Management server
US-2015156058-A1 · Jun 4, 2015 · US
US9998287B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9998287-B2 |
| Application number | US-201514640745-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 6, 2015 |
| Priority date | Mar 6, 2015 |
| Publication date | Jun 12, 2018 |
| Grant date | Jun 12, 2018 |
Abstract
An authentication server may use secure messaging with a remote device prior to authorizing non-secure communications between the remote device and a content server, thereby preventing unauthorized access to the content server. The secure messaging uses such security features as encryption, signatures with authentication certificates, a realm, and/or a nonce. Once non-secure communication is authorized, the remote device may act as a proxy between the content server and a user device connected to the remote device. The authentication server sends timeout notices to the remote device containing an interval and a key. To continue non-secure communications with the content server, the remote device must respond prior to the expiration of the interval by sending a keep-alive message containing the key to the authentication server.
Claims (preview; the text ends mid-claim 18 in the source)
What is claimed:
1. A method comprising: receiving, by an authentication system, from a content server, a request to authenticate a network device; sending, by the authentication system and to the network device, an encrypted challenge message; receiving, by the authentication system and from the network device, an encrypted response to the encrypted challenge message, wherein the encrypted response comprises a digital signature of the network device, and wherein the encrypted response comprises an identifier of an unauthorized user device requesting to exchange data with the content server via the network device; verifying, by the authentication system based on the encrypted response, an authenticity of the network device; and authorizing, by the authentication system and based on successful verification of the authenticity of the network device, the content server to exchange unencrypted data with the unauthorized user device via the network device.
2. The method of claim 1, further comprising: sending, by the authentication system and to the network device, an encrypted timeout notice that comprises an indication of a time interval; receiving, prior to the expiration of the indicated time interval, by the authentication system and from the network device, an encrypted keep-alive message; and reauthorizing, by the authentication system, the content server to exchange unencrypted data with the unauthorized user device via the network device.
3. The method of claim 2, wherein: the encrypted challenge message comprises a realm and a nonce; the method further comprising, withholding authorization, by the authentication system, for the content server to exchange unencrypted data with the unauthorized user device via the network device if the encrypted response does not comprise the realm and the nonce.
4. The method of claim 3, further comprising signing, by the authentication system using a first authentication certificate, the encrypted challenge message and the encrypted timeout notice.
5. The method of claim 4, wherein: the encrypted response and the keep-alive message are signed using a second authentication certificate; the method further comprising, withholding authorization, by the authentication system, for the content server to exchange unencrypted data with the unauthorized user device via the network device, if the second authentication certificate is not recognized by the authentication system.
6. The method of claim 1, wherein the identifier of the unauthorized user device is an Internet protocol source address, a media access control address, or a universal unique identifier.
7. An apparatus comprising: one or more processors; and a memory, the memory storing computer-executable instructions that, when executed by the one or more processors, cause the apparatus to: receive, from a content server, a request to authenticate a network device; send, to the network device, an encrypted challenge message; receive, from the network device, an encrypted response to the encrypted challenge message, the encrypted response comprising a digital signature of the network device, the encrypted response further comprising an identifier of an unauthorized user device requesting to exchange data with the content server; verify, based on the encrypted response, an authenticity of the network device; and authorize, based on successful verification of the authenticity of the network device, the content server to exchange unencrypted data with the unauthorized user device via the network device.
8. The apparatus of claim 7, wherein the instructions further cause the apparatus to: send, to the network device, an encrypted timeout notice that comprises an indication of a time interval; receive, from the network device, an encrypted keep-alive message prior to the expiration of the indicated time interval; and send, to the content server, a reauthorization to exchange unencrypted data with the unauthorized user device via the network device.
9. The apparatus of claim 8, wherein the instructions further cause the apparatus to sign, based on a first authentication certificate, the encrypted challenge message and the encrypted timeout notice.
10. The apparatus of claim 7, wherein: the encrypted response and the encrypted keep-alive message are signed using a second authentication certificate; and the instructions further cause the apparatus to withhold the authorization if the second authentication certificate is not recognized by the apparatus.
11. The apparatus of claim 7, wherein the encrypted challenge message comprises a realm and a nonce, and wherein the instructions further cause the apparatus to: determine whether the encrypted response includes the realm and the nonce; and withhold, if the encrypted response lacks either the realm or the nonce, the authorization.
12. The apparatus of claim 7, wherein the identifier of the unauthorized user device is an Internet protocol source address, a media access control address, or a universal unique identifier.
13. A system comprising: a network device configured to provide network access to one or more user devices; a content server configured to communicate with the one or more user devices via the network device; and an authentication server configured to: receive, from the content server, a request to authenticate the network device; send, to the network device, an encrypted challenge message; receive, from the network device, an encrypted response to the encrypted challenge message, wherein the encrypted response comprises a digital signature of the network device, and wherein the encrypted response further comprises an identifier of an unauthorized one of the one or more user devices requesting to exchange data with the content server via the network device; and verify, based on the encrypted response, an authenticity of the network device; and authorize, based on successful verification of the authenticity of the network device, the content server to exchange unencrypted data with the unauthorized one of the one or more user devices via the network device.
14. The system of claim 13, wherein the authentication server is further configured to: send, to the network device, an encrypted timeout notice that comprises an indication of a time interval; receive, from the network device, an encrypted keep-alive message prior to the expiration of the indicated time interval; and send, to the content server, a reauthorization to exchange unencrypted data with the unauthorized one of the one or more user devices via the network device.
15. The system of claim 14, wherein the authentication server is further configured to sign, using a first authentication certificate, the encrypted challenge message and the encrypted timeout notice.
16. The system of claim 15, wherein: the network device is configured to sign, using a second authentication certificate, the response and the encrypted keep-alive message; and the authentication server is further configured to withhold the authorization if the second authentication certificate is not recognized by the authentication server.
17. The system of claim 15, wherein the encrypted challenge, the encrypted response, the encrypted timeout notice, and the encrypted keep-alive message are encrypted in accordance with an MD5 hash.
18. The system of claim 13, wherein the authentication server is further configured to: include a realm and a nonce in the encrypted challenge message; determine whether the encrypted response includes the realm and the no
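The abstract and claims 1 to 6 describe one protocol: the authentication server sends a signed challenge carrying a realm and a nonce, the network device answers with a signed response that echoes both and names the user device it is proxying for, the server authorizes only if the device's certificate is recognized and the realm and nonce match, and it then issues timeout notices whose key must come back in a keep-alive before the interval lapses. The following is an added illustration of that exchange written for this page; it is not code from the patent or from any product implementing it. Two constructed HMAC-SHA256 keys stand in for the "first" and "second" authentication certificates (a real deployment would use certificate-based signatures), the encryption of the messages is assumed to be provided by the transport and is not modelled, and the MD5-based scheme of claim 17 is deliberately not reproduced because MD5 is not suitable for new authentication designs. All identifiers, keys and the fake clock are assumptions of the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed keys that stand in for the two "authentication certificates" of the
# claims: one for the authentication server, one per recognized network device.
AUTH_SERVER_KEY = b"auth-server-certificate-key"          # first certificate
DEVICE_KEYS = {"gw-01": b"gateway-01-certificate-key"}   # recognized second certificate(s)


def sign(key: bytes, msg: dict) -> str:
    """HMAC-SHA256 over canonical JSON; stands in for a certificate signature."""
    data = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key: bytes, msg: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(key, msg), sig)


class AuthServer:
    """Authentication system of claim 1: challenge, verify, authorize, then time out."""

    def __init__(self, realm: str, interval: float = 30.0, clock=time.monotonic):
        self.realm, self.interval, self.clock = realm, interval, clock
        self.pending = {}   # device id -> outstanding nonce
        self.sessions = {}  # device id -> {"user": ..., "key": ..., "expires": ...}

    def challenge(self, device_id: str):
        nonce = secrets.token_hex(16)
        self.pending[device_id] = nonce
        msg = {"type": "challenge", "device": device_id, "realm": self.realm, "nonce": nonce}
        return msg, sign(AUTH_SERVER_KEY, msg)

    def _check_device_signature(self, msg: dict, sig: str):
        key = DEVICE_KEYS.get(msg.get("device"))
        if key is None:
            return "unrecognized certificate"       # claim 5: withhold authorization
        if not verify(key, msg, sig):
            return "bad signature"
        return None

    def handle_response(self, msg: dict, sig: str):
        """Returns (authorized, reason); authorization is withheld unless every check passes."""
        err = self._check_device_signature(msg, sig)
        if err:
            return False, err
        dev = msg["device"]
        nonce = self.pending.pop(dev, None)   # single use: a replayed response fails here
        if msg.get("realm") != self.realm or nonce is None or msg.get("nonce") != nonce:
            return False, "realm/nonce mismatch"  # claim 3
        user = msg.get("user_id")               # claim 6: IP, MAC or UUID of the user device
        if not user:
            return False, "missing user device identifier"
        self.sessions[dev] = {"user": user, "key": secrets.token_hex(16),
                              "expires": self.clock() + self.interval}
        return True, "authorized"

    def timeout_notice(self, device_id: str):
        s = self.sessions[device_id]
        msg = {"type": "timeout", "device": device_id, "interval": self.interval, "key": s["key"]}
        return msg, sign(AUTH_SERVER_KEY, msg)

    def handle_keepalive(self, msg: dict, sig: str):
        err = self._check_device_signature(msg, sig)
        if err:
            return False, err
        s = self.sessions.get(msg["device"])
        if s is None:
            return False, "no active session"
        if self.clock() > s["expires"]:
            del self.sessions[msg["device"]]    # late keep-alive: authorization has lapsed
            return False, "interval expired"
        if not hmac.compare_digest(msg.get("key", ""), s["key"]):
            return False, "wrong key"
        s["expires"] = self.clock() + self.interval
        return True, "reauthorized"

    def is_authorized(self, device_id: str, user: str) -> bool:
        s = self.sessions.get(device_id)
        return s is not None and s["user"] == user and self.clock() <= s["expires"]


class NetworkDevice:
    """Remote device proxying for a user device; signs with its own certificate key."""

    def __init__(self, device_id: str, key: bytes):
        self.id, self.key = device_id, key

    def respond(self, challenge: dict, sig: str, user_id: str):
        if not verify(AUTH_SERVER_KEY, challenge, sig):
            raise ValueError("challenge not signed by the authentication server")
        msg = {"type": "response", "device": self.id, "realm": challenge["realm"],
               "nonce": challenge["nonce"], "user_id": user_id}
        return msg, sign(self.key, msg)

    def keepalive(self, notice: dict, sig: str):
        if not verify(AUTH_SERVER_KEY, notice, sig):
            raise ValueError("timeout notice not signed by the authentication server")
        msg = {"type": "keepalive", "device": self.id, "key": notice["key"]}
        return msg, sign(self.key, msg)


def run_exchange(interval: float = 30.0):
    """Full flow under a fake clock; returns the outcome of each step for inspection."""
    now = [0.0]
    server = AuthServer("content-srv.example", interval, clock=lambda: now[0])
    gw = NetworkDevice("gw-01", DEVICE_KEYS["gw-01"])
    user_mac = "00:11:22:33:44:55"                     # constructed MAC of the user device
    out = {}
    ch, ch_sig = server.challenge(gw.id)               # content server asked for authentication
    resp, resp_sig = gw.respond(ch, ch_sig, user_mac)
    out["authorized"] = server.handle_response(resp, resp_sig)
    out["replay"] = server.handle_response(resp, resp_sig)       # nonce already consumed
    notice, n_sig = server.timeout_notice(gw.id)
    ka, ka_sig = gw.keepalive(notice, n_sig)
    now[0] += interval / 2
    out["keepalive_in_time"] = server.handle_keepalive(ka, ka_sig)
    now[0] += interval + 1                                       # let the interval lapse
    out["keepalive_late"] = server.handle_keepalive(ka, ka_sig)
    out["still_authorized"] = server.is_authorized(gw.id, user_mac)
    return out
```

Two design points worth noting: the nonce is consumed on first use, so a captured response cannot be replayed to re-open a session, and a keep-alive that arrives after the interval is treated as a fresh authorization failure rather than a late renewal, which is what "must respond prior to the expiration of the interval" in the abstract requires.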
CPC classification titles:
Proxies
Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
using challenge-response
involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (network architectures or network communication protocols for supporting authentication of entities using certificates in a packet data network H04L63/0823)
using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263)