
     
     
         11 . The method of  claim 1 , wherein the user identity is further associated with an attestation identity key (AIK), and wherein the certificate corresponds to the AIK. 
     
     
         12 . The method of  claim 11 , wherein the certificate is obtained on a condition that a previously acquired certificate is unavailable. 
     
     
         13 . A user equipment comprising communication circuitry such that the user equipment is communicatively coupled to a network via its communication circuitry, wherein the user equipment further comprises a processor, a trusted module, and a memory, the memory containing computer-executable instructions that when executed by the processor, cause the processor to perform operations comprising:
 logging onto the service provider using a user identity;   the user platform receiving an authentication challenge from the service provider;   in response to the authentication challenge, generating, at the trusted module, an authentication response to the authentication challenge, wherein the authentication response may include a certificate or a reference to the certificate; and   when a verification of the authentication response is successful, accessing the service from the service provider   
     
     
         14 . The user equipment of  claim 13 , wherein the memory further contains computer-executable instructions that when executed by the processor, cause the processor to perform further operations comprising:
 in further response to the authentication challenge, performing a local authentication of the user.   
     
     
         15 . The user equipment of  claim 14 , wherein the local authentication of the user is performed using one or more biometrics of the user. 
     
     
         16 . The user equipment of  claim 13 , wherein the memory further contains computer-executable instructions that when executed by the processor, cause the processor to perform further operations comprising:
 if the verification fails, receiving an authentication failed message.   
     
     
         17 . The user equipment of  claim 13 , wherein the user identity corresponds to a key, and the memory further contains computer-executable instructions that when executed by the processor, cause the processor to perform further operations comprising:
 using the key to retrieve the certificate from the trusted module.   
     
     
         18 . The user equipment of  claim 13 , wherein the memory further contains computer-executable instructions that when executed by the processor, cause the processor to perform further operations comprising:
 when accessing the service from the service provider, authorizing the service provider to access data associated with the user.   
     
     
         19 . The user equipment of  claim 13 , wherein the authentication response comprises a ticket that comprises data that validates an authenticity of the ticket. 
     
     
         20 . The user equipment of  claim 13 , wherein the authentication challenge includes at least the user identity and a type of service request.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.