WO2013100967A1 - Web authentication using client platform root of trust - Google Patents

Info

Publication number
WO2013100967A1
Authority
WO
WIPO (PCT)
Prior art keywords
stored
server
website
web address
uniform resource
Prior art date
Application number
PCT/US2011/067592
Inventor
Gyan Prakash
Rajesh Poornachandran
Original Assignee
Intel Corporation
Application filed by Intel Corporation
Priority to EP11878354.7A (patent EP2798772A4)
Priority to CN201180075948.8A (patent CN104025503B)
Priority to PCT/US2011/067592 (patent WO2013100967A1)
Priority to US13/992,811 (patent US9887997B2)
Priority to JP2014550250A (patent JP5850382B2)
Priority to TW101148119A (patent TWI477137B)
Publication of WO2013100967A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2129 Authenticate client device independently of the user

Definitions

  • Accessing personal information online has increasingly become commonplace, as it has become a convenient and efficient way to manage one's affairs. For example, users may access their bank accounts online to view balances and transactions, transfer money, pay bills, etc. Although the ability to access such information provides convenience, it also raises the potential of security threats to sensitive information.
  • a threat to personal information is a phishing attack, in which a user may be taken to or redirected to a fake website to gather personal information such as a username, password, social security number, date of birth, credit card information, etc.
  • communications purporting to be from a popular social website, auction site, online payment processor, etc. may be used to lure an unsuspecting user into providing personal information.
  • a threat to personal information is a pharming attack, in which a user may be redirected to a fake website by a false domain name service (DNS) record, effectively redirecting the traffic from the intended website to the fake website. For example, this may be done by changing a DNS host file after breaching the DNS server.
  • DNS domain name service
  • SSL secure socket layer
  • TLS transport layer security
  • PKI public key infrastructure
  • URI uniform resource identifier
  • secure authentication using SSL or TLS and certificates may include indicating that a connection is in authentication mode, indicating which website a user is connected to, and indicating which authority (e.g., certificate authority) authenticates the identity of the website.
  • this authentication process may be easy to circumvent, because the authentication is typically confirmed by the user, introducing user error. Additionally, because these current techniques for preventing attacks are purely software-based, they may be ineffective against some threats to personal information (e.g., if the user's own computer is compromised).
  • FIG. 1 illustrates an example of a system for utilizing a secure execution environment in accordance with example embodiments
  • FIG. 2 illustrates an example of a method for provisioning a user device to securely access a website in accordance with example embodiments
  • FIG. 3 illustrates an example of a method for securely accessing a website using a provisioned user device in accordance with example
  • FIG. 4 illustrates a block diagram of an example of a machine upon which any one or more of the techniques discussed herein may be performed in accordance with example embodiments.
  • the server of the website may authenticate the user before allowing access.
  • the website may be any website that a user may use to access personal information.
  • the website may be a bank website for accessing account information.
  • the authentication may include authenticating the particular user device used to access the website.
  • the authentication of the user device may be performed using a secure execution environment on the user device.
  • the secure execution environment may be a hidden environment (e.g., not visible or directly accessible, in whole or part, by the user, the operating system, or other applications running on the user device) on the user device upon which web authentication may occur.
  • Web authentication using a particular user device may occur by provisioning the particular user device to be authenticated with the server of the website.
  • a user may provide credentials used to log in to the website.
  • the credentials used to log in to a website may be any credentials for a user that may help verify the identity of the user. Examples of credentials may include any one or more of the following: a username; a password; a social security number; an account number; a date of birth; credit card information; a billing address; a phone number; etc.
  • the server may determine whether the device belongs to the user.
  • the server may verify whether the user owns the device by determining whether the device is in a particular geographic area (e.g., address, building, city, state, global positioning system (GPS) coordinates, etc.) associated with the device or the user. After successful verifications, the server may generate a device-specific URI (e.g., a web address) specific to the user device.
  • This device-specific URI may be stored in both the secure execution environment of the user device and at the server. The stored device-specific URI may be used for web authentication.
  • the user may use the device-specific URI stored in the secure execution environment to access the website securely.
  • the server may receive the device-specific URI from the secure execution environment of the device and may verify that the URI is valid for the device that is being used to access the website.
  • Web authentication that includes a device-specific authorization module increases security by ensuring that the entity accessing the user's information is authorized to do so.
  • the server may send the device-specific URI to the user device and the secure execution environment on the device may verify that the website that will be accessed is the intended website and not a fake website to which the user may have been redirected.
  • FIG. 1 illustrates an example of a system 100 for using a secure execution environment 160.
  • the system 100 may include a user device 110 in communication with a content web server 115 and an authorization server 120 via a network 105.
  • the authorization server 120 may include an authorization module arranged to perform any one or more of the operations of the authorization of the authorization server 120.
  • the network 105 may be any communication network for communicating between entities (e.g., the Internet, local area network, etc.).
  • the user device 110 may be any user device arranged (e.g., configured) to access a website.
  • User device 110 examples may include, but are not limited to: mobile devices (e.g., smartphones, portable digital assistants (PDAs), tablet computers); desktop computers; laptop computers; televisions; set-top boxes; media consoles; etc.
  • the user device 110 may include one or more processors 125 in communication with a memory 135.
  • the memory 135 may include any type of memory to store instructions executable by the one or more processors 125, applications, or operating systems of the user device 100.
  • the memory 135 may also store data, such as in a filesystem (e.g., one or more data structures arranged to store files).
  • the user device 110 may include one or more communication modules 130 (e.g., antenna, circuits arranged to enable Wi-Fi®, Wi-Max®, or cellular communications, etc.), a display module 140 (e.g., processing hardware, screen, etc.) arranged to display information to a user, a camera module 145 for capturing photos and/or video, and one or more input modules 150 arranged to receive inputs from a user (e.g., microphone, keypad, etc.).
  • the user device 110 may include a platform sensor hub 155, which may be connected to, or include, inertial sensors, pressure sensors, ambient light sensors, proximity sensors, global positioning system (GPS) devices, etc.
  • GPS global positioning system
  • the user device 110 may include a secure execution environment 160.
  • the secure execution environment 160 may be arranged to provide host-independent tamper-proof secure computing and storage capabilities.
  • the secure execution environment 160 may include one or more processors or instructions on machine (e.g., computer) readable media arranged to perform authentication of the user device 110 to a website.
  • the secure execution environment 160 may store the device-specific URI provisioned to the user device 110.
  • the secure execution environment 160 may store an encrypted version of the device-specific URI, such as a device-specific URL signature hash.
  • the encrypted version of the device-specific URI may be encrypted using any type of encryption mechanism.
  • the components of the user device 110 may be contained within the user device 110 as one or more chips.
  • the user device 110 may contain one or more processors including: multi-core processors, main core processors, or ultra-low power core processors, etc.
  • the content web server 115 may be any web server arranged to provide access to one or more websites for an entity.
  • the content web server 115 may provide access to content including, for example, personal information, user accounts, etc.
  • the authorization server 120 may be any web server arranged to perform the authorization of the user device 110 (e.g., via an authorization module).
  • the authorization server 120 may store user device information such as tamper resistant software (TRS), the device-specific URI, encryption keys, etc.
  • the authorization server 120 may be a third-party server arranged to perform authorization for any number of content web servers from any number of entities.
  • the operations performed by the content web server 115 and the authorization server 120 may be performed by the same server (e.g., computer).
  • FIG. 2 illustrates an example of a method 200 for provisioning a user device 110 to securely access a website.
  • the authorization server 120 may receive a request to provision the user device 110 to access a website securely.
  • Receiving the request may include receiving user credentials from the user.
  • the user credentials received may be any credentials for verifying the identity of the user (e.g., username, password, etc.).
  • the authorization server 120 may determine whether the credentials are valid. This may include determining whether the credentials match a particular user account of the website. If the credentials are not valid, in operation 215, the request to provision the device may be denied. In operation 220, if the credentials are valid, the authorization server 120 may determine whether the device is valid. In an embodiment, this may include determining whether the device to be provisioned is owned by the user. For example, the authorization server 120 may determine whether the geographical location of the device matches the location in which the user resides or receives service. If the device is not valid, in operation 215, the request to provision the device may be denied.
  • the authorization server 120 may store this device-specific URI.
  • the authorization server 120 may store one or more of encryption keys, identifiers for the user, identifiers for the user device 110, TRS-based root of trust, etc., for web authentication of the user device 110.
  • the authorization server 120 may send the device-specific URI and any encryption keys to the secure execution
  • the secure execution environment 160 may store the device-specific URI and any encryption keys for web authentication with the website.
  • This device-specific URI may be encrypted with the user device's public key such that only that specific user device may receive the URI signature for the device-specific URI securely.
  • FIG. 3 illustrates an example of a method 300 for securely accessing a website using a provisioned user device 110 storing a device-specific URI and any encryption keys at the secure execution environment 160.
  • the secure execution environment 160 may send a request to access the website to the authorization server 120.
  • the request may include a hypertext transfer protocol (HTTP) header handshake.
  • HTTP hypertext transfer protocol
  • the request may also include a device-specific authentication indicator (e.g., flag) indicating that the extended security of the device-specific authentication is included in the header.
  • a user may request to visit a generic website for a bank (e.g., http://www.bankname.com).
  • the request may include the device-specific authentication indicator indicating that extended security of the device-specific authentication should be used.
  • the authorization server 120 may determine whether the request includes a valid device-specific authentication indicator in the header. If the header does not properly include the device-specific authentication indicator, in operation 315, the authorization server 120 may direct the user to proceed with the credential check for a non-provisioned device (e.g., using TLS). For example, the user may log in to an account at the website using credentials for the non-extended security authentication (authentication that is not based on the user device 110). In an embodiment, if the header does not properly include the device-specific authentication indicator, the authorization server 120 may initiate the provisioning process (e.g., as described above). In an embodiment, if the header does not properly include the device-specific authentication indicator, the authorization server 120 may deny access to the website.
  • the secure execution environment 160 may receive a request for the device-specific URI from the authorization server 120 (e.g., http://www.bankname.com/deviceURL012345). In operation 325, the secure execution environment 160 may send the device-stored device-specific URI to the authorization server 120 in response to the request of operation 320. In an embodiment, an encrypted device-specific URI (e.g., a URL signature hash) may be sent to the authorization server 120.
  • the secure execution environment 160 may receive the server-stored device-specific URI from the authorization server 120. This may be received so that the secure execution environment 160 may verify that the website to be accessed is the intended website and that the user has not been redirected to another website (e.g., as in a pharming attack).
  • the authorization server 120 may determine whether the device-stored URI is valid.
  • a device-stored URI may be valid if it matches the device-specific URI stored at the authorization server 120.
  • the authorization server 120 may decrypt the received device-stored URI using the encryption key stored at the authorization server 120. If the decrypted device-stored URI matches the URI stored at the authorization server 120, the device-stored URI may be determined to be valid. If the device-stored URI is determined to be invalid, in operation 340, the authorization server 120 may deny access to the website based on the device-specific web authentication. In an embodiment, the user may be directed to perform the non-extended security authentication credential check (e.g., as described in operation 315).
  • the secure execution environment 160 may also determine whether the received server-stored URI is valid.
  • the secure execution environment 160 may decrypt the received server-stored URI using the encryption key stored at the secure execution environment 160. If the decrypted server-stored URI matches the URI stored at the secure execution environment 160, the server-stored URI may be determined to be valid. This may ensure that the user has not been redirected to another website (e.g., a malicious website). If the server-stored URI is determined to be invalid, in operation 350, the secure execution environment 160 may deny access to the website based on the device-specific web authentication. In an embodiment, the user may, instead of being denied access to the website, proceed with the non-extended security authentication credential check (e.g., as described in operation 315).
  • the user device 110 may securely access the website.
  • access may be automatic without requiring additional information from the user.
  • access may be provided after the user enters any requested user credentials.
  • the device-specific authentication may be an extension to SSL or TLS.
  • access to the website may be allowed based on a one-time password (OTP) process.
  • OTP one-time password
  • the authorization server 120 may send a URI that is valid to access the website for a particular (e.g., defined, temporary, etc.) period of time.
  • the URI (e.g., OTP URI to provide website access during the particular period of time) may be generated by the authorization server 120 by appending a user device identifier and a timestamp for the time of authentication to the website's address.
  • the OTP URI may include the user device identifier and the timestamp based on an OTP algorithm such that the URI may only be used to access the website for the particular period of time.
  • FIG. 4 illustrates a block diagram of an example of a machine 400 upon which any one or more of the techniques (e.g., methodologies) discussed herein may be performed.
  • the machine 400 may operate as a standalone device or may be connected (e.g., networked) to other machines.
  • the machine 400 may operate in the capacity of a server machine, a client machine, or both in server-client network environments.
  • the machine 400 may act as a peer machine in a peer-to-peer (P2P) (or other distributed) network environment.
  • P2P peer-to-peer
  • the machine 400 may be a personal computer (PC), a tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a mobile telephone, a web appliance, a network router, switch or bridge, or any machine capable of executing instructions (sequential or otherwise) that specify actions to be taken by that machine.
  • the term "machine" shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein, such as cloud computing, software as a service (SaaS), or other computer cluster configurations.
  • SaaS software as a service
  • Examples, as described herein, may include, or may operate on, logic or a number of components, modules, or mechanisms.
  • Modules are tangible entities capable of performing specified operations and may be configured or arranged in a certain manner.
  • circuits may be arranged (e.g., internally or with respect to external entities such as other circuits) in a specified manner as a module.
  • the whole or part of one or more computer systems e.g., a standalone, client or server computer system
  • one or more hardware processors may be configured by firmware or software (e.g., instructions, an application portion, or an application) as a module that operates to perform specified operations.
  • the software may reside (1) on a non-transitory machine-readable medium or (2) in a transmission signal.
  • the software when executed by the underlying hardware of the module, causes the hardware to perform the specified operations.
  • the term "module" is understood to encompass a tangible entity, be that an entity that is physically constructed, specifically configured (e.g., hardwired), or temporarily (e.g., transitorily) configured (e.g., programmed) to operate in a specified manner or to perform part or all of any operation described herein.
  • each of the modules need not be instantiated at any one moment in time.
  • the modules comprise a general-purpose hardware processor configured using software
  • the general-purpose hardware processor may be configured as respective different modules at different times.
  • Software may accordingly configure a hardware processor, for example, to constitute a particular module at one instance of time and to constitute a different module at a different instance of time.
  • the machine 400 may include at least one hardware processor 402 (e.g., a central processing unit (CPU), a graphics processing unit (GPU), a hardware processor core, or any combination thereof), a main memory 404, and a static memory 406, some or all of which may communicate with each other via an interlink 408 (e.g., a link or a bus).
  • the machine 400 may further include a display device 410, an input device 412 (e.g., a keyboard), and a user interface (UI) navigation device 414 (e.g., a mouse).
  • the display device 410, input device 412, and UI navigation device 414 may be a touch screen display.
  • the machine 400 may additionally include a mass storage (e.g., drive unit) 416, a signal generation device 418 (e.g., a speaker), a network interface device 420, and one or more sensors 421, such as a global positioning system (GPS) sensor, compass, accelerometer, or other sensor.
  • the machine 400 may include an output controller 428, such as a serial (e.g., universal serial bus (USB)), parallel, or other wired or wireless (e.g., infrared (IR)) connection to communicate or control one or more peripheral devices (e.g., a printer, card reader, etc.).
  • USB universal serial bus
  • IR infrared
  • the mass storage 416 may include a machine-readable storage medium 422 on which is stored one or more sets of data structures or instructions 424 (e.g., software) embodying or utilized by any one or more of the techniques or functions described herein.
  • the instructions 424 may also reside, completely or at least partially, within the main memory 404, within static memory 406, or within the hardware processor 402 during execution thereof by the machine 400.
  • one or any combination of the hardware processor 402, the main memory 404, the static memory 406, or the mass storage 416 may constitute machine readable media.
  • While the machine-readable storage medium 422 is illustrated as a single medium, the term “machine readable medium” may include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that are configured to store the one or more instructions 424.
  • machine-readable storage medium may include any tangible medium that is capable of storing, encoding, or carrying instructions for execution by the machine 400 and that cause the machine 400 to perform any one or more of the techniques of the present disclosure, or that is capable of storing, encoding or carrying data structures used by or associated with such instructions.
  • Non-limiting machine-readable medium examples may include solid-state memories, and optical and magnetic media.
  • Specific examples of machine-readable media may include: non-volatile memory, such as flash memory devices (e.g., Electrically Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM)); magnetic disks, such as internal hard disks and removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks.
  • the instructions 424 may further be transmitted or received over a communications network 426 using a transmission medium via the network interface device 420 utilizing any one of a number of transfer protocols (e.g., frame relay, internet protocol (IP), transmission control protocol (TCP), user datagram protocol (UDP), hypertext transfer protocol (HTTP), etc.).
  • Example communication networks may include a local area network (LAN), a wide area network (WAN), a packet data network (e.g., the Internet), mobile telephone networks (e.g., cellular networks), Plain Old Telephone (POTS) networks, and wireless data networks (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.11 family of standards known as Wi-Fi®, IEEE 802.16 family of standards known as WiMax®), peer-to-peer (P2P) networks, among others.
  • the network interface device 420 may include one or more physical jacks (e.g., Ethernet, coaxial, or phone jacks) or one or more antennas to connect to the communications network 426.
  • the network interface device 420 may include a plurality of antennas to wirelessly communicate using at least one of single-input multiple-output (SIMO), multiple-input multiple-output (MIMO), or multiple-input single-output (MISO) techniques.
  • SIMO single-input multiple-output
  • MIMO multiple-input multiple-output
  • MISO multiple-input single-output
  • transmission medium shall be taken to include any intangible medium that is capable of storing, encoding or carrying instructions for execution by the machine 400, and includes digital or analog communications signals or other intangible medium to facilitate communication of such software.
  • Example 1 may include subject matter (such as an apparatus, device, machine, target machine, or system) comprising at least one processor and a secure execution environment.
  • the at least one processor may be arranged to request a website and access the website in response to a website access initiation from an authorization module on a server.
  • the secure execution environment may be arranged to store a device-stored uniform resource identifier, send the device-stored uniform resource identifier to the authorization module, receive a server-stored uniform resource identifier from the authorization module and send a validity determination to the authorization module in response to a validation of the server-stored uniform resource identifier by the secure execution environment, the website access initiation being based on the validity determination.
  • Example 2 the subject matter of Example 1 may optionally include, wherein to send the device-stored uniform resource identifier includes the secure execution environment arranged to send an encryption of the device-stored uniform resource identifier.
  • Example 3 the subject matter of one or any of Examples 1-2 may optionally include, wherein the validation of the server-stored uniform resource identifier includes the server execution environment arranged to compare the server-stored uniform resource identifier to the device-stored uniform resource identifier and make the validity determination valid if they match and invalid otherwise.
  • Example 4 the subject matter of one or any of Examples 1-3 may optionally include, wherein to receive the server-stored uniform resource identifier includes the server execution environment arranged to receive an encryption of the server-stored uniform resource identifier.
  • Example 5 the subject matter of one or any of Examples 1-4 may optionally include, wherein to access the website includes the processor arranged to access account information associated with an account of a user of the device.
  • Example 6 the subject matter of one or any of Examples 1-5 may optionally include, wherein the secure execution environment is further arranged to send a provisioning request to the authorization module to configure the device to securely access the website, the provisioning request including credentials of a user having an account associated with the website, and receive the device-stored uniform resource identifier after the authorization module has determined that the credentials are valid and that the device is associated with the user.
  • Example 7 the subject matter of one or any of Examples 1-6 may optionally include, wherein the request includes an indicator to use device-specific authentication, the authorization module sending the server-stored uniform resource identifier based on the indicator.
  • Example 8 the subject matter of one or any of Examples 1-7 may optionally include, wherein the device-stored uniform resource identifier is arranged to provide access to the website for a particular period of time.
  • Example 9 the subject matter of one or any of Examples 1-8 may optionally include, wherein the secure execution environment is arranged to deny access to the website by the processor.
  • Example 10 may include, or may optionally be combined with the subject matter of one or any combination of Examples 1-9 to include, subject matter (such as a method, means for performing acts, or machine-readable medium including instructions that, when performed by a machine cause the machine to perform acts) comprising responsive to a request to access a website using a device having a secure execution environment, the device arranged to use a client platform root of trust, sending to a server a device-stored web address stored at the secure execution environment, the device-stored web address being specific to the device, receiving at the secure execution environment on the device, a server-stored web address stored at the server, the server-stored web address being specific to the device, determining, via the secure execution environment, whether the server-stored web address is valid, and initiating access to the website if the server-stored web address is valid and if the server determines that the device-stored web address is valid.
  • Example 11 the subject matter of Example 10 may optionally include, wherein accessing the website includes accessing account information associated with an account of a user.
  • Example 12 the subject matter of one or any of Examples 10-11 may optionally include, wherein the server-stored web address is valid if the server-stored web address matches the device-stored web address.
  • Example 13 the subject matter of one or any of Examples 10-
  • sending the device-stored web address includes sending an encryption of the device-stored web address.
  • Example 14 the subject matter of one or any of Examples 10-13 may optionally include, wherein receiving the server-stored web address includes receiving an encryption of the server-stored web address.
  • Example 15 the subject matter of one or any of Examples 10-14 may optionally include, sending to the server a request to configure the device to securely access the website including sending credentials of a user having an account associated with the website, receiving at the secure execution environment the device-stored web address after the server has determined that the credentials are valid and that the device is associated with the user, and storing the device-stored web address at the secure execution environment.
  • Example 16 the subject matter of one or any of Examples 10-15 may optionally include, wherein the request to access the website includes an indicator indicating the secure execution environment stores the device-stored web address, the server-stored web address being received based on the indicator.
  • Example 17 the subject matter of one or any of Examples 10-16 may optionally include, wherein the access to the website is provided by the server for a period of time.
  • Example 18 the subject matter of one or any of Examples 10-17 may optionally include denying, via the secure execution environment, access to the website if the server-stored web address is invalid.
  • Example 19 may include, or may optionally be combined with the subject matter of one or any combination of Examples 1-18 to include, subject matter (such as an apparatus, device, machine, or system) comprising an authorization module for device-specific web authentication.
  • the authorization module may be arranged to receive a request to access a website from a device having a secure execution environment, receive a device-stored uniform resource identifier from the device, the device-stored uniform resource identifier being stored in the secure execution environment, send a server-stored uniform resource identifier to the secure execution environment, and provide access to the website in response to a determination that the device-stored uniform resource identifier is valid and in response to a determination by the secure execution environment that the server-stored uniform resource identifier is valid.
  • Example 20 the subject matter of Example 19 may optionally include, wherein the website includes account information associated with an account of a user.
  • Example 21 the subject matter of one or any of Examples 19-
  • the determination that the device-stored uniform resource identifier is valid includes the authorization module arranged to compare the device-stored uniform resource identifier to the server-stored uniform resource identifier and find it valid if they match and invalid otherwise.
  • Example 22 the subject matter of one or any of Examples 19-21 may optionally include, wherein to receive the device-stored uniform resource identifier includes the authorization module arranged to receive an encryption of the device-stored uniform resource identifier.
  • Example 23 the subject matter of one or any of Examples 19-22 may optionally include, wherein to send the server-stored uniform resource identifier includes the authorization module arranged to send an encryption of the server-stored uniform resource identifier.
  • Example 24 the subject matter of one or any of Examples 19-
  • the authorization module is further arranged to receive a provisioning request from the device to configure the device to securely access the website, the provisioning request including credentials of a user having an account associated with the website, generate the device-stored uniform resource identifier in response to a determination that the credentials are valid and that the device is associated with the user, and send the device-stored uniform resource identifier to the secure execution environment.
  • Example 25 the subject matter of one or any of Examples 19-24 may optionally include, wherein to generate the device-stored uniform resource identifier includes the authorization module arranged to generate the device-stored uniform resource identifier based on a one-time password algorithm.
  • Example 26 the subject matter of one or any of Examples 19-
  • the request to access the website includes an indicator to use device-specific authentication
  • the authorization module is arranged to send the server-stored uniform resource identifier to the secure execution environment in response to the indicator.
  • Example 27 the subject matter of one or any of Examples 19-26 may optionally include, wherein to provide access to the website includes the authorization module arranged to provide access to the website for a particular period of time.
  • Example 28 may include, or may optionally be combined with the subject matter of one or any combination of Examples 1-27 to include, subject matter (such as a method, means for performing acts, or machine-readable medium including instructions that, when performed by a machine cause the machine to perform acts) comprising receiving at a server a device-stored web address stored at the secure environment, the device-stored web address being a web address specific to the device, the device arranged to use a client platform root of trust, sending from the server to the secure execution environment on the device a server-stored web address stored at the server, determining, via the server, whether the device-stored web address is valid, and providing access to the website if the device-stored web address is valid and if the secure execution environment of the device determines that the server-stored web address is valid.
  • Example 29 the subject matter of Example 28 may optionally include, wherein providing access to the website includes providing access to account information associated with an account of a user.
  • Example 30 the subject matter of one or any of Examples 28-29 may optionally include, wherein the device-stored web address is valid if the device-stored web address matches the server-stored web address.
  • Example 31 the subject matter of one or any of Examples 28-
  • sending the server-stored web address includes sending an encryption of the server-stored web address.
  • Example 32 the subject matter of one or any of Examples 28-
  • receiving the device-stored web address includes receiving an encryption of the device-stored web address.
  • Example 33 the subject matter of one or any of Examples 28-32 may optionally include, receiving at the server a request to configure the device to securely access the website including receiving credentials of a user having an account associated with the website, determining whether the credentials are valid and whether the device is associated with the user, generating the device-stored web address if the credentials are valid and if the device is associated with the user, and sending to the secure execution environment the device-stored web address, wherein the device-stored web address is stored at the secure execution environment.
  • Example 34 the subject matter of one or any of Examples 28-
  • the request to access the website includes an indicator indicating the secure execution environment stores the device-stored web address, the server-stored web address being sent based on the indicator.
  • Example 35 the subject matter of one or any of Examples 28-34 may optionally include, wherein providing access to the website includes providing access to the website for a period of time.
  • Example 36 the subject matter of one or any of Examples 28-35 may optionally include, denying, via the server, access to the website if the device-stored web address is invalid.

Abstract

Systems and methods for performing web authentication using a client platform root of trust are disclosed herein. Website and user validity and integrity may be authenticated based on the user device's attempt to access the website. A user device may securely access the website once the user device is successfully authenticated with a server. In an embodiment, the user device may perform an authentication of the website to ensure the website is a valid entity.

Description

WEB AUTHENTICATION USING CLIENT PLATFORM ROOT OF TRUST
BACKGROUND
[0001] Accessing personal information online has increasingly become commonplace, as it has become a convenient and efficient way to manage one's affairs. For example, users may access their bank accounts online to view balances and transactions, transfer money, pay bills, etc. Although the ability to access such information provides convenience, it also raises the potential of security threats to sensitive information.
[0002] One example of a threat to personal information is a phishing attack, in which a user may be taken to or redirected to a fake website to gather personal information such as a username, password, social security number, date of birth, credit card information, etc. For example, communications purporting to be from a popular social website, auction site, online payment processor, etc. may be used to lure an unsuspecting user into providing personal information.
[0003] Another example of a threat to personal information is a pharming attack, in which a user may be redirected to a fake website by a false domain name service (DNS) record, effectively redirecting the traffic from the intended website to the fake website. For example, this may be done by changing a DNS host file after breaching the DNS server.
[0004] Some techniques for preventing these attacks may include browser-based website verification performed via a browser plug-in. However, these verification techniques may be unable to prevent pharming attacks. In some cases, phishing may be avoided by using secure socket layer (SSL) or transport layer security (TLS) with strong public key infrastructure (PKI) encryption (e.g., using public key certificates), where a uniform resource identifier (URI) (e.g., a uniform resource locator (URL)) for a website is used as an identifier. Generally, secure authentication using SSL or TLS and certificates may include indicating that a connection is in authentication mode, indicating which website a user is connected to, and indicating which authority (e.g., certificate authority) authenticates the identity of the website. However, this authentication process may be easy to circumvent, because the authentication is typically confirmed by the user, introducing user error. Additionally, because these current techniques for preventing attacks are purely software-based, they may be ineffective against some threats to personal information (e.g., if the user's own computer is compromised).
BRIEF DESCRIPTION OF THE DRAWINGS
[0005] FIG. 1 illustrates an example of a system for utilizing a secure execution environment in accordance with example embodiments;
[0006] FIG. 2 illustrates an example of a method for provisioning a user device to securely access a website in accordance with example embodiments;
[0007] FIG. 3 illustrates an example of a method for securely accessing a website using a provisioned user device in accordance with example embodiments; and
[0008] FIG. 4 illustrates a block diagram of an example of a machine upon which any one or more of the techniques discussed herein may be performed in accordance with example embodiments.
DETAILED DESCRIPTION
[0009] The following description and the drawings sufficiently illustrate specific embodiments to enable those skilled in the art to practice them. Other embodiments may incorporate structural, logical, electrical, process, and other changes. Portions and features of some embodiments may be included in, or substituted for, those of other embodiments. Embodiments set forth in the claims encompass all available equivalents of those claims.
[0010] Several of the embodiments described herein provide techniques for web authentication using a client platform root of trust. When a user requests access to a website having personal information of the user, the server of the website may authenticate the user before allowing access. The website may be any website that a user may use to access personal information. For example, the website may be a bank website for accessing account information. The authentication may include authenticating the particular user device used to access the website. In an embodiment, the authentication of the user device may be performed using a secure execution environment on the user device. The secure execution environment may be a hidden environment (e.g., not visible or directly accessible, in whole or part, by the user, the operating system, or other applications running on the user device) on the user device upon which web authentication may occur.
[0011] Web authentication using a particular user device may occur by provisioning the particular user device to be authenticated with the server of the website. When provisioning a user device, a user may provide credentials used to log in to the website. The credentials used to log in to a website may be any credentials for a user that may help verify the identity of the user. Examples of credentials may include any one or more of the following: a username; a password; a social security number; an account number; a date of birth; credit card information; a billing address; a phone number; etc. Additionally, the server may determine whether the device belongs to the user. For example, the server may verify whether the user owns the device by determining whether the device is in a particular geographic area (e.g., address, building, city, state, global positioning system (GPS) coordinates, etc.) associated with the device or the user. After successful verifications, the server may generate a device-specific URI (e.g., a web address) specific to the user device. This device-specific URI may be stored in both the secure execution environment of the user device and at the server. The stored device-specific URI may be used for web authentication.
[0012] When a user attempts to access a website using a user device that has been provisioned for the website, the user may use the device-specific URI stored in the secure execution environment to access the website securely. The server may receive the device-specific URI from the secure execution environment of the device and may verify that the URI is valid for the device that is being used to access the website. Web authentication that includes a device-specific authorization module increases security by ensuring that the entity accessing the user's information is authorized to do so.
[0013] Additionally, the server may send the device-specific URI to the user device and the secure execution environment on the device may verify that the website that will be accessed is the intended website and not a fake website to which the user may have been redirected.
[0014] For example, FIG. 1 illustrates an example of a system 100 for using a secure execution environment 160. The system 100 may include a user device 110 in communication with a content web server 115 and an authorization server 120 via a network 105. In an embodiment, the authorization server 120 may include an authorization module arranged to perform any one or more of the operations of the authorization of the authorization server 120. The network 105 may be any communication network for communicating between entities (e.g., the Internet, local area network, etc.).
[0015] The user device 110 may be any user device arranged (e.g., configured) to access a website. User device 110 examples may include, but are not limited to: mobile devices (e.g., smartphones, portable digital assistants (PDAs), tablet computers); desktop computers; laptop computers; televisions; set-top boxes; media consoles; etc. The user device 110 may include one or more processors 125 in communication with a memory 135. The memory 135 may include any type of memory to store instructions executable by the one or more processors 125, applications, or operating systems of the user device 100. The memory 135 may also store data, such as in a filesystem (e.g., one or more data structures arranged to store files). The user device 110 may include one or more communication modules 130 (e.g., antenna, circuits arranged to enable Wi-Fi®, Wi-Max®, or cellular communications, etc.), a display module 140 (e.g., processing hardware, screen, etc.) arranged to display information to a user, a camera module 145 for capturing photos and/or video, and one or more input modules 150 arranged to receive inputs from a user (e.g., microphone, keypad, etc.). The user device 110 may include a platform sensor hub 155, which may be connected to, or include, inertial sensors, pressure sensors, ambient light sensors, proximity sensors, global positioning system (GPS) devices, etc.
[0016] The user device 110 may include a secure execution environment 160. The secure execution environment 160 may be arranged to provide host-independent tamper-proof secure computing and storage capabilities. The secure execution environment 160 may include one or more processors or instructions on machine (e.g., computer) readable media arranged to perform authentication of the user device 110 to a website. For example, the secure execution environment 160 may store the device-specific URI provisioned to the user device 110. In an embodiment, the secure execution environment 160 may store an encrypted version of the device-specific URI, such as a device-specific URL signature hash. The encrypted version of the device-specific URI may be encrypted using any type of encryption mechanism.
[0017] The components of the user device 110 may be contained within the user device 110 as one or more chips. In an embodiment, the user device 110 may contain one or more processors including: multi-core processors, main core processors, or ultra-low power core processors, etc.
[0018] The content web server 115 may be any web server arranged to provide access to one or more websites for an entity. For example, the content web server 115 may provide access to content including, for example, personal information, user accounts, etc.
[0019] The authorization server 120 may be any web server arranged to perform the authorization of the user device 110 (e.g., via an authorization module). The authorization server 120 may store user device information such as, tamper resistant software (TRS), the device-specific URI, encryption keys, etc. In an embodiment, the authorization server 120 may be a third-party server arranged to perform authorization for any number of content web servers from any number of entities. In an embodiment, the operations performed by the content web server 115 and the authorization server 120 may be performed by the same server (e.g., computer).
[0020] FIG. 2 illustrates an example of a method 200 for provisioning a user device 110 to securely access a website. In operation 205, the authorization server 120 may receive a request to provision the user device 110 to access a website securely. Receiving the request may include receiving user credentials from the user. The user credentials received may be any credentials for verifying the identity of the user (e.g., username, password, etc.).
[0021] In operation 210, the authorization server 120 may determine whether the credentials are valid. This may include determining whether the credentials match a particular user account of the website. If the credentials are not valid, in operation 215, the request to provision the device may be denied. In operation 220, if the credentials are valid, the authorization server 120 may determine whether the device is valid. In an embodiment, this may include determining whether the device to be provisioned is owned by the user. For example, the authorization server 120 may determine whether the geographical location of the device matches the location in which the user resides or receives service. If the device is not valid, in operation 215, the request to provision the device may be denied.
[0022] In operation 225, if the device is valid, the authorization server 120 may generate a device-specific URI for accessing the website. The device-specific URI may be generated using any mechanisms for generating a URI specific to a particular device, such as a random-number generator, a hash of an identifier of the user device 110, etc. In an embodiment, the device-specific URI is an encrypted web address specific to the user device 110 using any type of encryption. In operation 230, the authorization server 120 may store this device-specific URI. In an embodiment, the authorization server 120 may store one or more of encryption keys, identifiers for the user, identifiers for the user device 110, TRS-based root of trust, etc., for web authentication of the user device 110.
[0023] In operation 235, the authorization server 120 may send the device-specific URI and any encryption keys to the secure execution environment 160 of the user device 110. In operation 240, the secure execution environment 160 may store the device-specific URI and any encryption keys for web authentication with the website. This device-specific URI may be encrypted with the user device's public key such that only that specific user device may receive the URI signature for the device-specific URI securely.
[0024] FIG. 3 illustrates an example of a method 300 for securely accessing a website using a provisioned user device 110 storing a device-specific URI and any encryption keys at the secure execution environment 160. In operation 305, the secure execution environment 160 may send a request to access the website to the authorization server 120. In an embodiment, the request may include a hypertext transfer protocol (HTTP) header handshake. The request may also include a device-specific authentication indicator (e.g., flag) indicating that the extended security of the device-specific authentication is included in the header. For example, a user may request to visit a generic website for a bank (e.g., http://www.bankname.com). The request may include the device-specific authentication indicator indicating that extended security of the device-specific authentication should be used.
[0025] In operation 310, the authorization server 120 may determine whether the request includes a valid device-specific authentication indicator in the header. If the header does not properly include the device-specific authentication indicator, in operation 315, the authorization server 120 may direct the user to proceed with the credential check for a non-provisioned device (e.g., using TLS). For example, the user may log in to an account at the website using credentials for the non-extended security authentication (authentication that is not based on the user device 110). In an embodiment, if the header does not properly include the device-specific authentication indicator, the authorization server 120 may initiate the provisioning process (e.g., as described above). In an embodiment, if the header does not properly include the device-specific authentication indicator, the authorization server 120 may deny access to the website.
[0026] If the authorization server 120 determines that the header properly includes the indicator, in operation 320, the secure execution environment 160 may receive a request for the device-specific URI from the authorization server 120 (e.g., http://www.bankname.com/deviceURL012345). In operation 325, the secure execution environment 160 may send the device-stored device-specific URI to the authorization server 120 in response to the request of operation 320. In an embodiment, an encrypted device-specific URI (e.g., a URL signature hash) may be sent to the authorization server 120.
[0027] In operation 330, the secure execution environment 160 may receive the server-stored device-specific URI from the authorization server 120. This may be received so that the secure execution environment 160 may verify that the website to be accessed is the intended website and that the user has not been redirected to another website (e.g., as in a pharming attack).
[0028] In operation 335, the authorization server 120 may determine whether the device-stored URI is valid. A device-stored URI may be valid if it matches the device-specific URI stored at the authorization server 120. The authorization server 120 may decrypt the received device-stored URI using the encryption key stored at the authorization server 120. If the decrypted device-stored URI matches the URI stored at the authorization server 120, the device-stored URI may be determined to be valid. If the device-stored URI is determined to be invalid, in operation 340, the authorization server 120 may deny access to the website based on the device-specific web authentication. In an embodiment, the user may be directed to perform the non-extended security authentication credential check (e.g., as described in operation 315).
[0029] If the device-stored URI is determined to be valid, in operation 345, the secure execution environment 160 may also determine whether the received server-stored URI is valid. The secure execution environment 160 may decrypt the received server-stored URI using the encryption key stored at the secure execution environment 160. If the decrypted server-stored URI matches the URI stored at the secure execution environment 160, the server-stored URI may be determined to be valid. This may ensure that the user has not been redirected to another website (e.g., a malicious website). If the server-stored URI is determined to be invalid, in operation 350, the secure execution environment 160 may deny access to the website based on the device-specific web authentication. In an embodiment, the user may, instead of being denied access to the website, proceed with the non-extended security authentication credential check (e.g., as described in operation 315).
[0030] If the server-stored URI is determined to be valid, in operation 355, the user device 110 may securely access the website. In an embodiment, access may be automatic without requiring additional information from the user. In an embodiment, access may be provided after the user enters any requested user credentials. In an embodiment, the device-specific authentication may be an extension to SSL or TLS. In an embodiment, access to the website may be allowed based on a one-time password (OTP) process. For example, the authorization server 120 may send a URI that is valid to access the website for a particular (e.g., defined, temporary, etc.) period of time. The URI (e.g., OTP URI to provide website access during the particular period of time) may be generated by the authorization server 120 by appending a user device identifier and a timestamp for the time of authentication to the website's address. In an embodiment, the OTP URI may include the user device identifier and the timestamp based on an OTP algorithm such that the URI may only be used to access the website for the particular period of time.
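The provisioning flow of FIG. 2 and the two-sided check of FIG. 3 (operations 205 to 355), written out as an added Python example that is not part of the patent text. Assumptions: an HMAC-SHA256 tag stands in for the unspecified "encryption" of the URI, the direction labels and fresh nonces are additions of this example so a tag produced by one side cannot be reused as the other's, the ownership check is reduced to a `device_ok` boolean, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

SITE = "http://www.bankname.com"  # generic bank address used in the description


def tag(key, direction, nonce, uri):
    """HMAC-SHA256 over direction, nonce and URI (assumed stand-in for the URL signature hash)."""
    return hmac.new(key, direction + b"|" + nonce + b"|" + uri.encode(), hashlib.sha256).digest()


class AuthorizationServer:
    def __init__(self, accounts):
        self.accounts = accounts  # username -> password (constructed sample data)
        self.devices = {}         # device_id -> (device-specific URI, key)

    def provision(self, user, password, device_id, device_ok):
        # Operations 210 and 220: credential check, then device ownership check.
        stored = self.accounts.get(user)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return None           # operation 215: provisioning denied
        if not device_ok:
            return None
        # Operations 225 and 230: random device-specific URI, kept server-side.
        uri = f"{SITE}/deviceURL{secrets.token_hex(16)}"
        key = secrets.token_bytes(32)
        self.devices[device_id] = (uri, key)
        return uri, key           # operation 235: delivered to the secure environment

    def challenge(self, device_id, device_nonce):
        # Operation 330: show the device that this server holds the same URI.
        record = self.devices.get(device_id)
        if record is None:
            return b""
        uri, key = record
        return tag(key, b"server->device", device_nonce, uri)

    def validate_device(self, device_id, server_nonce, device_tag):
        # Operation 335: compare against the server-stored URI in constant time.
        record = self.devices.get(device_id)
        if record is None:
            return False
        uri, key = record
        return hmac.compare_digest(tag(key, b"device->server", server_nonce, uri), device_tag)


class SecureExecutionEnvironment:
    def __init__(self, device_id):
        self.device_id = device_id
        self._uri = None
        self._key = None

    def store(self, uri, key):
        self._uri, self._key = uri, key  # operation 240

    def provisioned(self):
        return self._uri is not None

    def respond(self, server_nonce):
        # Operation 325: send the protected device-stored URI.
        return tag(self._key, b"device->server", server_nonce, self._uri)

    def validate_server(self, device_nonce, server_tag):
        # Operation 345: compare against the device-stored URI.
        expected = tag(self._key, b"server->device", device_nonce, self._uri)
        return hmac.compare_digest(expected, server_tag)


class LookalikeServer(AuthorizationServer):
    """A site the user was redirected to: accepts any device, holds no provisioned URI."""

    def challenge(self, device_id, device_nonce):
        return tag(secrets.token_bytes(32), b"server->device", device_nonce, SITE)

    def validate_device(self, device_id, server_nonce, device_tag):
        return True


def access(see, server):
    if not see.provisioned():
        return "credential-check"        # operation 315: non-provisioned path
    server_nonce = secrets.token_bytes(16)
    device_nonce = secrets.token_bytes(16)
    device_tag = see.respond(server_nonce)
    server_tag = server.challenge(see.device_id, device_nonce)
    if not server.validate_device(see.device_id, server_nonce, device_tag):
        return "denied-by-server"        # operation 340
    if not see.validate_server(device_nonce, server_tag):
        return "denied-by-device"        # operation 350
    return "granted"                     # operation 355


if __name__ == "__main__":
    server = AuthorizationServer({"alice": "constructed-password"})
    see = SecureExecutionEnvironment("dev-1")
    see.store(*server.provision("alice", "constructed-password", "dev-1", device_ok=True))
    print(access(see, server), access(see, LookalikeServer({})))
```

Access is granted only when both comparisons succeed, so a redirected session fails on the device side even though the look-alike server accepts whatever the device sends.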
[0031] FIG. 4 illustrates a block diagram of an example of a machine 400 upon which any one or more of the techniques (e.g., methodologies) discussed herein may be performed. In alternative embodiments, the machine 400 may operate as a standalone device or may be connected (e.g., networked) to other machines. In a networked deployment, the machine 400 may operate in the capacity of a server machine, a client machine, or both in server-client network environments. In an example, the machine 400 may act as a peer machine in peer-to-peer (P2P) (or other distributed) network environment. The machine 400 may be a personal computer (PC), a tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a mobile telephone, a web appliance, a network router, switch or bridge, or any machine capable of executing instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while only a single machine is illustrated, the term "machine" shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein, such as cloud computing, software as a service (SaaS), other computer cluster configurations.
[0032] Examples, as described herein, may include, or may operate on, logic or a number of components, modules, or mechanisms. Modules are tangible entities capable of performing specified operations and may be configured or arranged in a certain manner. In an example, circuits may be arranged (e.g., internally or with respect to external entities such as other circuits) in a specified manner as a module. In an example, the whole or part of one or more computer systems (e.g., a standalone, client or server computer system) or one or more hardware processors may be configured by firmware or software (e.g., instructions, an application portion, or an application) as a module that operates to perform specified operations. In an example, the software may reside (1) on a non-transitory machine-readable medium or (2) in a transmission signal. In an example, the software, when executed by the underlying hardware of the module, causes the hardware to perform the specified operations.
[0033] Accordingly, the term "module" is understood to encompass a tangible entity, be that an entity that is physically constructed, specifically configured (e.g., hardwired), or temporarily (e.g., transitorily) configured (e.g., programmed) to operate in a specified manner or to perform part or all of any operation described herein. Considering examples in which modules are temporarily configured, each of the modules need not be instantiated at any one moment in time. For example, where the modules comprise a general-purpose hardware processor configured using software, the general-purpose hardware processor may be configured as respective different modules at different times. Software may accordingly configure a hardware processor, for example, to constitute a particular module at one instance of time and to constitute a different module at a different instance of time.
[0034] The machine (e.g., computer system) 400 may include at least one hardware processor 402 (e.g., a central processing unit (CPU), a graphics processing unit (GPU), a hardware processor core, or any combination thereof), a main memory 404, and a static memory 406, some or all of which may communicate with each other via an interlink 408 (e.g., a link or a bus). The machine 400 may further include a display device 410, an input device 412 (e.g., a keyboard), and a user interface (UI) navigation device 414 (e.g., a mouse). In an example, the display device 410, input device 412, and UI navigation device 414 may be a touch screen display. The machine 400 may additionally include a mass storage (e.g., drive unit) 416, a signal generation device 418 (e.g., a speaker), a network interface device 420, and one or more sensors 421, such as a global positioning system (GPS) sensor, compass, accelerometer, or other sensor. The machine 400 may include an output controller 428, such as a serial (e.g., universal serial bus (USB)), parallel, or other wired or wireless (e.g., infrared (IR)) connection to communicate with or control one or more peripheral devices (e.g., a printer, card reader, etc.).
[0035] The mass storage 416 may include a machine-readable storage medium 422 on which is stored one or more sets of data structures or instructions 424 (e.g., software) embodying or utilized by any one or more of the techniques or functions described herein. The instructions 424 may also reside, completely or at least partially, within the main memory 404, within static memory 406, or within the hardware processor 402 during execution thereof by the machine 400. In an example, one or any combination of the hardware processor 402, the main memory 404, the static memory 406, or the mass storage 416 may constitute machine readable media.
[0036] While the machine-readable storage medium 422 is illustrated as a single medium, the term "machine readable medium" may include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that are configured to store the one or more instructions 424.
[0037] The term "machine-readable storage medium" may include any tangible medium that is capable of storing, encoding, or carrying instructions for execution by the machine 400 and that cause the machine 400 to perform any one or more of the techniques of the present disclosure, or that is capable of storing, encoding or carrying data structures used by or associated with such instructions. Non-limiting machine-readable medium examples may include solid-state memories, and optical and magnetic media. Specific examples of machine-readable media may include: non-volatile memory, such as semiconductor memory devices (e.g., Electrically Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM)) and flash memory devices; magnetic disks, such as internal hard disks and removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks.
[0038] The instructions 424 may further be transmitted or received over a communications network 426 using a transmission medium via the network interface device 420 utilizing any one of a number of transfer protocols (e.g., frame relay, internet protocol (IP), transmission control protocol (TCP), user datagram protocol (UDP), hypertext transfer protocol (HTTP), etc.). Example communication networks may include a local area network (LAN), a wide area network (WAN), a packet data network (e.g., the Internet), mobile telephone networks (e.g., cellular networks), Plain Old Telephone (POTS) networks, and wireless data networks (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.11 family of standards known as Wi-Fi®, IEEE 802.16 family of standards known as WiMax®), peer-to-peer (P2P) networks, among others. In an example, the network interface device 420 may include one or more physical jacks (e.g., Ethernet, coaxial, or phone jacks) or one or more antennas to connect to the communications network 426. In an example, the network interface device 420 may include a plurality of antennas to wirelessly communicate using at least one of single-input multiple-output (SIMO), multiple-input multiple-output (MIMO), or multiple-input single-output (MISO) techniques. The term "transmission medium" shall be taken to include any intangible medium that is capable of storing, encoding or carrying instructions for execution by the machine 400, and includes digital or analog communications signals or other intangible medium to facilitate communication of such software.
ADDITIONAL NOTES AND EXAMPLES
[0039] Example 1 may include subject matter (such as an apparatus, device, machine, target machine, or system) comprising at least one processor and a secure execution environment. The at least one processor may be arranged to request a website and access the website in response to a website access initiation from an authorization module on a server. The secure execution environment may be arranged to store a device-stored uniform resource identifier, send the device-stored uniform resource identifier to the authorization module, receive a server-stored uniform resource identifier from the authorization module, and send a validity determination to the authorization module in response to a validation of the server-stored uniform resource identifier by the secure execution environment, the website access initiation being based on the validity determination.
[0040] In Example 2, the subject matter of Example 1 may optionally include, wherein to send the device-stored uniform resource identifier includes the secure execution environment arranged to send an encryption of the device-stored uniform resource identifier.
[0041] In Example 3, the subject matter of one or any of Examples 1-2 may optionally include, wherein the validation of the server-stored uniform resource identifier includes the server execution environment arranged to compare the server-stored uniform resource identifier to the device-stored uniform resource identifier and make the validity determination valid if they match and invalid otherwise.
[0042] In Example 4, the subject matter of one or any of Examples 1-3 may optionally include, wherein to receive the server-stored uniform resource identifier includes the server execution environment arranged to receive an encryption of the server-stored uniform resource identifier.
[0043] In Example 5, the subject matter of one or any of Examples 1-4 may optionally include, wherein to access the website includes the processor arranged to access account information associated with an account of a user of the device.
[0044] In Example 6, the subject matter of one or any of Examples 1-5 may optionally include, wherein the secure execution environment is further arranged to send a provisioning request to the authorization module to configure the device to securely access the website, the provisioning request including credentials of a user having an account associated with the website, and receive the device-stored uniform resource identifier after the authorization module has determined that the credentials are valid and that the device is associated with the user.
[0045] In Example 7, the subject matter of one or any of Examples 1-6 may optionally include, wherein the request includes an indicator to use device-specific authentication, the authorization module sending the server-stored uniform resource identifier based on the indicator.
[0046] In Example 8, the subject matter of one or any of Examples 1-7 may optionally include, wherein the device-stored uniform resource identifier is arranged to provide access to the website for a particular period of time.
[0047] In Example 9, the subject matter of one or any of Examples 1-8 may optionally include, wherein the secure execution environment is arranged to deny access to the website by the processor.
[0048] Example 10 may include, or may optionally be combined with the subject matter of one or any combination of Examples 1-9 to include, subject matter (such as a method, means for performing acts, or machine-readable medium including instructions that, when performed by a machine cause the machine to perform acts) comprising responsive to a request to access a website using a device having a secure execution environment, the device arranged to use a client platform root of trust, sending to a server a device-stored web address stored at the secure execution environment, the device-stored web address being specific to the device, receiving at the secure execution environment on the device, a server-stored web address stored at the server, the server-stored web address being specific to the device, determining, via the secure execution environment, whether the server-stored web address is valid, and initiating access to the website if the server-stored web address is valid and if the server determines that the device-stored web address is valid.
[0049] In Example 11, the subject matter of Example 10 may optionally include, wherein accessing the website includes accessing account information associated with an account of a user.
[0050] In Example 12, the subject matter of one or any of Examples 10-11 may optionally include, wherein the server-stored web address is valid if the server-stored web address matches the device-stored web address.
[0051] In Example 13, the subject matter of one or any of Examples 10-12 may optionally include, wherein sending the device-stored web address includes sending an encryption of the device-stored web address.
[0052] In Example 14, the subject matter of one or any of Examples 10-13 may optionally include, wherein receiving the server-stored web address includes receiving an encryption of the server-stored web address.
[0053] In Example 15, the subject matter of one or any of Examples 10-14 may optionally include, sending to the server a request to configure the device to securely access the website including sending credentials of a user having an account associated with the website, receiving at the secure execution environment the device-stored web address after the server has determined that the credentials are valid and that the device is associated with the user, and storing the device-stored web address at the secure execution environment.
[0054] In Example 16, the subject matter of one or any of Examples 10-15 may optionally include, wherein the request to access the website includes an indicator indicating the secure execution environment stores the device-stored web address, the server-stored web address being received based on the indicator.
[0055] In Example 17, the subject matter of one or any of Examples 10-16 may optionally include, wherein the access to the website is provided by the server for a period of time.
[0056] In Example 18, the subject matter of one or any of Examples 10-17 may optionally include denying, via the secure execution environment, access to the website if the server-stored web address is invalid.
[0057] Example 19 may include, or may optionally be combined with the subject matter of one or any combination of Examples 1-18 to include, subject matter (such as an apparatus, device, machine, or system) comprising an authorization module for device-specific web authentication. The authorization module may be arranged to receive a request to access a website from a device having a secure execution environment, receive a device-stored uniform resource identifier from the device, the device-stored uniform resource identifier being stored in the secure execution environment, send a server-stored uniform resource identifier to the secure execution environment, and provide access to the website in response to a determination that the device-stored uniform resource identifier is valid and in response to a determination by the secure execution environment that the server-stored uniform resource identifier is valid.
[0058] In Example 20, the subject matter of Example 19 may optionally include, wherein the website includes account information associated with an account of a user.
[0059] In Example 21, the subject matter of one or any of Examples 19-20 may optionally include, wherein the determination that the device-stored uniform resource identifier is valid includes the authorization module arranged to compare the device-stored uniform resource identifier to the server-stored uniform resource identifier and find it valid if they match and invalid otherwise.
[0060] In Example 22, the subject matter of one or any of Examples 19-21 may optionally include, wherein to receive the device-stored uniform resource identifier includes the authorization module arranged to receive an encryption of the device-stored uniform resource identifier.
[0061] In Example 23, the subject matter of one or any of Examples 19-22 may optionally include, wherein to send the server-stored uniform resource identifier includes the authorization module arranged to send an encryption of the server-stored uniform resource identifier.
[0062] In Example 24, the subject matter of one or any of Examples 19-23 may optionally include, wherein the authorization module is further arranged to receive a provisioning request from the device to configure the device to securely access the website, the provisioning request including credentials of a user having an account associated with the website, generate the device-stored uniform resource identifier in response to a determination that the credentials are valid and that the device is associated with the user, and send the device-stored uniform resource identifier to the secure execution environment.
[0063] In Example 25, the subject matter of one or any of Examples 19-24 may optionally include, wherein to generate the device-stored uniform resource identifier includes the authorization module arranged to generate the device-stored uniform resource identifier based on a one-time password algorithm.
[0064] In Example 26, the subject matter of one or any of Examples 19-25 may optionally include, wherein the request to access the website includes an indicator to use device-specific authentication, and wherein the authorization module is arranged to send the server-stored uniform resource identifier to the secure execution environment in response to the indicator.
[0065] In Example 27, the subject matter of one or any of Examples 19-26 may optionally include, wherein to provide access to the website includes the authorization module arranged to provide access to the website for a particular period of time.
[0066] Example 28 may include, or may optionally be combined with the subject matter of one or any combination of Examples 1-27 to include, subject matter (such as a method, means for performing acts, or machine-readable medium including instructions that, when performed by a machine cause the machine to perform acts) comprising receiving at a server a device-stored web address stored at the secure environment, the device-stored web address being a web address specific to the device, the device arranged to use a client platform root of trust, sending from the server to the secure execution environment on the device a server-stored web address stored at the server, determining, via the server, whether the device-stored web address is valid, and providing access to the website if the device-stored web address is valid and if the secure execution environment of the device determines that the server-stored web address is valid.
[0067] In Example 29, the subject matter of Example 28 may optionally include, wherein providing access to the website includes providing access to account information associated with an account of a user.
[0068] In Example 30, the subject matter of one or any of Examples 28-29 may optionally include, wherein the device-stored web address is valid if the device-stored web address matches the server-stored web address.
[0069] In Example 31, the subject matter of one or any of Examples 28-30 may optionally include, wherein sending the server-stored web address includes sending an encryption of the server-stored web address.
[0070] In Example 32, the subject matter of one or any of Examples 28-31 may optionally include, wherein receiving the device-stored web address includes receiving an encryption of the device-stored web address.
[0071] In Example 33, the subject matter of one or any of Examples 28-32 may optionally include, receiving at the server a request to configure the device to securely access the website including receiving credentials of a user having an account associated with the website, determining whether the credentials are valid and whether the device is associated with the user, generating the device-stored web address if the credentials are valid and if the device is associated with the user, and sending to the secure execution environment the device-stored web address, wherein the device-stored web address is stored at the secure execution environment.
[0072] In Example 34, the subject matter of one or any of Examples 28-33 may optionally include, wherein the request to access the website includes an indicator indicating the secure execution environment stores the device-stored web address, the server-stored web address being sent based on the indicator.
[0073] In Example 35, the subject matter of one or any of Examples 28-34 may optionally include, wherein providing access to the website includes providing access to the website for a period of time.
[0074] In Example 36, the subject matter of one or any of Examples 28-35 may optionally include, denying, via the server, access to the website if the device-stored web address is invalid.
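The two-sided check these Examples describe (provisioning, then each side comparing the other's stored URI and access being granted only when both agree) can be modelled as below. This is an added illustration, not code from the patent: the class and method names, the random-token URI format and the constructed account data are assumptions, and the optional encryption of the URIs in transit is left out.

```python
import hmac
import secrets


def _same(a, b):
    """Constant-time equality that treats a missing value as a mismatch."""
    return a is not None and b is not None and hmac.compare_digest(a.encode(), b.encode())


class AuthorizationServer:
    def __init__(self, website, accounts, device_owners):
        self.website = website
        self._accounts = accounts            # user -> password (constructed demo data;
                                             # a real server verifies a password hash)
        self._device_owners = device_owners  # device_id -> user
        self._uris = {}                      # device_id -> server-stored URI

    def provision(self, device_id, user, password):
        """Issue a device-specific URI only for valid credentials on the user's device."""
        if not _same(self._accounts.get(user), password):
            return None
        if self._device_owners.get(device_id) != user:
            return None
        uri = f"{self.website}/device/{secrets.token_urlsafe(32)}"
        self._uris[device_id] = uri
        return uri

    def server_stored_uri(self, device_id):
        return self._uris.get(device_id)

    def device_uri_is_valid(self, device_id, presented):
        return _same(self._uris.get(device_id), presented)


class AcceptAnythingServer(AuthorizationServer):
    """Test fixture: a server that never provisioned the device yet approves it."""

    def server_stored_uri(self, device_id):
        return f"{self.website}/device/unknown"

    def device_uri_is_valid(self, device_id, presented):
        return True


class SecureExecutionEnvironment:
    def __init__(self, device_id):
        self.device_id = device_id
        self._uri = None  # device-stored URI, held inside the secure environment

    def store(self, uri):
        self._uri = uri

    def device_stored_uri(self):
        return self._uri

    def server_uri_is_valid(self, presented):
        return _same(self._uri, presented)


def request_access(see, server):
    """Exchange the stored URIs; access requires a valid verdict from both sides."""
    device_uri = see.device_stored_uri()
    server_uri = server.server_stored_uri(see.device_id)
    see_valid = see.server_uri_is_valid(server_uri)
    server_valid = server.device_uri_is_valid(see.device_id, device_uri)
    return {"see_valid": see_valid, "server_valid": server_valid,
            "access": see_valid and server_valid}
```

The `AcceptAnythingServer` case shows why the device-side verdict matters: the server approves the device, but the secure execution environment rejects the server's URI, so no access is initiated.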
[0075] The above detailed description includes references to the accompanying drawings, which form a part of the detailed description. The drawings show, by way of illustration, specific embodiments in which the invention may be practiced. These embodiments are also referred to herein as "examples." Such examples may include elements in addition to those shown or described. However, the present inventors also contemplate examples in which only those elements shown or described are provided. Moreover, the present inventors also contemplate examples using any combination or permutation of those elements shown or described (or one or more aspects thereof), either with respect to a particular example (or one or more aspects thereof), or with respect to other examples (or one or more aspects thereof) shown or described herein.
[0076] In this document, the terms "a" or "an" are used, as is common in patent documents, to include one or more than one, independent of any other instances or usages of "at least one" or "one or more." In this document, the term "or" is used to refer to a nonexclusive or, such that "A or B" includes "A but not B," "B but not A," and "A and B," unless otherwise indicated. In the appended claims, the terms "including" and "in which" are used as the plain-English equivalents of the respective terms "comprising" and "wherein." Also, in the following claims, the terms "including" and "comprising" are open-ended, that is, a system, device, article, or process that includes elements in addition to those listed after such a term in a claim are still deemed to fall within the scope of that claim. Moreover, in the following claims, the terms "first," "second," and "third," etc. are used merely as labels, and are not intended to impose numerical requirements on their objects.
[0077] The above description is intended to be illustrative, and not restrictive. For example, the above-described examples (or one or more aspects thereof) may be used in combination with each other. Other embodiments may be used, such as by one of ordinary skill in the art upon reviewing the above description.
[0078] The Abstract is provided to comply with 37 C.F.R. § 1.72(b), to allow the reader to quickly ascertain the nature of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims. Also, in the above Detailed Description, various features may be grouped together to streamline the disclosure. This should not be interpreted as intending that an unclaimed disclosed feature is essential to any claim. Rather, inventive subject matter may lie in less than all features of a particular disclosed embodiment. Thus, the following claims are hereby incorporated into the Detailed Description, with each claim standing on its own as a separate embodiment. The scope of the invention should be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.

Claims

What is claimed is:
1. A device for device-specific web authentication, the device comprising: at least one processor arranged to:
request a website; and
access the website in response to a website access initiation from an authorization module on a server; and
a secure execution environment arranged to:
store a device-stored uniform resource identifier;
send the device-stored uniform resource identifier to the authorization module;
receive a server-stored uniform resource identifier from the authorization module; and
send a validity determination to the authorization module in response to a validation of the server-stored uniform resource identifier by the secure execution environment, the website access initiation being based on the validity determination.
2. The device of claim 1, wherein to send the device-stored uniform resource identifier includes the secure execution environment arranged to send an encryption of the device-stored uniform resource identifier.
3. The device of claim 1, wherein the validation of the server-stored uniform resource identifier includes the server execution environment arranged to compare the server-stored uniform resource identifier to the device-stored uniform resource identifier and make the validity determination valid if they match and invalid otherwise.
4. The device of claim 1, wherein to receive the server-stored uniform resource identifier includes the server execution environment arranged to receive an encryption of the server-stored uniform resource identifier.
5. The device of claim 1, wherein to access the website includes the processor arranged to access account information associated with an account of a user of the device.
6. The device of claim 1, wherein the secure execution environment is further arranged to:
send a provisioning request to the authorization module to configure the device to securely access the website, the provisioning request including credentials of a user having an account associated with the website; and
receive the device-stored uniform resource identifier after the authorization module has determined that the credentials are valid and that the device is associated with the user.
7. The device of claim 1, wherein the request includes an indicator to use device-specific authentication, the authorization module sending the server-stored uniform resource identifier based on the indicator.
8. The device of claim 1, wherein the device-stored uniform resource identifier is arranged to provide access to the website for a particular period of time.
9. The device of any one of claims 1 to 8, wherein the secure execution environment is arranged to deny access to the website by the processor.
10. A method for web authentication, the method comprising:
responsive to a request to access a website using a device having a secure execution environment, the device arranged to use a client platform root of trust, sending to a server a device-stored web address stored at the secure execution environment, the device-stored web address being specific to the device;
receiving at the secure execution environment on the device, a server-stored web address stored at the server, the server-stored web address being specific to the device;
determining, via the secure execution environment, whether the server-stored web address is valid; and
initiating access to the website if the server-stored web address is valid and if the server determines that the device-stored web address is valid.
11. The method of claim 10, wherein accessing the website includes accessing account information associated with an account of a user.
12. The method of claim 10, wherein the server-stored web address is valid if the server-stored web address matches the device-stored web address.
13. The method of claim 10, wherein sending the device-stored web address includes sending an encryption of the device-stored web address.
14. The method of claim 10, wherein receiving the server-stored web address includes receiving an encryption of the server-stored web address.
15. The method of claim 10, further comprising:
sending to the server a request to configure the device to securely access the website including sending credentials of a user having an account associated with the website;
receiving at the secure execution environment the device-stored web address after the server has determined that the credentials are valid and that the device is associated with the user; and
storing the device-stored web address at the secure execution environment.
16. The method of claim 10, wherein the request to access the website includes an indicator indicating the secure execution environment stores the device-stored web address, the server-stored web address being received based on the indicator.
17. The method of claim 10, wherein the access to the website is provided by the server for a period of time.
18. The method of claim 10, further comprising denying, via the secure execution environment, access to the website if the server-stored web address is invalid.
19. At least one machine-readable medium comprising a plurality of instructions that, in response to being executed on a computing device, cause the computing device to perform the method according to any one of claims 10 to 18.
20. An apparatus including at least one processor arranged to perform the method according to any one of claims 10 to 18.
21. An authorization module for device-specific web authentication, the authorization module arranged to:
receive a request to access a website from a device having a secure execution environment;
receive a device-stored uniform resource identifier from the device, the device-stored uniform resource identifier being stored in the secure execution environment;
send a server-stored uniform resource identifier to the secure execution environment; and
provide access to the website in response to a determination that the device-stored uniform resource identifier is valid and in response to a determination by the secure execution environment that the server-stored uniform resource identifier is valid.
22. The authorization module of claim 21, wherein the website includes account information associated with an account of a user.
23. The authorization module of claim 21, wherein the determination that the device-stored uniform resource identifier is valid includes the authorization module arranged to compare the device-stored uniform resource identifier to the server-stored uniform resource identifier and find it valid if they match and invalid otherwise.
24. The authorization module of claim 21, wherein to receive the device-stored uniform resource identifier includes the authorization module arranged to receive an encryption of the device-stored uniform resource identifier.
25. The authorization module of claim 21, wherein to send the server-stored uniform resource identifier includes the authorization module arranged to send an encryption of the server-stored uniform resource identifier.
26. The authorization module of claim 21, wherein the authorization module is further arranged to:
receive a provisioning request from the device to configure the device to securely access the website, the provisioning request including credentials of a user having an account associated with the website;
generate the device-stored uniform resource identifier in response to a determination that the credentials are valid and that the device is associated with the user; and
send the device-stored uniform resource identifier to the secure execution environment.
27. The authorization module of claim 26, wherein to generate the device-stored uniform resource identifier includes the authorization module arranged to generate the device-stored uniform resource identifier based on a one-time password algorithm.
28. The authorization module of claim 21, wherein the request to access the website includes an indicator to use device-specific authentication, and wherein the authorization module is arranged to send the server-stored uniform resource identifier to the secure execution environment in response to the indicator.
29. The authorization module of any one of claims 21 to 29, wherein to provide access to the website includes the authorization module arranged to provide access to the website for a particular period of time.
30. A method for web authentication, the method comprising:
receiving at a server a device-stored web address stored at the secure environment, the device-stored web address being a web address specific to the device, the device arranged to use a client platform root of trust;
sending from the server to the secure execution environment on the device a server-stored web address stored at the server;
determining, via the server, whether the device-stored web address is valid; and
providing access to the website if the device-stored web address is valid and if the secure execution environment of the device determines that the server-stored web address is valid.
31. The method of claim 30, wherein providing access to the website includes providing access to account information associated with an account of a user.
32. The method of claim 30, wherein the device-stored web address is valid if the device-stored web address matches the server-stored web address.
33. The method of claim 30, wherein sending the server-stored web address includes sending an encryption of the server-stored web address.
34. The method of claim 30, wherein receiving the device-stored web address includes receiving an encryption of the device-stored web address.
35. The method of claim 30, further comprising: receiving at the server a request to configure the device to securely access the website including receiving credentials of a user having an account associated with the website;
determining whether the credentials are valid and whether the device is associated with the user;
generating the device-stored web address if the credentials are valid and if the device is associated with the user; and
sending to the secure execution environment the device-stored web address, wherein the device-stored web address is stored at the secure execution environment.
36. The method of claim 30, wherein the request to access the website includes an indicator indicating the secure execution environment stores the device-stored web address, the server-stored web address being sent based on the indicator.
37. The method of claim 30, wherein providing access to the website includes providing access to the website for a period of time.
38. The method of claim 30, further comprising denying, via the server, access to the website if the device-stored web address is invalid.
39. At least one machine-readable medium comprising a plurality of instructions that, in response to being executed on a computing device, cause the computing device to perform the method according to any one of claims 30 to 38.
40. An apparatus including at least one processor arranged to perform the method according to any one of claims 30 to 38.
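The exchange recited in claims 30 to 38, sketched as an added example; it is not code from the patent or its applicant. The class names, the `bank.example.test` host, the `check_credentials` callable and the 300-second grant are assumptions, an HMAC-SHA256 over a per-device counter stands in for the claimed "one-time password algorithm", and the encryption of the addresses in transit (claims 33 and 34) is left out.

```python
import hashlib
import hmac
import secrets
import time

GRANT_SECONDS = 300  # assumed length of the access period (claim 37)

class SecureExecutionEnvironment:
    """Stand-in for the device's secure execution environment."""
    def __init__(self):
        self.device_stored = None

    def validate(self, server_stored):
        # Device-side check of the address the server sent (claim 30).
        return self.device_stored is not None and hmac.compare_digest(
            self.device_stored.encode(), server_stored.encode())

class Server:
    def __init__(self, check_credentials, device_owner):
        self.check_credentials = check_credentials  # callable(user, secret) -> bool
        self.device_owner = device_owner            # device_id -> user
        self.key = secrets.token_bytes(32)
        self.counter = 0
        self.server_stored = {}                     # device_id -> web address

    def provision(self, user, secret, device_id, see):
        # Claim 35: generate only for valid credentials on the user's own device.
        if not self.check_credentials(user, secret):
            return False
        if self.device_owner.get(device_id) != user:
            return False
        self.counter += 1
        msg = f"{device_id}:{self.counter}".encode()
        token = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]
        address = f"https://bank.example.test/d/{token}"  # hypothetical host
        self.server_stored[device_id] = address
        see.device_stored = address
        return True

    def access(self, device_id, presented, see, now=None):
        # Claims 30 and 32: the server matches the presented address to its copy.
        expected = self.server_stored.get(device_id)
        if expected is None or not hmac.compare_digest(
                expected.encode(), presented.encode()):
            return None  # claim 38: deny
        if not see.validate(expected):  # in-process stand-in for the device's check
            return None
        start = time.time() if now is None else now
        return start + GRANT_SECONDS  # expiry time of the time-limited grant
```

`access` returns the expiry timestamp of the grant, or `None` when either side rejects the other's address.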
PCT/US2011/067592 2011-12-28 2011-12-28 Web authentication using client platform root of trust WO2013100967A1 (en)

Priority Applications (6)

Application Number Priority Date Filing Date Title
EP11878354.7A EP2798772A4 (en) 2011-12-28 2011-12-28 Web authentication using client platform root of trust
CN201180075948.8A CN104025503B (en) 2011-12-28 2011-12-28 Use the webpage certification of client platform root of trust
PCT/US2011/067592 WO2013100967A1 (en) 2011-12-28 2011-12-28 Web authentication using client platform root of trust
US13/992,811 US9887997B2 (en) 2011-12-28 2011-12-28 Web authentication using client platform root of trust
JP2014550250A JP5850382B2 (en) 2011-12-28 2011-12-28 Client platform trust root with web authentication
TW101148119A TWI477137B (en) 2011-12-28 2012-12-18 Web authentication using client platform root of trust

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2011/067592 WO2013100967A1 (en) 2011-12-28 2011-12-28 Web authentication using client platform root of trust

Publications (1)

Publication Number Publication Date
WO2013100967A1 true WO2013100967A1 (en) 2013-07-04

Family

ID=48698210

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2011/067592 WO2013100967A1 (en) 2011-12-28 2011-12-28 Web authentication using client platform root of trust

Country Status (6)

Country Link
US (1) US9887997B2 (en)
EP (1) EP2798772A4 (en)
JP (1) JP5850382B2 (en)
CN (1) CN104025503B (en)
TW (1) TWI477137B (en)
WO (1) WO2013100967A1 (en)

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9444872B2 (en) * 2012-12-14 2016-09-13 Tencent Technology (Shenzhen) Company Limited Method, server and system for data sharing
US9224030B2 (en) * 2014-01-10 2015-12-29 Qualcomm Incorporated Sensor identification
CN105376203B (en) * 2014-08-26 2019-11-05 阿里巴巴集团控股有限公司 The processing method of interactive information, apparatus and system
US10110754B2 (en) * 2014-09-25 2018-10-23 Verizon Patent And Licensing Inc. Provisioning a trial service to a mobile device
US9760501B2 (en) * 2014-11-05 2017-09-12 Google Inc. In-field smart device updates
WO2016153431A1 (en) * 2015-03-26 2016-09-29 Einnovations Holdings Pte. Ltd. System and method for facilitating remittance
US9800580B2 (en) 2015-11-16 2017-10-24 Mastercard International Incorporated Systems and methods for authenticating an online user using a secure authorization server
KR101792862B1 (en) * 2015-12-23 2017-11-20 주식회사 케이티 Authentication apparatus based on biometric information, control server, and login method based on biometric information thereof
CN107104993A (en) * 2016-02-19 2017-08-29 中国移动通信集团公司 A kind of transmission of Uniform Resource Identifier, preparation method and device
US9747378B1 (en) * 2016-08-09 2017-08-29 Afilias Plc Linked web presence pages associated with a top level domain
TWI615734B (en) * 2016-12-12 2018-02-21 Chunghwa Telecom Co Ltd Key management method for virtual smart card applied to mobile device
KR102441023B1 (en) * 2016-12-30 2022-09-06 주식회사 케이티 System and method for providing one time web service
JP7227919B2 (en) * 2017-06-16 2023-02-22 クリプトグラフィ リサーチ, インコーポレイテッド Internet of Things (IOT) device management
US11290466B2 (en) * 2017-08-16 2022-03-29 Cable Television Laboratories, Inc. Systems and methods for network access granting
US11392711B2 (en) 2019-03-21 2022-07-19 Microsoft Technology Licensing, Llc Authentication state-based permission model for a file storage system

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060179315A1 (en) * 2005-02-08 2006-08-10 Fujitsu Limited System and method for preventing fraud of certification information, and recording medium storing program for preventing fraud of certification information
US20080028444A1 (en) * 2006-07-27 2008-01-31 William Loesch Secure web site authentication using web site characteristics, secure user credentials and private browser
US20080109657A1 (en) 2006-11-06 2008-05-08 Siddharth Bajaj Web site authentication
WO2008064403A1 (en) 2006-11-27 2008-06-05 Emue Holdings Pty Ltd Remote service authentication method
US20080270571A1 (en) * 2007-04-30 2008-10-30 Walker Philip M Method and system of verifying permission for a remote computer system to access a web page
US20100100935A1 (en) * 2007-01-26 2010-04-22 Junichi Sato Content distribution system, content distribution method and program
US20110145930A1 (en) * 2009-12-14 2011-06-16 International Business Machines Corporation Method, Program Product and Server for Controlling a Resource Access to an Electronic Resource Stored Within a Protected Data

Family Cites Families (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7107610B2 (en) * 2001-05-11 2006-09-12 Intel Corporation Resource authorization
US7698389B2 (en) * 2001-05-16 2010-04-13 Hewlett-Packard Development Company, L.P. Device configuration in a distributed environment
US7362698B2 (en) 2004-01-22 2008-04-22 International Business Machines Corporation Method, system and service for achieving synchronous communication responsive to dynamic status
JP4698239B2 (en) * 2005-01-31 2011-06-08 エヌ・ティ・ティ・ソフトウェア株式会社 Web site impersonation detection method and program
US20070174630A1 (en) * 2005-02-21 2007-07-26 Marvin Shannon System and Method of Mobile Anti-Pharming and Improving Two Factor Usage
JP5044784B2 (en) * 2007-01-30 2012-10-10 ヤフー株式会社 Method and server for authenticating a user
US8352743B2 (en) * 2007-02-07 2013-01-08 Nippon Telegraph And Telephone Corporation Client device, key device, service providing apparatus, user authentication system, user authentication method, program, and recording medium
JP4942101B2 (en) * 2007-04-17 2012-05-30 株式会社セキュアブレイン Authentication system and authentication program
US7979899B2 (en) * 2008-06-02 2011-07-12 Microsoft Corporation Trusted device-specific authentication
JP5258422B2 (en) 2008-07-01 2013-08-07 Kddi株式会社 Mutual authentication system, mutual authentication method and program
JP5341481B2 (en) * 2008-11-13 2013-11-13 三菱電機ビルテクノサービス株式会社 Web page access authentication device
US8468582B2 (en) * 2009-02-03 2013-06-18 Inbay Technologies Inc. Method and system for securing electronic transactions
US8510811B2 (en) * 2009-02-03 2013-08-13 InBay Technologies, Inc. Network transaction verification and authentication
US20100241865A1 (en) * 2009-03-19 2010-09-23 Chunghwa Telecom Co., Ltd One-Time Password System Capable of Defending Against Phishing Attacks
JP2011076195A (en) * 2009-09-29 2011-04-14 Triworks Corp Japan Member management server device and system using membership card with unique url information written thereon and mobile phone terminal
US8776169B2 (en) * 2010-03-30 2014-07-08 Authentic8, Inc. Disposable browsers and authentication techniques for a secure online user environment
KR101581606B1 (en) * 2011-12-16 2015-12-30 인텔 코포레이션 Secure user attestation and authentication to a remote server
WO2013100918A1 (en) * 2011-12-27 2013-07-04 Intel Corporation Authenticating to a network via a device-specific one time password
CN104025503B (en) 2011-12-28 2017-07-28 英特尔公司 Use the webpage certification of client platform root of trust
US8893255B1 (en) * 2013-10-23 2014-11-18 Iboss, Inc. Device authentication using device-specific proxy addresses

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP2798772A4 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9887997B2 (en) 2011-12-28 2018-02-06 Intel Corporation Web authentication using client platform root of trust
CN104519042A (en) * 2013-09-30 2015-04-15 瞻博网络公司 Detecting and preventing man-in-the-middle attacks on encrypted connection
CN104519042B (en) * 2013-09-30 2018-03-06 瞻博网络公司 Detect and prevent the man-in-the-middle attack on encryption connection
US10171250B2 (en) 2013-09-30 2019-01-01 Juniper Networks, Inc. Detecting and preventing man-in-the-middle attacks on an encrypted connection
WO2018019134A1 (en) * 2016-07-29 2018-02-01 华为技术有限公司 Verification code short message processing method and terminal

Also Published As

Publication number Publication date
CN104025503B (en) 2017-07-28
EP2798772A4 (en) 2015-10-21
US9887997B2 (en) 2018-02-06
JP2015503792A (en) 2015-02-02
TW201347499A (en) 2013-11-16
JP5850382B2 (en) 2016-02-03
CN104025503A (en) 2014-09-03
EP2798772A1 (en) 2014-11-05
US20140289831A1 (en) 2014-09-25
TWI477137B (en) 2015-03-11

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 11878354; Country of ref document: EP; Kind code of ref document: A1)
WWE Wipo information: entry into national phase (Ref document number: 2011878354; Country of ref document: EP)
WWE Wipo information: entry into national phase (Ref document number: 13992811; Country of ref document: US)
ENP Entry into the national phase (Ref document number: 2014550250; Country of ref document: JP; Kind code of ref document: A)
NENP Non-entry into the national phase (Ref country code: DE)