EP2761852A1 - A mobile communication system implementing integration of multiple logins of mobile device applications - Google Patents
A mobile communication system implementing integration of multiple logins of mobile device applicationsInfo
- Publication number
- EP2761852A1 EP2761852A1 EP20120846629 EP12846629A EP2761852A1 EP 2761852 A1 EP2761852 A1 EP 2761852A1 EP 20120846629 EP20120846629 EP 20120846629 EP 12846629 A EP12846629 A EP 12846629A EP 2761852 A1 EP2761852 A1 EP 2761852A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- authentication
- application
- broker
- mobile
- mobile device
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/068—Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W88/00—Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
- H04W88/02—Terminal devices
Definitions
- the present invention relates generally to mobile communication devices and particularly to software applications used at mobile telephones.
- Certain embodiments of the present invention seek to provide a device which incorporates a security processor (not shown) with a dedicated smart-card based on PKI (Public Key Infrastructure).
- PKI Public Key Infrastructure
- Certain embodiments of the present invention seek to provide a security processor (not shown) including software running on a main processor, for example utilizing a mechanism such as ARM'S TrustZone Technology.
- the secure mobile device uses this PKI as a basis for network authentication which, as is well known, is superior e.g. in that PKI is less susceptible to guesses and to myriads of attacks on classical username/password based authentication.
- the secure mobile device uses this PKI as a basis for network authentication which is compatible with the use of the smart-card authentication mechanism.
- Certain embodiments of the present invention seek to provide a system for managing sign-on and applicative authentication that utilizes strong encryption available in a secure smart-phone.
- Certain embodiments of the present invention seek to provide a central system that manages authentication for all applications in a manner that is easy to manage.
- Certain embodiments of the present invention seek to provide a central system that manages authentication for all applications in a manner that is transparent to the user.
- a computer program product comprising a typically non- transitory computer usable medium or computer readable storage medium, typically tangible, having a computer readable program code embodied therein, said computer readable program code adapted to be executed to implement any or all of the methods shown and described herein. It is appreciated that any or all of the computational steps shown and described herein may be computer-implemented. The operations in accordance with the teachings herein may be performed by a computer specially constructed for the desired purposes or by a general purpose computer specially configured for the desired purpose by a computer program stored in a typically non- transitory computer readable storage medium.
- Any suitable processor, display and input means may be used to process, display e.g. on a computer screen or other computer output device, store, and accept information such as information used by or generated by any of the methods and apparatus shown and described herein; the above processor, display and input means including computer programs, in accordance with some or all of the embodiments of the present invention.
- processors workstation or other programmable device or computer or electronic computing device, either general-purpose or specifically constructed, used for processing; a computer display screen and/or printer and/or speaker for displaying; machine-readable memory such as optical disks, CDROMs, magnetic-optical discs or other discs; RAMs, ROMs, EPROMs, EEPROMs, magnetic or optical or other cards, for storing, and keyboard or mouse for accepting.
- processor includes a single processing unit or a plurality of distributed or remote such units.
- the above devices may communicate via any conventional wired or wireless digital communication means, e.g. via a wired or cellular telephone network or a computer network such as the Internet.
- the apparatus of the present invention may include, according to certain embodiments of the invention, machine readable memory containing or otherwise storing a program of instructions which, when executed by the machine, implements some or all of the apparatus, methods, features and functionalities of the invention shown and described herein.
- the apparatus of the present invention may include, according to certain embodiments of the invention, a program as above which may be written in any conventional programming language, and optionally a machine for executing the program such as but not limited to a general purpose computer which may optionally be configured or activated in accordance with the teachings of the present invention. Any of the teachings incorporated herein may wherever suitable operate on signals representative of physical objects or substances.
- a mobile communication system including:
- multiple login integration apparatus for secure integration of multiple login systems in mobile communication device applications.
- Embodiment 2 A system according to embodiment 1 wherein said apparatus incorporates a security processor with a dedicated smart-card based on PKI (Public Key Infrastructure) functionality.
- PKI Public Key Infrastructure
- Embodiment 3 A system according to embodiment 2 wherein at least one secure mobile device uses said PKI functionality as a basis for network authentication.
- Embodiment 4 A system according to embodiment 3 wherein said network authentication is compatible with smart-card authentication.
- Embodiment 5 A system according to embodiment 1 which also comprises apparatus for managing sign-on and applicative authentication that utilizes strong encryption available in a secure smart-phone.
- Embodiment 6 A system according to embodiment 1 which is operative to manage authentication for a plurality of applications in a manner that is transparent to the user.
- Embodiment 7 A system according to embodiment 1 wherein at least one of the mobile communication device applications use at least one of: username based authentication and password based authentication,
- Embodiment 8 A system according to embodiment 1 wherein PKI based authentication is employed and wherein a central entity is used to translate said authentication to an applicative authentication.
- Embodiment 9 A system according to embodiment 1 wherein a server is provided which has "single-sign on” functionality in conjunction with mobile authentication functionality.
- Embodiment 10 A system according to embodiment 9 wherein the server comprises a central server that defines logic of authentication of each application in the cellular network being served by the server.
- Embodiment 11 A mobile communication method including:
- multiple login integration including secure integration of multiple login systems in mobile communication device applications; the integration including: accepting, from a mobile application, an indication of a corporate application to which it wants to login including receiving, at an Authentication Broker, from the mobile application, a request to perform login to the corporate application;
- Embodiment 12 A method according to embodiment 11 wherein the individual mobile application is defined by a user of an individual mobile communication device.
- Embodiment 13 A system according to embodiment 9 wherein the server includes Authentication Broker functionality including modules that control the authentication process for various applications.
- Embodiment 14 A system according to embodiment 13 wherein authentication process control comprises modification or insertion of authentication records and/or enforcement of policies.
- Embodiment 15 A system according to embodiment 1 wherein the apparatus includes a Credential Management subsystem which, during integration of the network platform, installs at least some of the following information: username and password, private and/or first public key for a user, a second public key from the mobile device.
- a Credential Management subsystem which, during integration of the network platform, installs at least some of the following information: username and password, private and/or first public key for a user, a second public key from the mobile device.
- Embodiment 16 A system according to embodiment 1 wherein modules that control the authentication process reside in a central server, and hence can be centrally managed.
- Embodiment 17 A system according to embodiment 1 wherein a public key from a mobile communication device is used to protect a completely different key used to authenticate the mobile communication device to an application server.
- Embodiment 18 A system according to embodiment 1 wherein, when a mobile communication device user performs a login, at least some of the following occur: the mobile application sends a request to an Authentication Broker;
- the public key of the mobile device signs the request ;
- the Authentication Broker validates the request and creates a new login request to a target authentication system.
- Embodiment 19 A system according to embodiment 1 wherein user credentials are stored in the clear on a central server so that an Authentication Broker functionality can use the user credentials stored in the clear authenticate for purposes of another mobile application as well.
- Embodiment 20 A system according to embodiment 1 wherein the
- authentication credentials are not stored in the clear, but rather are encrypted by the public key of an intended user of the credentials.
- Embodiment 21 A system according to embodiment 20 wherein an
- authentication record is maintained including at least some of: the user name, user's password/private key, application and/or authentication service for which the record is intended.
- a mobile communication method including:
- multiple login integration including secure integration of multiple login systems in mobile communication device applications; the integration including: accepting, from a mobile application, an indication of a corporate application to which it wants to login including receiving, at an Authentication Broker, from the mobile application, a request to perform login to the corporate application;
- Embodiment 23 A method according to embodiment 22 which is repeated for each application/authentication service from among a plurality of such.
- Embodiment 24 A method according to embodiment 11 which is repeated sequentially or in parallel for each application/authentication service from among a plurality of such.
- Embodiment 25 A mobile application authentication method for authentication of applications serving any of a population of mobile devices interconnected by a communication network, the method comprising:
- Embodiment 26 A method according to embodiment 25 wherein said network comprises a wireless network.
- Embodiment 27 A method according to embodiment 26 wherein said network comprises a cellular network.
- Embodiment 28. A mobile application authentication method comprising:
- Embodiment 29 A mobile application authentication method comprising:
- Embodiment 30 A method according to embodiment 29 wherein said integrated authentication server comprises an Active Directory.
- Embodiment 31 A mobile application authentication method for authentication of applications serving any of a population of mobile devices interconnected by a communication network, the method comprising:
- Embodiment 32 A method according to embodiment 31 wherein said network comprises a wireless network.
- Embodiment 33 A method according to embodiment 31 wherein said network comprises a cellular network.
- Embodiment 34 A mobile application authentication method for authentication of applications serving any of a population of mobile devices interconnected by a communication network, the method comprising:
- Embodiment 35 A method according to any of embodiments 31 or 34 wherein a secured connection is generated between the mobile device and the broker which is secured by at least one of network- or user-authentication.
- Embodiment 36 A method according to embodiment 35 wherein authentication includes:
- the mobile device asks for an application from the broker over the secured connection
- the broker responds by sending back to the mobile device, over the secured connection, its own authentication record;
- an application in the mobile device forwards the authentication record received from the broker, on to the application server.
- Embodiment 37 A method according to any of embodiments 31 - 36 wherein information stored in the broker, is stored encrypted rather than in the clear and is subsequently sent as-is to the mobile device.
- Embodiment 38 A computer program product, comprising a computer usable medium having a computer readable program code embodied therein, said computer readable program code adapted to be executed to implement any of the methods shown and described herein.
- Embodiment 39 A method according each one of the preceding embodiments wherein said user identity authentication is based on biometric authentication mechanisms.
- Embodiment 40 A method according to embodiment 39 wherein said biometric authentication mechanisms is based at least one of the following: voice recognition, fingerprint, face recognition, iris recognition.
- Embodiment 41 A method according to any of embodiments 1 - 38 wherein said user identity authentication is based on manual user insertion of authentication record.
- Embodiment 42 A method according to embodiment 41 wherein said authentication record is username and password.
- Embodiment 43 A method according each one of the preceding embodiments wherein said user identity authentication is based on one or more of the proposed user identity authentication types such as biometric mechanisms and user insertion.
- Embodiment 44 A communication system according to any of the preceding embodiment that includes authentication record encryption apparatus (device or software) used for encryption of the clear authentication record.
- authentication record encryption apparatus device or software
- Embodiment 45 A communication system according to embodiment 44 wherein said authentication record encryption apparatus also is used to load said encrypted authentication records to the Authentication Broker.
- Embodiment 46 A method according to any of the preceding embodiments wherein said encrypted authentication record are created by authentication record encryption apparatus and loaded from the authentication record encryption apparatus to the Authentication Broker.
- the term "computer” should be broadly construed to cover any kind of electronic device with data processing capabilities, including, by way of non-limiting example, personal computers, servers, computing system, communication devices, processors (e.g. digital signal processor (DSP), microcontrollers, field programmable gate array (FPGA), application specific integrated circuit (ASIC), etc.) and other electronic computing devices.
- processors e.g. digital signal processor (DSP), microcontrollers, field programmable gate array (FPGA), application specific integrated circuit (ASIC), etc.
- DSP digital signal processor
- FPGA field programmable gate array
- ASIC application specific integrated circuit
- Any suitable input device such as but not limited to a sensor, may be used to generate or otherwise provide information received by the apparatus and methods shown and described herein.
- Any suitable output device or display may be used to display or output information generated by the apparatus and methods shown and described herein.
- Any suitable processor may be employed to compute or generate information as described herein e.g. by providing one or more modules in the processor to perform functionalities described herein.
- Any suitable computerized data storage e.g. computer memory may be used to store information received by or generated by the systems shown and described herein.
- Functionalities shown and described herein may be divided between a server computer and a plurality of client computers. These or any other computerized components shown and described herein may communicate between themselves via a suitable computer network.
- Figs. 1 - 7 are diagrams and schematics illustrating certain embodiments of the present invention.
- Computational components described and illustrated herein can be implemented in various forms, for example, as hardware circuits such as but not limited to custom VLSI circuits or gate arrays or programmable hardware devices such as but not limited to FPGAs, or as software program code stored on at least one intangible computer readable medium and executable by at least one processor, or any suitable combination thereof.
- a specific functional component may be formed by one particular sequence of software code, or by a plurality of such, which collectively act or behave or act as described herein with reference to the functional component in question.
- the component may be distributed over several code sequences such as but not limited to objects, procedures, functions, routines and programs and may originate from several computer files which typically operate synergistically.
- Data can be stored on one or more intangible computer readable media stored at one or more different locations, different network nodes or different storage devices at a single node or location.
- Suitable computer data storage or information retention apparatus may include apparatus which is primary, secondary, tertiary or off-line; which is of any type or level or amount or category of volatility, differentiation, mutability, accessibility, addressability, capacity, performance and energy use; and which is based on any suitable technologies such as semiconductor, magnetic, optical, paper and others.
- a system operative to unify multiple authentication schemes under a single entity, possibly with a central management system are now described e.g. with reference to Fig. 1.
- the same authentication system may be applied to the VPN Gateway and to the authentication system shown and described herein.
- Such a solution may create a unified authentication architecture that provides functional cooperation between the authentication mechanism (functionality) towards the VPN Gateway, and the applications within the organizational network.
- a problem which may arise is how to use a centrally managed PKI to grant and control authentication to multiple application servers, possibly under disjointed authentication schemes and/or disconnected systems.
- an organizationally managed server e.g. a server managed by the organization associated with the private network of Fig. 1, to translate authentication used by the mobile device to the VPN Gateway to an applicative authentication i.e. an authentication process usable by the application to determine the identity or permissions of the user using the mobile device.
- the user is required to use an external, often manual, authentication solution such as an RSA secure ID.
- Option a. in both situations above typically involves all applications being changed to incorporate a new authentication mechanism and thus may incur high integration costs on a plethora of platforms.
- Option b. in both situations above transfers the problem to the user and may therefore incur higher management costs.
- a server also termed herein the "Authentication Broker” that combines “single-sign on” functionality in conjunction with mobile authentication functionality.
- the mobile authentication functionality may be based on equipment/hardware authentication (such as but not limited to smart-card ID/key, SIM-card/IMEI) or on user authentication (such as username/password, manual key-insertion, any biometric authentication method e.g. fingerprint, face recognition, iris recognition or any other, either separately or in combination) or on a combined equipment and user authentication scheme.
- equipment/hardware authentication such as but not limited to smart-card ID/key, SIM-card/IMEI
- user authentication such as username/password, manual key-insertion, any biometric authentication method e.g. fingerprint, face recognition, iris recognition or any other, either separately or in combination
- the term “Single sign on” may be interpreted as is known in the art, e.g. as per Wikipedia, or may refer to a property of access control of multiple related, but independent software systems.
- the Authentication Broker server comprises a central server that contains logic and details re the authentication of each application in the cellular network being served by the server.
- the system of Fig. 1 may include some or all of the following functional units, interacting suitably e.g. as shown:
- Microsoft Active Directories 105, 115 - (Sample authentication platform); Applications 110 requiring authentication, such as but not limited to email server applications or web-application server applications;
- a communication network 140 such as an LTE network or alternatively any wireless communication or cellular system such as 3 rd generation cellular or WiMAX;
- a mobile device 135 is a mobile device 135;
- an Authentication Broker 120 e.g. as described below; and a management system 125 for the authentication broker, which is typically responsible for introducing records into the Secure Repository of the Authentication Broker e.g. as described in Figs. 3 and 4 below.
- Fig. 6 is a simplified flowchart illustration of a usage flow including information flow in the system of Fig. 1 , according to a first embodiment.
- the flow of Fig. 6 includes some or all of the following steps, suitably ordered e.g. as shown: step 1110:
- the user of an individual mobile communication device from among a population of such devices (not shown), such as but not limited to 3 rd or 4 th generation cellular telephone, selects a mobile application such as email application or a proprietary organizational application from among a plurality of applications on a mobile communication device of which, for simplicity, 3 mobile applications are shown.
- Step 1120 As part of the requirements for the service, the mobile application (i.e. the application that is running on the mobile device) needs to authenticate to the application servers. For example, a mobile application to view or edit emails is required to authenticate the user to the mail server before any mails can be sent or received. Typically, the mobile application sends a request to the Authentication Broker to perform login to the application
- Step 1140 The Authentication Broker of Fig. 1 verifies the user's credentials, e.g. by employing a standard authentication system such as Kerberos based on the public key of the mobile device or biometric mechanism or manual username and password insertion or any combination of them.
- a standard authentication system such as Kerberos based on the public key of the mobile device or biometric mechanism or manual username and password insertion or any combination of them.
- Step 1150 The Authentication Broker of Fig. 1 logins to the appropriate application server or authentication mechanism such as Active Directory.
- the specific Active-Directory is supplied or selected by the mobile application wishing to authenticate or by the applicative authentication mechanism (e.g. in cases where the application server handles its own authentication and does not employ an Active Directory server which is often the case in in-house developed custom applications); the Broker receives from the application server or authentication mechanism authentication token; the authentication token is sent to the mobile communication device.
- the content of the authentication token differs from application server to application server.
- the token may for example comprise a binary authentication token such as the Kerberos token.
- Step 1160 The mobile application uses the authentication token to login to the application server.
- the Authentication Broker of Fig. 1 contains modules that control the authentication process for the various applications. Authentication process control may for example comprise modification or insertion of authentication records and/or enforcement of policies.
- the Credential Management system of Fig. 1 typically installs the information employed. Information may for example include both username and password, or private and or first public key for the user, as well as a second public key from the mobile device.
- a particular advantage of having modules that control the authentication process which reside in the authentication broker 120, is that these processes can then be centrally managed (updated, replaced or configured e.g.) and the organization needs only maintain a single such entity.
- the public key from the device is used to protect a completely different key used to authenticate to the application server.
- the mobile application sends a request (step 130) to the Authentication Broker.
- the public key of the mobile device typically signs the request.
- the Authentication Broker 120 creates a new login request (step 150) to a target authentication system e.g. a target Active Directory such as Active Directory 105 or Active Directory 115 in Fig. 1.
- Fig. 1 When the method of Fig. 1 is employed, user credentials are stored on the central server and the credentials are kept in a readable form, e.g. in the clear, so that the Authentication Broker of Fig. 1 can authenticate for purposes of another mobile application as well. Implementation may for example be in accordance with Figs. 2 and 6.
- the authentication credentials are not stored in the clear, but keep each authentication record encrypted by the public key of the intended user of this record.
- the authentication record may for example include the user name and password/private key, the application and/or authentication service - such as Active Directory for which the record is intended.
- the owner of the mobile device for which the authentication record is encrypted there is a single user: the owner of the mobile device for which the authentication record is encrypted. Usually this would be the same user (e.g. human) that the record indicates. For example, a mobile device owner might get access to the authentication record for her or his email account.
- Fig. 7 is a simplified flowchart illustration of a usage flow including information flow in the system of Fig. 1 , according to a second embodiment.
- the flow of Fig. 7 includes some or all of the following steps, suitably ordered e.g. as shown:
- Step 1220 Providing to the authentication record encryption apparatus (device or software) the clear authentication records
- the authentication record encryption apparatus encrypts the clear authentication records; then the encrypted authentication records are loaded to the Authentication Broker memory
- Step 1240 perform steps 1110 - 1140 of Fig. 6
- Step 1250 The Authentication Broker sends the encrypted authentication record to the mobile device
- Step 1260 The software on the mobile device sends the encrypted authentication record to a Service Dispatcher running on the mobile device in a secured manner e.g. utilizing software security such as TrustZone virtualization or the device hardware security part.
- the Service Dispatcher decrypts the encrypted authentication record.
- Step 1270 The clear authentication record is used in order to further contact the application's servers. This can be optionally done for 2 alternatives:
- Step 1280 If the authentication record is username and password then it is given to the mobile application and is used by it for authentication with the application server or its authentication mechanism
- step 1290 If the authentication record is PKI or similar authentication mean then the Service Dispatcher is used as virtual smart card and the mobile application can use it as a smart card for authentication and identity needs with the application server or its authentication mechanism.
- the mobile device when the mobile device is created, its public key is sent and stored on the Credential Management subsystem of Fig. 1.
- the authentication information (such as but not limited to username/password or private key) may be encrypted by the user's public key and only the encrypted record may be sent to the Authentication Broker of Fig. 1.
- Fig. 7 there is typically absolutely no risk of a security breach even in the event that a hacker gets full access to the Authentication Broker of Fig. 1. Moreover, typically, in case a mobile device is lost or stolen, only the credentials for the user whose device was stolen are ever at risk. In addition, in the event that a mobile device is stolen, the Authentication Broker may be rapidly and easily updated re the stolen device identity, and may thereby prevent that stolen device from being served by the system.
- Figs. 6 and 7 both typically allow easy central management of permissions, and revocations in case such is needed. Central management of permissions and revocation may be provided as is standard in authentication systems.
- Figs. 6 and 7 are typically repeated or done in parallel respectively for each application/authentication service from among a plurality of such e.g. for each of applications 110 in Fig. 1 or 210 in Fig. 2.
- the public key from the mobile device is sent, ahead of its usage, to the credential management system.
- This embodiment typically employs a security domain which is obtainable by using standard means such as but not limited to ARM's TrustZone technology.
- a secured part can optionally run on the mobile device and may include either an optional dedicated security processor (not shown) or may use a software emulation thereof using for example ARM trustzone architecture.
- Active Directory is a commercial product which is just an example of suitable implementations of the relevant component. Any suitable Security Gateway may be used herein such as but not limited to the VPN Gateway specifically mentioned herein.
- the Authentication Broker may serve as the focal point for all authentication requests.
- Each authentication request is sent to the Authentication Broker, which, in turn, performs authentication on the target machine and passes the authenticated token to the application running on the mobile device.
- Example schematics are shown in Fig. 3.
- a suitable Interface towards the mobile device may be as follows:
- the Authentication Broker exposes an applicative API towards the mobile device, e.g. by performing one or more of the following functionalities, suitably ordered e.g. as below:
- connection The first step taken when the mobile application wishes to authenticate towards a service may be to connect to the Authentication Broker.
- the connection may be established by a secure connection mechanism such as SSL.
- the mobile device may use its internal security hardware part or a software implementation thereof to perform a Kerberos login e.g. according to the specs specified in IETF's RFC 4120.
- the authentication token may be used to authenticate a web-request.
- the request may include some or all of the following information:
- the result of this process differs according to the semantics of the authenticated service e.g. as per examples listed below.
- a new, service specific, authentication token is returned, or a response stating that the rest of the traffic has to be transferred through the Authentication Broker.
- the latter case is often used in the (relatively rare) cases where the actual authenticated connection is a critical part of the authentication process.
- Integration with Active Directory authentication may for example be as follows:
- Active Directory on its own typically uses Kerberos, e.g. as per IETF's RFC 4120, as the basis of their authentication scheme typically under either of the following two flavors: Password based authentication (either uses PAP or CHAP) or a certificate-based authentication.
- the authentication broker typically uses the Active-Directory integrator in order to contact the target Active Directory.
- the Authentication manager either uses the PKI core to provide a cryptographically secure signature towards the Active Directory or if password authentication is needed, contacts the secure repository to access the user's password.
- the Kerberos token is sent back towards the mobile device.
- Web applications use a myriad of authentication schemes.
- Active Directory is commonly used, in which case, the solution above is used and no actual authentication is performed towards the Web-Application.
- Http based authentication schemes may be used, e.g. HTTP Basic authentication such as for example as described by tools.ietf.org' s RFC 2617.
- Other web-applications use entirely custom authentication schemes; a suitable embodiment is described in detail below.
- the Web-Application authenticator performs the authentication and sends back the result to the mobile device.
- the password is actually sent back to the mobile device to perform logins. This option may be supported but discouraged.
- the Authentication Broker supports a plugin architecture that allows the addition of authentication modules towards specific applications.
- the authentication module has access to the credentials of users towards this specific server.
- Integration with socket-based authentication may be provided.
- there is a special class of stateful authentication mechanisms where the actual logical connection, typically including the source IP and port of the originator of the authentication request, are part of the authenticated token. This typically does not permit the transfer of an authentication token.
- the Authentication Broker may reply to the device that "Forwarding" is required.
- the mobile device may then route all traffic destined to the application server through the Authentication Broker.
- the Authentication Broker may forward the content of the communication to the application server.
- the software on the mobile device may be configured with the communication parameters of the Authentication Broker. Each mobile application uses this address and a supplied software library to connect to the Authentication Broker.
- the Authentication Broker serves as a secure repository for authentication credentials, while the actual authentication logic is mostly performed on the mobile device itself. Authentication requests are preceded by requests for credentials which are sent to the Authentication Broker. The Authentication Broker returns the encrypted authentication records to the mobile device for further processing.
- the user's authentication information is typically stored in an encrypted format optionally based on a PKI encryption scheme.
- the resulting "authentication record" is encrypted by the mobile device's public key so that only the mobile device's private key may decode it.
- An example of suitable schematics are shown in Fig. 4.
- An example Interface towards mobile device may be as follows:
- the Authentication Broker exposes an applicative API towards the mobile device, e.g. by performing one or more of the following functionalities, suitably ordered e.g. as below:
- connection The first step taken when the mobile application wishes to authenticate towards a service may be to connect to the Authentication Broker.
- the connection may be established by a secure connection mechanism such as SSL.
- the mobile device may use its internal security hardware part, or a software implementation thereof, to perform a Kerberos login e.g. according to the specs specified in IETF's RFC 4120.
- the authentication token may be used to authenticate a web-request.
- the request may include some or all of the following information:
- Target authentication server iv.
- the Authentication Broker sends the encrypted authentication record towards the mobile device.
- the authentication process itself is typically performed by the mobile device, typically by software on the mobile device.
- the relevant parts of the software architecture may for example be as shown in the diagram of Fig. 5.
- the application When the application requests to perform authentication, the application typically requests this from the Authentication Library, which in turns contacts the Authentication Broker e.g. as described above.
- the Authentication Broker then typically sends the encrypted authentication record to the mobile device.
- the authentication record may be encrypted e.g. using a coordinated (between the mobile device and the Authentication Broker) encryption/authentication method such as, for example, PKI schemes or may be based on equipment/hardware encryption/authentication (such but not limited to as smart-card ID/key, SIM- card/IMEI) or on user authentication (such as but not limited to username/password, manual key-insertion, any biometric authentication method i.e. fingerprint, face recognition, iris recognition or any other, separately or in combination) or on a combined equipment and user authentication scheme. Encryption of the Authentication record prevents unauthorized use of the clear authentication record because only the destined mobile device can decrypt it.
- a coordinated (between the mobile device and the Authentication Broker) encryption/authentication method such as,
- Service Dispatcher which decrypts the record, optionally using the PKI core, to access the (clear) private key of the device.
- the target authentication is based on a clear password
- this password is typically sent to the application.
- the application authentication is based on a public-key scheme or a hash-based authentication
- the actual algorithm or process may be run in the Secured Domain and only the result sent back to the application.
- the Secured Domains may act as a partial "Trusted Processing Module" whose operation is defined by TrustedComputingGroup.org.
- An advantage of certain embodiments of the invention is that the mobile device user need not remember a multiplicity of passwords for each of a multiplicity of applications (e.g. if each application button on a mobile device, such as Youtube, email, etc., were to demand its own user name and password upon being pressed); instead, a connection secured enough to transmit a password (e.g.) on is provided and a single sign-on can then be effected for the multiplicity of applications.
- An advantage of certain embodiments of the invention is that although the communication network serving the mobile devices offering the applications may be wireless e.g. cellular, rather than wired e.g. Internet, and although wireless network are more sensitive to interception, nonetheless, security is achieved.
- the encryption can simultaneously achieve two goals, both security of the secured connection and preventing leakage of information in case the broker is hacked or otherwise compromised.
- software components of the present invention including programs and data may, if desired, be implemented in ROM (read only memory) form including CD-ROMs, EPROMs and EEPROMs, or may be stored in any other suitable typically non-transitory computer-readable medium such as but not limited to disks of various kinds, cards of various kinds and RAMs.
- ROM read only memory
- EEPROM electrically erasable programmable read-only memory
- Components described herein as software may, alternatively, be implemented wholly or partly in hardware, if desired, using conventional techniques.
- components described herein as hardware may, alternatively, be implemented wholly or partly in software, if desired, using conventional techniques.
- Any computer-readable or machine -readable media described herein is intended to include non-transitory computer- or machine-readable media.
- Any computations or other forms of analysis described herein may be performed by a suitable computerized method. Any step described herein may be computer-implemented.
- the invention shown and described herein may include (a) using a computerized method to identify a solution to any of the problems or for any of the objectives described herein, the solution optionally include at least one of a decision, an action, a product, a service or any other information described herein that impacts, in a positive manner, a problem or objectives described herein; and (b) outputting the solution.
- the scope of the present invention is not limited to structures and functions specifically described herein and is also intended to include devices which have the capacity to yield a structure, or perform a function, described herein, such that even though users of the device may not use the capacity, they are if they so desire able to modify the device to obtain the structure or function.
- a system embodiment is intended to include a corresponding process embodiment.
- each system embodiment is intended to include a server-centered "view” or client centered “view”, or “view” from any other node of the system, of the entire functionality of the system , computer-readable medium, apparatus, including only those functionalities performed at that server or client or node.
Abstract
Description
Claims
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
IL215424A IL215424B (en) | 2008-06-17 | 2011-09-26 | A mobile communication system implementing lntegration of multiple logins of mobile device applications |
PCT/IL2012/050394 WO2013065037A1 (en) | 2011-09-26 | 2012-09-27 | A mobile communication system implementing integration of multiple logins of mobile device applications |
Publications (2)
Publication Number | Publication Date |
---|---|
EP2761852A1 true EP2761852A1 (en) | 2014-08-06 |
EP2761852A4 EP2761852A4 (en) | 2015-10-21 |
Family
ID=48194183
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP12846629.9A Withdrawn EP2761852A4 (en) | 2011-09-26 | 2012-09-27 | A mobile communication system implementing integration of multiple logins of mobile device applications |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP2761852A4 (en) |
SG (2) | SG11201401003VA (en) |
WO (1) | WO2013065037A1 (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2530040B (en) * | 2014-09-09 | 2021-01-20 | Arm Ip Ltd | Communication mechanism for data processing devices |
US9769668B1 (en) | 2016-08-01 | 2017-09-19 | At&T Intellectual Property I, L.P. | System and method for common authentication across subscribed services |
KR101687151B1 (en) * | 2016-08-27 | 2016-12-15 | 주식회사 탐생 | Providing method for data of study using mobile terminal |
CN112288396A (en) * | 2020-10-29 | 2021-01-29 | 上海淇玥信息技术有限公司 | Multi-system user attribute information management method and device and electronic equipment |
CN114567475A (en) * | 2022-02-23 | 2022-05-31 | 平安国际智慧城市科技股份有限公司 | Multi-system login method and device, electronic equipment and storage medium |
Family Cites Families (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7221935B2 (en) * | 2002-02-28 | 2007-05-22 | Telefonaktiebolaget Lm Ericsson (Publ) | System, method and apparatus for federated single sign-on services |
US7487537B2 (en) * | 2003-10-14 | 2009-02-03 | International Business Machines Corporation | Method and apparatus for pervasive authentication domains |
WO2005062989A2 (en) | 2003-12-23 | 2005-07-14 | Wachovia Corporation | Authentication system for networked computer applications |
US7607008B2 (en) | 2004-04-01 | 2009-10-20 | Microsoft Corporation | Authentication broker service |
ES2311821T3 (en) * | 2004-05-12 | 2009-02-16 | Telefonaktiebolaget Lm Ericsson (Publ) | AUTHENTICATION SYSTEM |
CN101069402B (en) * | 2004-10-26 | 2010-11-03 | 意大利电信股份公司 | Method and system for transparently authenticating a mobile user to access web services |
US20090125992A1 (en) * | 2007-11-09 | 2009-05-14 | Bo Larsson | System and method for establishing security credentials using sms |
US9736153B2 (en) * | 2008-06-27 | 2017-08-15 | Microsoft Technology Licensing, Llc | Techniques to perform federated authentication |
US8438382B2 (en) * | 2008-08-06 | 2013-05-07 | Symantec Corporation | Credential management system and method |
WO2010037201A1 (en) * | 2008-09-30 | 2010-04-08 | Wicksoft Corporation | System and method for secure management of mobile user access to enterprise network resources |
US8510810B2 (en) * | 2008-12-23 | 2013-08-13 | Bladelogic, Inc. | Secure credential store |
-
2012
- 2012-09-27 WO PCT/IL2012/050394 patent/WO2013065037A1/en active Application Filing
- 2012-09-27 SG SG11201401003VA patent/SG11201401003VA/en unknown
- 2012-09-27 EP EP12846629.9A patent/EP2761852A4/en not_active Withdrawn
- 2012-09-27 SG SG10201601550XA patent/SG10201601550XA/en unknown
Also Published As
Publication number | Publication date |
---|---|
EP2761852A4 (en) | 2015-10-21 |
WO2013065037A1 (en) | 2013-05-10 |
SG11201401003VA (en) | 2014-08-28 |
SG10201601550XA (en) | 2016-03-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10284366B2 (en) | Mobile communication system implementing integration of multiple logins of mobile device applications | |
AU2019384472B2 (en) | Dual factor authentication with active directory and one time password token combination | |
US10728044B1 (en) | User authentication with self-signed certificate and identity verification and migration | |
JP6731023B2 (en) | Secure single sign-on and conditional access for client applications | |
US11881937B2 (en) | System, method and computer program product for credential provisioning in a mobile device platform | |
US9628448B2 (en) | User and device authentication in enterprise systems | |
US10630489B2 (en) | Apparatus and method for managing digital certificates | |
KR102036758B1 (en) | Fast smart card logon and federated full domain logon | |
US9866546B2 (en) | Selectively enabling multi-factor authentication for managed devices | |
EP3008877B1 (en) | User authentication in a cloud environment | |
US8627409B2 (en) | Framework for automated dissemination of security metadata for distributed trust establishment | |
US10349272B2 (en) | Virtual SIM card cloud platform | |
WO2013065037A1 (en) | A mobile communication system implementing integration of multiple logins of mobile device applications | |
US20230135968A1 (en) | Control of access to computing resources implemented in isolated environments | |
Casey et al. | An interoperable architecture for usable password-less authentication | |
US11032708B2 (en) | Securing public WLAN hotspot network access | |
US20220029991A1 (en) | Integrated hosted directory |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20140424 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
DAX | Request for extension of the european patent (deleted) | ||
RIC1 | Information provided on ipc code assigned before grant |
Ipc: H04L 29/06 20060101AFI20150409BHEP Ipc: H04W 12/06 20090101ALI20150409BHEP Ipc: H04W 88/02 20090101ALI20150409BHEP |
|
RA4 | Supplementary search report drawn up and despatched (corrected) |
Effective date: 20150923 |
|
RIC1 | Information provided on ipc code assigned before grant |
Ipc: H04W 12/06 20090101ALI20150917BHEP Ipc: H04W 88/02 20090101ALI20150917BHEP Ipc: H04L 29/06 20060101AFI20150917BHEP |
|
17Q | First examination report despatched |
Effective date: 20190311 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
|
18D | Application deemed to be withdrawn |
Effective date: 20190723 |