Synchronization of security-related data
US-2015365439-A1 · Dec 17, 2015 · US
US10021088B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10021088-B2 |
| Application number | US-201514870435-A |
| Country | US |
| Kind code | B2 |
| Filing date | Sep 30, 2015 |
| Priority date | Sep 30, 2014 |
| Publication date | Jul 10, 2018 |
| Grant date | Jul 10, 2018 |
Official abstract text for this publication.
Methods and systems for faster and more efficient smart card logon and for giving a client device full domain access in a remote computing environment are described herein. Fast smart card logon may be used to reduce latency and improve security. For example, the system may reduce the number of operations (e.g., interactions) between a server device used for authentication and the client device. These operations may include fetching a user certificate from the smart card or signing data. Fast smart card logon may also improve security by optionally avoiding PIN (or other credential) transmission over networks, and by enabling single sign-on from an authentication event (e.g., Secure Sockets Layer (SSL) or Transport Layer Security (TLS) authentication) using a smart card to the domain logon without resorting to PIN caching.
Opening claim text (preview).
What is claimed is:

1. A method comprising: receiving, at a server device and from a client device, a request to authenticate the client device based on a smart card at the client device; in response to receiving the request, initiating an authentication session for the client device; generating a Personal Computer/Smart Card (PC/SC) layer connection between the server device and the client device; generating a virtual channel between the server device and the client device, wherein the virtual channel is at a higher level than the PC/SC layer connection; during the authentication session for the client device, determining that an operation during the authentication session uses one or more of a signature, a certificate, a list of certificates, or a decryption operation provided by the smart card at the client device; in response to the determining, sending, from the server device, to the client device, and via the virtual channel at the higher level than the PC/SC layer connection, a request for one or more of the signature, the certificate, the list of certificates, or the decryption operation; and determining, via communications received by the server device via the virtual channel, that the smart card at the client device was removed.
2. The method of claim 1, further comprising: after receiving the request to authenticate the client device, selecting, by a credential provider at the server device, a key storage provider at the server device to perform one or more cryptographic operations during the authentication session.
3. The method of claim 1, further comprising: after receiving the request to authenticate the client device, selecting, by a credential provider at the server device, a cryptographic service provider at the server device to perform one or more cryptographic operations during the authentication session.
4. The method of claim 3, wherein: the determining that an operation during the authentication session uses one or more of a signature, a certificate, a list of certificates, or a decryption operation comprises the cryptographic service provider intercepting the operation during the authentication session that uses one or more of the signature, the certificate, the list of certificates, or the decryption operation provided by the smart card at the client device, and the sending the request comprises the cryptographic service provider sending the request in response to intercepting the operation.
5. The method of claim 4, further comprising: in response to determining that an operation during the authentication session does not use the smart card at the client device, requesting, by the cryptographic service provider, a second cryptographic service provider to perform the operation that does not use the smart card.
6. The method of claim 1, wherein: the determining that an operation during the authentication session uses one or more of a signature, a certificate, a list of certificates, or a decryption operation comprises determining that the operation during the authentication session uses the signature provided by the smart card at the client device, and the sending the request comprises sending a request for the client device to perform a signing operation using a private key of the smart card.
7. The method of claim 1, wherein: the determining that an operation during the authentication session uses one or more of a signature, a certificate, a list of certificates, or a decryption operation comprises determining that the operation during the authentication session uses the decryption operation provided by the smart card at the client device, and the sending the request comprises sending a request for the client device to perform the decryption operation using a private key of the smart card.
8. The method of claim 1, wherein the smart card comprises one or more of a physical smart card or a virtual smart card.
9. The method of claim 1, further comprising: receiving, at the server device and from the client device, a PIN corresponding to the smart card; and storing, at a cryptographic service provider at the server device, the PIN.
10. An apparatus comprising: a processor; and memory storing computer-executable instructions that, when executed by the processor, cause the apparatus to: receive, from a client device, a request to authenticate the client device based on a smart card at the client device; in response to receiving the request, initiate an authentication session for the client device; generate a Personal Computer/Smart Card (PC/SC) layer connection between the apparatus and the client device; generate a virtual channel between the apparatus and the client device, wherein the virtual channel is at a higher level than the PC/SC layer connection; during the authentication session for the client device, determine that an operation during the authentication session uses one or more of a signature, a certificate, a list of certificates, or a decryption operation provided by the smart card at the client device; in response to the determining, send, to the client device and via the virtual channel at the higher level than the PC/SC layer connection, a request for one or more of the signature, the certificate, the list of certificates, or the decryption operation; and determine, via communications received by the apparatus via the virtual channel, that the smart card at the client device was removed.
11. The apparatus of claim 10, wherein the memory stores computer-executable instructions that, when executed by the processor, cause the apparatus to: after receiving the request to authenticate the client device, select, by a credential provider at the apparatus, a service provider at the apparatus to perform one or more cryptographic operations during the authentication session.
12. The apparatus of claim 11, wherein: the determining that an operation during the authentication session uses one or more of a signature, a certificate, a list of certificates, or a decryption operation comprises the service provider intercepting the operation during the authentication session that uses one or more of the signature, the certificate, the list of certificates, or the decryption operation provided by the smart card at the client device, and the sending the request comprises the service provider sending the request in response to intercepting the operation.
13. The apparatus of claim 12, wherein the memory stores computer-executable instructions that, when executed by the processor, cause the apparatus to: in response to determining that an operation during the authentication session does not use the smart card at the client device, request, by the service provider, a second service provider to perform the operation that does not use the smart card.
14. The apparatus of claim 10, wherein the smart card comprises one or more of a physical smart card or a virtual smart card.
15. A method comprising: sending, from a client device to a server device, a request to authenticate the client device based on a smart card at the client device; generating a Personal Computer/Smart Card (PC/SC) layer connection between the server device and the client device; generating a virtual channel between the server device and the client device, wherein the virtual channel is at a higher level than the PC/SC layer connection; in response to the request, performing operations during an authentication session for the client device; and during the authentication session for the client device, receiving, by the client device and via the virtual channel at the higher
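The server-side flow of claims 1 to 5 (a credential provider selects a cryptographic service provider that intercepts session operations, forwards only card-backed ones over the virtual channel above PC/SC, hands the rest to a second provider, and learns of card removal from the channel) as an added simulation in Python; this is not code from the patent or from any product, and the class names, message format and the "card removed after N requests" trigger are constructed for the illustration.

```python
# Added toy model of the claimed flow (not the patent's or any vendor's code):
# a server-side CSP intercepts session operations, forwards card-backed ones
# over a virtual channel above PC/SC, delegates the rest to a second CSP, and
# detects card removal from channel replies. Names and messages are hypothetical.
SMART_CARD_OPS = {"sign", "decrypt", "get_certificate", "list_certificates"}

class CardRemoved(Exception):
    """Raised when the channel reports that the smart card was removed."""

class VirtualChannel:
    """Client end of the virtual channel (simulated; no real PC/SC reader)."""
    def __init__(self, certs, removed_after):
        self.certs = certs
        self.removed_after = removed_after  # constructed: card pulled after N requests
        self.requests = []
    def request(self, op, payload=None):
        if len(self.requests) >= self.removed_after:
            return {"status": "card_removed"}
        self.requests.append(op)
        if op == "list_certificates":
            return {"status": "ok", "result": list(self.certs)}
        if op == "get_certificate":
            return {"status": "ok", "result": self.certs[0]}
        # sign/decrypt are simulated: only the result crosses the channel;
        # the private key and the PIN stay on the client side
        return {"status": "ok", "result": f"{op}({payload})"}

class LocalCsp:
    """Second CSP for operations that do not need the card."""
    def perform(self, op, payload=None):
        return f"local:{op}({payload})"

class SmartCardCsp:
    """Server-side CSP selected by the credential provider; routes card ops."""
    def __init__(self, channel, fallback):
        self.channel, self.fallback, self.card_present = channel, fallback, True
    def perform(self, op, payload=None):
        if op not in SMART_CARD_OPS:
            return self.fallback.perform(op, payload)
        reply = self.channel.request(op, payload)
        if reply["status"] == "card_removed":
            self.card_present = False
            raise CardRemoved(op)
        return reply["result"]

def run_logon_session(csp, ops):
    """Authentication session: run ops in order until done or the card is removed."""
    results = []
    for op, payload in ops:
        try:
            results.append((op, csp.perform(op, payload)))
        except CardRemoved:
            results.append((op, "aborted: card removed"))
            break
    return results
```

The session stops at the first operation the channel answers with a removal notice, which is the server-side signal the claims describe for detecting that the card is gone.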
CPC classification titles:

- One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
- involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (network architectures or network communication protocols for supporting authentication of entities using certificates in a packet data network H04L63/0823)
- using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263)
- for key exchange, e.g. in peer-to-peer networks (cryptographic mechanisms or cryptographic arrangements for key agreement H04L9/0838)
- based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint