WO2017153990A1 - System and method for device authentication using hardware and software identifiers - Google Patents


Info

Publication number
WO2017153990A1
Authority
WO
WIPO (PCT)
Prior art keywords
computing device
identifier
ipvx
processor
unique
Application number
PCT/IL2017/050286
Other languages
English (en)
Inventor
Chaim Menachem KAWE
Ziv Meron HADAD
Idan Avraham EISENBERG
Original Assignee
Protectivx Ltd.
Application filed by Protectivx Ltd.
Publication of WO2017153990A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/71 Hardware identity

Definitions

  • The present invention relates to communication systems. More particularly, the present invention relates to authentication of data using IPvX identifiers.
  • Mobile devices are considered one of the weakest links in corporate security. Mobile phone security is particularly challenging because such devices are designed to connect in many different ways. Whether it is a text message, email, web browsing, Bluetooth or near-field communication (NFC) connectivity, each method of communication is a potential attack route. Phones are also often set to connect automatically and display quick preview images, data or text. This makes it possible to exploit a system without the recipient opening or 'clicking' anything. Device security can also be compromised during production, as happened in 2014 when a factory-installed "Trojan horse" was found on a smartphone that enabled hackers to operate the phone remotely and, being embedded at the factory, could not be removed.
  • The disclosed invention describes systems and methods for authenticating network devices and their legitimate users. Such systems and methods may be implemented and effectively used, among other purposes, for securing connected devices and networks from hacking and/or other attacks.
  • A method of authenticating the identity of a computing device includes determining, by a processor, a unique identifier of the computing device, wherein the unique identifier corresponds to at least one media access control (MAC) address of the computing device; determining, by the processor, an IPvX identifier for the computing device, wherein the IPvX identifier corresponds to the determined unique identifier of the computing device; and authenticating, by the processor, the determined IPvX identifier with data received from the computing device.
  • The method further includes storing the determined IPvX identifier as an initial key store. In some embodiments, the method further includes determining at least one MAC address of the computing device, and transmitting the at least one MAC address to a remote server.
  • The method further includes encrypting, by an encryption engine, at least one of a hardware identifier and a software identifier of the computing device, and modifying the MAC identifier based on the output of the encryption. In some embodiments, the method further includes determining an initial key store based on the at least one MAC address of the computing device.
  • A method of authenticating the identity of a computing device includes storing, in a memory, a unique network identifier of the computing device; determining, by a processor, a first identifier of the computing device, the first identifier being a function of the unique network identifier and data from at least one of a hardware component and a software component associated with the computing device; receiving, from the computing device, data associated with the unique network identifier, and receiving from the computing device the data from at least one of the hardware component and the software component associated with the computing device; determining, by the processor, a second identifier, the second identifier being a function of the unique network identifier and of the data from at least one of the hardware component and the software component associated with the computing device; comparing, by the processor, the first identifier to the second identifier; and issuing a signal of an authentication of the computing device if the comparing indicates that the first identifier matches the second
  • The unique network identifier includes at least one of a media access control (MAC) address and an IPvX identifier.
  • The method further includes calculating the IPvX identifier using the MAC address.
  • The first identifier is a function of the IPvX identifier and the data from at least one of the hardware component and the software component associated with the computing device.
  • The first identifier is stored remotely from the computing device. In some embodiments, the method further includes performing remote server virtualization.
  • A system for authenticating the identity of a device includes at least one processor and a memory, wherein the memory is configured to store a unique network identifier of the computing device, and wherein the at least one processor is configured to calculate an IPvX identifier for the computing device using a media access control (MAC) address of the computing device, calculate a modified IPvX for the device using the IPvX identifier and a unique identifier of at least one of a hardware component and a software component of the computing device, store in the memory the modified IPvX in association with the computing device, compare the stored modified IPvX identifier to data received from the computing device upon an authentication of the computing device, and issue a signal of an authentication of the computing device upon indication that the stored modified IPvX matches the data received from the computing device.
  • The system further includes a plurality of remote servers, and the at least one processor is further configured to route a plurality of comparisons among the plurality of remote servers. In some embodiments, the at least one processor is further configured to scan at least one communication port of the computing device to detect more than a single MAC address. In some embodiments, at least one of the plurality of remote servers includes a memory configured to store at least one unique identifier of the computing device.
  • At least one of the plurality of remote servers is a virtual server.
  • The system may be installed in an access layer.
  • The system may be installed in a virtual private cloud.
  • The system further includes an encryption engine configured to encrypt at least one of a hardware identifier and a software identifier of the computing device and modify the IPvX identifier based on the output of the encryption.
  • FIG. 1 is a schematic illustration of a communication system in accordance with an embodiment of the invention.
  • FIG. 2 shows a flowchart for a method of indexing software and hardware identifiers and creating a key store for authentication, according to one embodiment of the present invention.
  • FIG. 3 shows a flowchart of an authentication process, according to embodiments of the present invention.
  • FIG. 4 shows a flowchart for registration of a computing device with corresponding key stores, according to embodiments of the present invention.
  • FIG. 5 shows a flowchart for adding and/or removing devices from the server, according to embodiments of the present invention.
  • Fig. 6 shows the structure of an IPvX data packet, according to embodiments of the present invention.
  • Fig. 7A shows a lookup table for an authentication process, according to embodiments of the present invention.
  • Fig. 7B shows a lookup table for another authentication process, according to embodiments of the present invention.
  • FIG. 8 shows an example for the indexing method in Fig. 7B, according to embodiments of the present invention.
  • FIG. 9 shows a flowchart for an authentication method, according to embodiments of the present invention.
  • FIG. 10 shows a flowchart for authentication confirmation, according to embodiments of the present invention.
  • Fig. 11 shows a block diagram of a device identification management system (DIMS), according to embodiments of the present invention.
  • FIG. 12 schematically illustrates the structure of virtual machine (VM) architecture, according to some embodiments.
  • FIG. 13 schematically illustrates the structure of secure containers, according to embodiments of the present invention.
  • Fig. 14 schematically illustrates the structure of Microsoft data center architecture, according to embodiments of the present invention.
  • Fig. 15 schematically illustrates the structure of Cisco secure data center architecture, according to embodiments of the present invention.
  • The terms “plurality” and “a plurality” as used herein may include, for example, “multiple” or “two or more”.
  • The terms “plurality” or “a plurality” may be used throughout the specification to describe two or more components, devices, elements, units, parameters, or the like.
  • The method embodiments described herein are not constrained to a particular order or sequence. Additionally, some of the described method embodiments or elements thereof can occur or be performed simultaneously, at the same point in time, or concurrently.
  • Embodiments of the invention may include an article such as a computer or processor non- transitory readable medium, or a computer or processor non-transitory storage medium, such as for example a memory, a disk drive, or a USB flash memory, encoding, including or storing instructions, e.g., computer-executable instructions, which, when executed by a processor or controller, cause the processor to carry out methods disclosed herein.
  • Communication system 100 may include one or more first computing device 102 and second computing device 103 that are coupled to a network to transmit data such as packet data over a network 104 and/or other networks 106 (e.g., a cellular network).
  • Network 104 may be a communication network such as a cellular network, a wireless network, a local area network, and/or a wide area network such as the Internet.
  • Communication system 100 may include one or more server 108 such as application servers (physical and/or virtual servers) that may include one or more server processors 109.
  • Such processor 109 may be, for example, a central processing unit processor (CPU), a chip or any suitable computing or computational device, where server processor 109 may be configured to carry out methods as disclosed herein by for example executing code or software.
  • One or more first computing device 102 and second computing device 103 may be directly connected to server 108.
  • Embodiments of the invention may include machine-readable executable code contained in a non-transitory storage medium for a computing device, wherein the executable code, when executed by the computing device, causes the computing device to perform a method of the invention.
  • The functions performed by server processor 109 may be performed by more than one server processor, which may be housed remotely from one another.
  • Communication system 100 may include one or more database 105 and/or information storage devices or memories 110, some or all of which may be in communication with network 106.
  • Database 105 and/or memory 110 may be or may include, for example, a Random Access Memory (RAM), a read only memory (ROM), a Dynamic RAM (DRAM), a Synchronous DRAM (SD-RAM), a double data rate (DDR) memory chip, a Flash memory, a volatile memory, a non-volatile memory, a cache memory, a buffer, a short term memory unit, a long term memory unit, or other suitable memory units or storage units.
  • Database 105 and/or memory 110 may be or may include a plurality of, possibly different, memory units.
  • Data storage or memories 110 may be housed remotely from one or more devices, and data may be stored in more than one memory 110.
  • Data may be stored in and/or loaded from database 105 and/or memory 110, where it may be processed by processor 109.
  • Memory 110 may be a non-volatile memory having the storage capacity of database 105.
  • Database 105 may be embedded or included in memory 110.
  • First computing device 102 may be or include a cellular telephone, smart phone, a personal computer, a desktop computer, a mobile computer, a laptop computer, a terminal, a workstation, a server computer, a Personal Digital Assistant (PDA) device, a tablet computer, a network device, network telephone, automobile, unmanned aerial vehicle (drone), autonomous surface, marine or aerial vehicle or other device that may communicate over for example wired and/or wireless networks.
  • First computing device 102 may include one or more device processors 112, one or more memory 114 units, one or more sensors 120, such as physical sensors (accelerometers, motion sensors, etc.), an electronic display 116 and an input device 118.
  • Input device 118 may be or may include a mouse, a keyboard, microphone, a touch screen or pad, fingerprint reader, credit card reader, image or voice recorder, or any suitable input device. It will be recognized that any suitable number of input devices may be operatively connected to computing device 102.
  • First computing device 102 may include one or more output devices such as displays, speakers and/or any other suitable output devices. It will be recognized that any suitable number of output devices may be operatively connected to computing device 102. Any applicable input/output (I/O) devices may be connected to computing device 102.
  • Device 102 may include or be connected to one or more hardware components such as for example a SIM card, a memory storing a MAC address, an identification sensor or other hardware components 117.
  • Device 102 may also store, execute and run one or more software components 119 such as applications, programs or other executable collections of instructions.
  • Software components 119 may include one or more unique sets of identification data that may have been embedded in such components 117 or 119 by a manufacturer, or that may have been input into or associated with such component 117 or 119 by a user, vendor or some other person.
  • Software components 119 may include executable code, e.g., an application, a program, a process, task or script.
  • Such executable code may be executed by processor 112 possibly under control of an operating system. Where applicable, the executable code may carry out operations described herein in real-time.
  • First computing device 102 and the executable code of a software component 119 may be configured to update, process and/or act upon information at the same rate the information, or a relevant event, are received.
  • Software components 119 may include any code segment designed and/or configured to perform tasks (e.g., an operating system) involving coordination, scheduling, arbitration, supervising, controlling or otherwise managing operation of computing device 102, for example, scheduling execution of programs.
  • 'IPvX' may refer to Internet Protocol version 'X' (e.g., IPv6), a version of the Internet Protocol (IP) developed by the Internet Engineering Task Force (IETF) to deal with IPv4 address exhaustion.
  • The destination address of IPvX, unlike IPv6, has no limitation in bits; therefore the IPvX address created from the hardware and software markers, as specified herein, may be equal to or greater than 128 bits.
  • 'Network Prefix' (NP), in addition to its regular meaning, may refer to the initial bits of an IPvX address that may be identical for all hosts in a network. The number of bits in an 'NP' may be indicated after a "::/". For example, the network prefix of "2001:db8:ff00:42:8329::/64" is "2001:db8".
  • The term 'markers' may, in addition to its regular meaning, refer to one or more of soft markers and hard markers, where soft markers may refer to software-related user identifiers, and hard markers may refer to hardware identifiers of one or more hardware components 117 associated with first computing device 102.
  • Soft markers may include biometric features of the user (e.g., fingerprints, facial recognition, voice recognition, etc.) as may have been collected and stored in one or more memories in or associated with first computing device 102.
  • Soft markers may include cookies, usage patterns (e.g., browser fonts, frequently-used apps, languages, screen lock pattern, etc.), barcodes (e.g., QR or other visual unique identifiers), online payment service programs, protocols and identifiers (such as those that may be used in, for example, a PayPal™ account, bank account, etc.), and location indicators such as those that may be detected and delivered using a location detection device such as a GPS sensor.
  • Hardware markers may include identifiers (that may be unique or not unique), such as a media access control (MAC) address, a type and model of first computing device 102, a network card, international mobile equipment identity (IMEI), SIM number, credit card number or identifier, chassis ID of for example a car or other device, engine number, ECU, fuel card, or other identifier that may identify, authenticate or confirm an identity of first computing device 102 or a user of first computing device 102 to one or more other devices on the network.
  • One or more of such identifiers, hard markers and/or soft markers may be integrated with a MAC address and used as part of an IPvX identification process.
  • 'IPvX' may also refer to an IPvX identifier by which first computing device 102 may be identified, or which may be derived in accordance with the IPvX protocol.
  • A first computing device 102 may be identified in a record of database 105 by, for example, an "Initial Key Store" that may be derived in accordance with the IPvX protocol.
  • Such record may be further associated with soft markers and/or hard markers that are connected to, installed on, or associated with the first computing device 102.
  • Indication of all or some of the Initial Key Store and indications of the hard markers and/or soft markers (as may be associated with the first computing device 102) may be stored in and/or associated with a record on database 105.
  • An Initial Key Store may be stored on database 105 upon a registration of first computing device 102 with the database 105 or with a program or application that may run or administer database 105.
  • A device registration management system (DRMS) 100 may include software (e.g., executed by processor 112) to allow initial registration of first computing device 102 for an online service (e.g., bank account, payment service such as PayPal™, e-commerce account, electronic medical record, social network, etc.) in a network for identification purposes.
  • The DRMS 100 may allow users (or subscribers) to log in to the service from registered computing devices.
  • The DRMS 100 may include and/or may be associated with a management interface that allows adding or removing devices, and updating of device identifiers.
  • A MAC address, and/or in some embodiments another unique network identifier, of first computing device 102 may be transmitted from first computing device 102 to, for example, a server processor 109 (e.g., as shown in Fig. 1).
  • The MAC address may be considered a unique network identifier.
  • The server processor may calculate a unique identifier (e.g., IPvX) from the transmitted MAC address (or number) in accordance with the known IPvX protocol.
  • The server processor may store the calculated unique identifier as an Initial Key Store in a record of database 105.
  • One or more hard markers and/or soft markers may be transmitted to, for example, server processor 109 or database 105.
  • One or more of such hard markers and/or soft markers may be stored in or indexed in database 105 in one or more records associated with the IPvX identifier calculated for the MAC of first computing device 102.
  • A new network prefix (NP) may be calculated and associated with the record, such as the record on database 105 that is associated with first computing device 102.
  • A new key store may be calculated that may include or be derived from one or more of the Initial Key Store and one or more of the hard markers and soft markers that may have been associated with first computing device 102. It should be noted that such new key store may, in some embodiments, be referred to as "IPvX", although other names or designations may be used.
  • A device may be logged into or otherwise connect with a system such as, for example, system 100 (e.g., as shown in Fig. 1).
  • A processor may request and receive from first computing device 102 one or more identifiers, such as for example a MAC address, from which an IPvX address may be derived, and one or more hard markers and one or more soft markers or other identifiers of components installed in or running on first computing device 102 (e.g., as shown in Fig. 1).
  • A server processor 109 may derive from the retrieved MAC address (or other identifier) an IPvX identifier using, for example, a standard IPvX protocol (e.g., IPv6).
  • The server processor may retrieve from database 105 the Initial Key Store that is associated with the MAC address.
  • The server processor may use one or more of the retrieved hard markers and/or soft markers to calculate or derive an IPvX identifier.
  • The server processor may compare the IPvX identifier that was derived from the retrieved data with the IPvX identifier that was stored on database 105.
  • The calculated IPvX identifier may be confirmed as present on database 105.
  • Further hard markers and/or soft markers may be identified from first computing device 102 and used to derive an IPvX identifier that may be present in database 105 and associated with first computing device 102.
  • First computing device 102 may be logged out from a program or application if, for example, its identification could not be confirmed and/or authenticated.
  • The first computing device 102 may be queried for the presence of more than one MAC address.
  • A program may log out the first computing device 102 if more than one MAC address or an external MAC address is detected.
  • One or more of the functions shown in the flowchart of Fig. 3 may be included in a module that may be referred to as a device identification management system (DIMS).
  • One or more of the blocks of Fig. 3, including execution of the functions comparing the calculated IPvX identifier derived from data retrieved from device 102 to the IPvX identifier that may be stored in database 105, may be performed by a module that may be referred to as a comparison process manager (CPM).
  • Other names may also be used.
  • The initial registration of device 400 may result in creation of an initial key store (IKS) if it is the first or only device, and of an n'th key store (KS(n)) if it is the n'th device registered for that particular service.
  • Each device may have a unique IKS, so for any account, there may be a plurality of IKSs.
  • Computing device 400 may need to log in to the service.
  • The DRMS may check 408 whether other computing devices 400 were defined as a master device and whether a local application is installed on computing device 400.
  • A local application on computing device 400 may be installed (Option 1, 406), or the system may require access to specific computing device 400 soft and hard markers (Option 2, 404). Then the DRMS may call for the device soft and hard markers through the local application installed on computing device 400, and may generate the unique IPvX 410 of this particular computing device 400. This IPvX may constitute the IKS 412 of the master device, and this IKS may be sent to the database 414.
  • One of the devices used for accessing the online service may be defined in the DRMS as a master.
  • The addition and/or removal of computing devices 102 may be performed through the master device.
  • Defining a new master device may require user authentication by other techniques (e.g., security questions, calling a service representative, etc.).
  • FIG. 5 shows a flowchart for adding and/or removing devices 102 from the DRMS, according to some embodiments of the invention.
  • Computing device 500 may need to log in to the service; in parallel, the master device 504 may need to log in to the service as well.
  • The DRMS may check 508 whether a local application is installed on computing device 500. If not, a local application on device 500 may be installed (Option 1, 512), or the system may require access to specific computing device 500 soft and hard markers (Option 2, 510). In some embodiments, the DRMS may call for the computing device soft and hard markers through the local application installed on computing device 500, and may generate the unique IPvX 514 of this particular computing device 500. In some embodiments, the DRMS may send an approval request 516 to the master device. If request 516 is approved by the master device, then the IKS (of device 500) may be sent to the database 518. If request 516 is not approved by the master device, then login of device 500 to the online service may be denied.
  • 'IPvX' may refer to a memory packet 600 that may include a table or other collection of data associating at least one IPvX header with identification data stored in one or more software component 119 and/or hardware component 117 that may be installed in, running on or otherwise associated with a particular computing device 102.
  • IKS 601 of device 102 according to the IPvX protocol may include N bits, and no fewer than 128 bits.
  • The corresponding IPvX destination address 602 may include at least 128 bits.
  • MAC address 702, calculated IKS (e.g., for IPv6) 704, software markers (S1...Sn) 710, and hardware markers (H1...Hn) 708 of computing device 102 may be stored in a lookup table 700 upon initial registration (by, for example, the DRMS).
  • the authentication process managed by the CPM may compare the MAC address 702 and a randomly or otherwise selected group of software and/or hardware markers of computing device 102 to the MAC address and software and or hardware markers in the lookup table.
  • MAC address 722, IKS (e.g., calculated for IPv6) 724, modified network prefix 'A' 728, modified network prefix 'B' 726, software markers (Sl ...Sn) 738, and hardware markers (Hl ...Hn) 740 of computing device 102 may bestored in a lookup table 720 upon initial registration (by for example DRMS).
  • Network prefix 'A' 732 may refer to the first part of the IPvX network prefix 730 that was mathematically manipulated to include also a representation of the hardware markers 740 stored in the database 105.
  • Network prefix 'B' 734 refers to the second part of the IPvX network prefix 730 that was mathematically manipulated (e.g., encrypted) to include also a representation of the software markers 738 stored in the database 105.
  • the mathematical manipulation may be any series of mathematical operations on the numerical representation of the hardware and software markers, 738 and 740, stored in the database 105.
  • a mathematical manipulation 810 may be performed by an encryption engine, which may be part of DIMS 1102 on hardware markers (HI ...Hn) 802 and software markers (SI ...Sn) 804 of computing device 102.
  • the EVIEI (HI) of device 102 may be encrypted by the encryption engine that applies in this example a mathematical manipulation of summing up the IMEI digits, where the product of this mathematical manipulation in this example may be '58'. Now in this example '58' becomes network prefix ' ⁇ '.
  • SI is a software marker 814 that may refer for instance to biometric identifier of the user (e.g. finger prints).
  • the encryption engine in DIMS 1102 may apply manipulation on SI, thereby producing a numerical output, for instance '87'.
  • network prefix "2001 :DB8" may become after the encryption "58001 :B887", and the modified IPvX in this case may be "58001 :B887:0:0:211 :22FFF:fe33:4455".
  • IPvX the modified IPvX is hereinafter referred to as IPvX.
  • the authentication process managed by the CPM may compare the IPvX that is stored in the database with the IPvX that is calculated for example in real-time from the software markers (Sl ...Sn), and hardware markers (HI ...Hn) of computing device 102.
  • the calculation of the IPvX may apply the same mathematical manipulation (e.g., encryption) on the software markers (SI ...Sn), and hardware markers (HI ...Hn) of computing device 102.
  • a unique network identifier of the computing device may be stored 910 in a memory.
  • a first identifier of the computing device may be determined 920 by the processor, the first identifier being a function of the unique network identifier and data from at least one of a hardware component and a software component associated with the device.
  • Data associated with the unique network identifier may be received 930 from the computing device, together with the data from at least one of the hardware component and the software component associated with the device.
  • a second identifier may be determined 940 by the processor, the second identifier being a function of the unique network identifier and of the data from at least one of the hardware component and the software component associated with the computing device.
  • the first identifier may be compared 950 by the processor to the second identifier.
  • Fig. 10 shows a flowchart for authentication confirmation, according to some embodiments of the invention. If the resulting key store 1002 of the IPvX 1006 (e.g., IPv6) matches the key store of the IPvX in the database 1004, then user and device authentication may be confirmed and/or validated.
  • the authentication process may occur at a predetermined frequency.
  • This frequency, together with the number and combination of software markers (S1 ... Sn) and hardware markers (H1 ... Hn) of computing device 102 that are used, may determine the level of security of a network or an online service.
  • Fig. 11 shows a block diagram of a device identification management system (DIMS), according to some embodiments of the invention.
  • The DIMS 1112 may include, for example, one or more of the following components: DRMS 1102, IPvX calculator and encryption engine 1104, database 1106, and/or CPM 1108.
  • The initial key store (IKS) may be calculated from, or derived as a function of, the MAC address and then stored in database 105.
  • A database may include hardware and software markers associated with computing device 102. Markers may be stored so as to allow an efficient authentication process by the CPM, for example through indexing processes for storing and retrieving hardware and/or software markers in the database. Other processes may also be possible.
  • FIGs. 12-15 illustrate the implementation of authentication, according to some embodiments of the invention, within a number of common architectures, so that with minimum changes network systems may benefit from adding multiple-layer security to protect the servers, and the software applications from unauthorized login.
  • Fig. 12 schematically illustrates the structure of virtual machine architecture, according to some embodiments of the invention.
  • The virtual machine (VM) or the DIMS may be installed on three layers: DIMS 1220 may be installed on the server 1224, beneath the server virtualization provided by the hypervisor 1218, to protect the server layer; DIMS 1216 may be installed on the Hyper-V hypervisor 1218 to protect the guest operating system (OS) 1214; and DIMS 1212 may be installed on the guest OS 1214 to protect selected applications 1208 and related data and/or libraries 1210.
  • A container may be an alternative architecture to a VM (Fig. 13).
  • In that case the DIMS may be installed on two layers: DIMS 1314 may be installed on the server operating system 1316, beneath Docker 1308, to protect the server layer 1302, and/or DIMS 1310 may be installed on top of Docker 1308 to protect selected applications 1306 and related data libraries 1312.
  • Fig. 14 schematically illustrates the structure of Microsoft data center architecture, according to some embodiments of the invention.
  • The DIMS may be installed on three layers: in the router system 1406 in order to provide better protection, directly in the access layer 1404, and/or under a load balancer such as Network Load Balancing (NLB) or as part of the hardware cluster 1402 for maximum protection of data.
  • Fig. 15 schematically illustrates the structure of Cisco secure data center architecture, according to some embodiments of the invention.
  • The DIMS may be installed on four layers: the first layer may be under the data center core 1502; a layer may be installed before the virtual device contexts (VDCs) in the Nexus switches 1504; a layer may be installed in the VPCs 1506 (which the description calls virtual private clouds; in Cisco Nexus terminology, vPC ordinarily denotes a virtual PortChannel); and/or the last layer may be installed directly in the Virtual Switching System (VSS) 1508.
  • The CPM may be a software module that controls a comparison process of key stores of a computing device against an IKS of the computing device. At one or more instances, multiple comparison processes may be performed for different services on the computing device and for different users that have different end devices.
  • The CPM may enable routing of comparison processes and IPvX calculations between multiple servers to optimize the processing time.
  • Such routing may proceed according to one or more of the following processes.
  • Calculation of the IPvX may proceed on a server separate from the server that compares a KS(n) with an IKS(n). Alternatively, the calculation of the IPvX and the comparison process may be done at different times on the same server.
  • Various servers may be utilized for calculation and comparison to ensure that a frequency requirement for comparisons is met. Comparison of KS(n) with IKS(n) may be done on more than one server at a given time. For example, soft markers may be compared on a first server while hard markers are compared on a different server.
  • one or all of the processes executed by the DIMS and/or the CPM may be executed on one, some or all of the packets that are delivered from computing device 102 over network 106 (e.g., as shown in Fig. 1) and retrieved by a processor associated with an embodiment of the invention. Such comparison may be part of or included in a process of authentication of an identity of computing device 102 from data included in or derived from packets delivered by such computing device 102.
  • A frequency of authentication may be determined by and/or input by a user and/or administrator into, for example, a DIMS module. Such frequency may reflect the level of authentication strictness applied to data received from computing device 102.
  • The number, or the specific nature, of the hard markers and soft markers that are retrieved from computing device 102 and subjected to the calculation of the IPvX identifier may also be determined by an administrator or by some other user. For example, authentication of packets from a device may be performed on every packet received from the device, on a periodic basis, on a random basis, or with some other frequency.
  • Hard markers may be retrieved only from, for example, a memory included in computing device 102, or from all or some of a memory, SIM card, the IMEI, and/or other hardware installed in or on computing device 102.
  • Soft markers may be retrieved from some or all of biometric data, passwords, program versions, or other software in and/or on computing device 102.
  • An application or program on computing device 102 may push or deliver one or more hard markers and soft markers to the processor, or the processor may call for and/or pull one or more such hard markers or soft markers from computing device 102 on a periodic or other basis.
  • an indication of authentication or confirmation of an identity and authorization of computing device 102 may be delivered or included in a signal to one or more other applications or services (such as for example, payment or transaction services, security services or other programs or stores of data that may be accessed).
  • A user may register one or more computing devices 102 in a device registration management system (DRMS) or module.
  • A user may register his cellphone device 102 and a laptop or desktop device 102 with the DRMS and may associate the two devices with his user information.
  • Registration of a device 102 may create an initial key store (IKS) for such computing device using, for example, a MAC address of such device, and may associate one or more soft markers and/or hard markers with the registered device to develop identifiers in a record of database 105.
  • One of the registered computing devices 102 for the user may serve as a master device 102, so that changes to the record in database 105, and/or addition of other computing devices 102 that may be associated with such computing device 102, may be authorized only if made by way of such master device 102.
  • Such addition of other computing devices 102 may require a separate process such as for example calling a sales representative or other manual authentication procedures.
  • communication system 100 may allow anti-hacking protection of computing devices and/or networks, wherein a hacking attempt may be blocked if authentication fails (e.g., blocking the attack vector of the hacking attempt).
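The following is an added worked example and is not code from the patent or from Protectivx. It models, in Python, the prefix manipulation described for network prefixes 'A' and 'B', the registration of an initial key store in the DRMS, and the store/compute/receive/compute/compare flow of Fig. 9 and Fig. 10. All function and class names (eui64_interface_id, unmodified_ipvx, digit_sum_marker, marker_digest, derive_ipvx, DeviceRecord, register_device, authenticate) and the sample IMEI, ICCID and software markers are assumptions constructed for this example. The digit-sum manipulation reproduces the page's own IMEI example; the HMAC-based manipulation is this example's substitute for the page's unspecified "encryption", chosen so that the marker-derived value depends on a key held only by the DIMS and always fits in the 64-bit prefix. The address 2001:DB8:0:0:211:22FF:fe33:4455 used on the page is the modified EUI-64 form of MAC 00:11:22:33:44:55, which is why the interface identifier is derived that way here.

```python
# Added example, not the patent's or Protectivx's code; names and sample data are assumptions.
from __future__ import annotations

import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

IID_MASK = (1 << 64) - 1
HALF_MASK = (1 << 32) - 1


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier of a 48-bit MAC (RFC 4291 App. A):
    00:11:22:33:44:55 -> 0211:22FF:FE33:4455, the low half of the page's
    example address 2001:DB8:0:0:211:22FF:fe33:4455."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # flip the universal/local bit of the first octet and splice in FF:FE
    eui = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return int.from_bytes(eui, "big")


def unmodified_ipvx(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Unmodified IPvX: the /64 routing prefix followed by the EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("this example assumes a /64 routing prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def digit_sum_marker(imei: str) -> int:
    """The page's own manipulation (sum of the IMEI digits), kept for fidelity:
    a 15-digit IMEI sums to at most 135, so devices collide freely and anyone
    who knows the IMEI can recompute the value."""
    if not (imei.isdigit() and len(imei) == 15):
        raise ValueError("IMEI must be 15 decimal digits")
    return sum(int(d) for d in imei)


def marker_digest(key: bytes, label: bytes, markers: list[str]) -> int:
    """32-bit keyed digest of an ordered marker set (HMAC-SHA256, truncated).
    Markers are length-prefixed so ['ab', 'c'] and ['a', 'bc'] cannot collide."""
    msg = bytearray(label)
    for m in markers:
        enc = m.encode("utf-8")
        msg += len(enc).to_bytes(2, "big") + enc
    return int.from_bytes(hmac.new(key, bytes(msg), hashlib.sha256).digest()[:4], "big")


def derive_ipvx(prefix, mac, hw_markers, sw_markers, key) -> ipaddress.IPv6Address:
    """Modified IPvX: prefix part 'A' absorbs the hardware markers, part 'B' the
    software markers, the EUI-64 half stays as is. Folding each digest into a
    32-bit half keeps every group at four hex digits (the page's literal
    "58001:B887" does not), so the result is always a valid IPv6 address."""
    base = int(unmodified_ipvx(prefix, mac))
    part_a = ((base >> 96) & HALF_MASK) ^ marker_digest(key, b"hw", hw_markers)
    part_b = ((base >> 64) & HALF_MASK) ^ marker_digest(key, b"sw", sw_markers)
    return ipaddress.IPv6Address((part_a << 96) | (part_b << 64) | (base & IID_MASK))


@dataclass
class DeviceRecord:
    unique_network_id: str                    # the MAC (step 910)
    initial_key_store: ipaddress.IPv6Address  # first identifier / IKS (step 920)


def _norm(mac: str) -> str:
    return mac.replace("-", ":").lower()


def register_device(db, device_id, mac, hw_markers, sw_markers, key,
                    prefix="2001:db8::/64") -> ipaddress.IPv6Address:
    """DRMS registration: store the unique network identifier and the IKS."""
    rec = DeviceRecord(_norm(mac), derive_ipvx(prefix, mac, hw_markers, sw_markers, key))
    db[device_id] = rec
    return rec.initial_key_store


def authenticate(db, device_id, mac, hw_markers, sw_markers, key,
                 prefix="2001:db8::/64") -> bool:
    """Steps 930-950: recompute the key store from the markers the device just
    sent (second identifier) and compare it with the stored IKS in constant time."""
    rec = db.get(device_id)
    if rec is None or rec.unique_network_id != _norm(mac):
        return False
    ks = derive_ipvx(prefix, mac, hw_markers, sw_markers, key)
    return hmac.compare_digest(ks.packed, rec.initial_key_store.packed)


if __name__ == "__main__":
    key = b"dims-server-secret"                       # held only by the DIMS
    hw = ["490154203237518", "8991101200003204510"]  # constructed IMEI, ICCID
    sw = ["app=2.3.1", "fp-template=ab12"]           # program version, biometric ref
    db = {}
    print("IMEI digit sum:", digit_sum_marker(hw[0]))
    print("IKS:", register_device(db, "phone-1", "00:11:22:33:44:55", hw, sw, key))
    print("same markers:", authenticate(db, "phone-1", "00:11:22:33:44:55", hw, sw, key))
    print("new app build:", authenticate(db, "phone-1", "00:11:22:33:44:55", hw, ["app=2.4.0", sw[1]], key))
```

Two design points worth noting. First, the comparison is only as good as the manipulation: with the page's digit sum, a changed IMEI whose digits happen to sum to the same value still matches, whereas a keyed digest changes whenever any marker, or the key, changes, and cannot be recomputed by an observer who only sees the markers. Second, the scheme as described authenticates possession of static attributes; a party that can read the markers off the device or capture them in transit can replay them, so the periodic re-authentication the description mentions should run over a protected channel, and binding each exchange to a nonce or timestamp (not shown here) is what keeps a captured marker set from being reused.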

Landscapes

  • Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Systems and methods are provided for authenticating a computing device, the methods including: determining a unique identifier of the computing device, the unique identifier corresponding to at least a media access control (MAC) address of the computing device; determining an IPvX identifier for the computing device, the IPvX identifier corresponding to the determined unique identifier of the computing device; and authenticating the determined IPvX identifier against data received from the computing device.
Application PCT/IL2017/050286, priority date 2016-03-08, filing date 2017-03-08: System and method for device authentication using hardware and software identifiers, WO2017153990A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201662304974P 2016-03-08 2016-03-08
US62/304,974 2016-03-08

Publications (1)

Publication Number Publication Date
WO2017153990A1 (fr) 2017-09-14

Family

ID=59789052

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2017/050286 WO2017153990A1 (fr) 2016-03-08 2017-03-08 System and method for device authentication using hardware and software identifiers

Country Status (1)

Country Link
WO (1) WO2017153990A1 (fr)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060294257A1 (en) * 2005-06-24 2006-12-28 Olympus Corporation IP address obtaining method
US9173129B2 (en) * 2010-10-22 2015-10-27 Intellectual Discovery Co., Ltd. IPV6 address management method and gateway performing the same
US8572366B1 (en) * 2012-05-18 2013-10-29 Google Inc. Authenticating clients
US8934490B2 (en) * 2013-01-31 2015-01-13 Telefonaktiebolaget L M Ericsson (Publ) Accelerated MAC address resolution for IPv6 traffic with IS-IS protocol
WO2015002545A1 (fr) * 2013-07-05 2015-01-08 Sgx As Method and system relating to user authentication for accessing data networks

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020205173A1 (fr) * 2019-04-04 2020-10-08 Micron Technology, Inc. Onboarding software on secure devices to generate device identities for authentication with remote servers
US11101984B2 (en) 2019-04-04 2021-08-24 Micron Technology, Inc. Onboarding software on secure devices to generate device identities for authentication with remote servers
US11252570B2 (en) 2019-11-22 2022-02-15 John Junior Richardson Computer system and method for software authentication and single application enforcement
CN114338522A (zh) * 2020-11-27 2022-04-12 成都市合纵智联科技有限公司 IPv6 addressing and networking method based on identifier management
CN114338522B (zh) * 2020-11-27 2024-04-05 成都市伏羲科技有限公司 IPv6 addressing and networking method based on identifier management

Legal Events

Code Title / Description
NENP Non-entry into the national phase. Ref country code: DE
121 Ep: the EPO has been informed by WIPO that EP was designated in this application. Ref document number: 17762641; Country of ref document: EP; Kind code of ref document: A1
32PN Ep: public notification in the EP bulletin as address of the addressee cannot be established. Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 16.1.19)
122 Ep: PCT application non-entry in European phase. Ref document number: 17762641; Country of ref document: EP; Kind code of ref document: A1