[go: up one dir, main page]

HK1097669A - Methods and apparatus for providing application credentials - Google Patents

Methods and apparatus for providing application credentials Download PDF

Info

Publication number
HK1097669A
HK1097669A HK07103346.8A HK07103346A HK1097669A HK 1097669 A HK1097669 A HK 1097669A HK 07103346 A HK07103346 A HK 07103346A HK 1097669 A HK1097669 A HK 1097669A
Authority
HK
Hong Kong
Prior art keywords
credential
application
server
request
data
Prior art date
Application number
HK07103346.8A
Other languages
Chinese (zh)
Inventor
劳伦斯‧伦德布雷德
Original Assignee
高通股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 高通股份有限公司 filed Critical 高通股份有限公司
Publication of HK1097669A publication Critical patent/HK1097669A/en

Links

Description

Method and apparatus for providing application credentials
Technical Field
The present invention relates generally to credential systems, and more particularly, to methods and apparatus for providing application credentials to applications running on a device for authentication and security purposes.
Background
Technological advances have led to the development and deployment of a wide variety of data networks. These networks include public data networks, such as the internet, and private networks, such as wireless telecommunications networks. Users of these networks have the ability to access a wide variety of information and services available as network resources.
There is an example of an increasing need for network resources in a wireless network environment. In a wireless environment, various wireless devices, such as wireless telephones, Personal Digital Assistants (PDAs), and paging devices, communicate over a wireless network. The wireless network may also include a network server that operates to provide various network resources to the wireless devices. In addition, the wireless network may also be coupled to a public network (such as the internet) such that resources on the public network are available to wireless devices on the wireless network.
Typically, a wireless device may download an application from a wireless network. The application may be purchased for free downloads by the user of the wireless device, which is effective to obtain rights to use the application or content for a limited fixed or usage-based expiration period. During execution, the application may attempt to retrieve proprietary data from a data server. For example, the application may be a news retrieval application, and during runtime, the application requests news data from a proprietary news data server. Before transmitting the data, the data server needs to verify that the application is authenticated to receive the data. The application needs to be authenticated to the data server.
However, strong authentication is not possible unless there is a shared key between the device and a server distinct from each device. If this is not the case, reverse engineering of the application will display enough information to gain access to the server. The shared key should be distributed out-of-band and not on the network connection between the device and the server. One approach is to supply a separate key to each device at the time of manufacture or sale. This is how some systems operate to authenticate voice calls. However, this technique is not specified in terms of a large number of applications, does not work for applications that are downloaded after device purchase, and application vendors may not have access to the manufacturing or sales process.
Another technique is to issue separate passwords to each device user, where the passwords are assigned using voicemail, email, paper mail, or some other out-of-band means. This may provide a partial solution, however, this technique results in more user responsibility, more overhead for the application or content developer, and the need to create, assign, and maintain a password for each application used by each user.
What is needed, therefore, is a system that provides application credentials that can be used by applications running on a device to authenticate their requests for data from a proprietary data server, where the application credentials provide strong authentication without having multiple passwords for each device.
Disclosure of Invention
In one or more embodiments, a credential system is described that provides credentials to an application running on a device. In one embodiment, an application running on a device provides an application identifier in a request for credentials sent to a credential system. The credential system uses the application identifier and the master credential to generate an application credential for use by the application. After obtaining the application credential, the application sends a request for data to a data server, and the request includes the application credential and the application identifier. The data server receives the request and includes the application identifier in the request for the server credential, which is sent to a credential server. The credential server has a copy of the master credential. The credential server uses the application identifier and the master credential to generate a server credential, which is transmitted back to the data server. The data server then compares the application credential with the server credential, and if they match, the server sends the requested data to the application. Thus, the application may authenticate to the data server without using a particular password.
In another embodiment, the data server transmits the application identifier and the application credential in the request for credential verification to the credential server. The credential server generates a server credential using the application identifier and the master credential. The credential server compares the application credential with the server credential and determines whether the two credentials match. If the credentials match, the credential server transmits a positive indication to the data server, thereby approving the data server to transmit the requested data to the application.
In one embodiment, a method provides an application credential to an application running on a device, where the application credential is used by the application to authenticate to a data server. The method includes receiving a request to generate an application credential, wherein the request includes an application identifier. The method also includes generating an application credential using the application identifier and a master credential associated with the device.
In another embodiment, a provisioning apparatus operates to provision application credentials to an application running on a device, wherein the application credentials are used by the application to authenticate to a data server. The device includes receiving logic that operates to receive a request for an application credential, wherein the request includes an application identifier. The device also includes generation logic that operates to generate an application credential using the application identifier and a master credential.
In another embodiment, a provisioning apparatus operates to provision application credentials to an application running on a device, wherein the application credentials are used by the application to authenticate to a data server. The apparatus includes means for receiving a request for application credentials, wherein the request includes an application identifier. The apparatus also includes means for generating an application credential using the application identifier and a master credential.
In another embodiment, a computer-readable medium is provided that includes instructions that, when executed by a processor in a device, provide an application credential to an application running on the device, wherein the application credential is used by the application to authenticate to a data server. The computer-readable medium includes instructions for receiving a request for an application credential, wherein the request includes an application identifier. The computer-readable medium also includes instructions for generating application credentials using the application identifier and a master credential.
In another embodiment, a method is provided for operating a credential server to authenticate an application running on an apparatus, wherein the application transmits a request for data to a data server and the request includes an application credential. The method includes receiving an application identifier in a request for a server credential and generating the server credential using the application identifier and a master credential. The method also includes transmitting the server credential to a data server, wherein an application is authenticated if the server credential and the application credential match.
Other aspects, advantages, and features of the present invention will become apparent after review of the hereinafter set forth brief description of the drawings, detailed description of the invention, and the claims.
Drawings
The foregoing aspects and the attendant advantages of the embodiments described herein will become more readily apparent by reference to the following detailed description when taken in conjunction with the accompanying drawings wherein:
FIG. 1 shows a data network including one embodiment of a credential system that provides application credentials to applications running on a wireless device;
FIG. 2 shows a functional block diagram illustrating one embodiment of the wireless device of FIG. 1, including one embodiment of a credential system that operates to provide application credentials to applications running on the device;
FIG. 3 shows one embodiment of a method for operating a credential system to provide application credentials to an application running on a device;
FIG. 4 shows a functional block diagram of a data server including an embodiment of a credential system that validates requests for data received from applications running on a device;
FIG. 5 shows one embodiment of a method for operating a data server in a credential system to verify an application credential provided by an application running on a device;
FIG. 6 shows a functional block diagram of another embodiment of a data server, including one embodiment of a credential system that validates requests for data received from applications running on a device;
FIG. 7 shows an embodiment of a credential server operating in a credential system to verify an application credential provided to an application running on a device;
FIG. 8 shows one embodiment of a method for operating a credential server in a credential system to verify application credentials provided by an application running on a device; and
FIG. 9 shows a functional block diagram of another embodiment of a credential server that includes one embodiment of a credential system that verifies requests for data received from applications running on a device.
Detailed Description
The following detailed description describes a credential system that provides credentials to an application running on a device. The device may be any type of computing device, such as a desktop computer, server, or other type of computer. The system is also suitable for use with portable devices such as tablet computers, PDAs, wireless telephones, email devices, pagers or any other type of portable device. Thus, although the system is suitable for use with a variety of devices, for clarity, embodiments of the invention are described herein with reference to wireless devices.
The device includes a copy of the master credential that is installed in the device during manufacture or through the use of some other secure procedure that protects the master credential from public disclosure. The master credential is also known to the credential server.
In one or more embodiments, the credential system and execution executing on a device for simplifying device operationsThe contexts interact, such as by providing generic calls for device specific resources. One such Runtime Environment is Binary Runtime Environment for Wireless, developed by QUALCOMM, Inc. of san Diego, CalifTM(BREWTM) And (3) a software platform. In the following description, it will be assumed that the device is executing a runtime environment, such as the BREW software platform. However, one or more embodiments of the credential system are suitable for use with other types of runtime environments to provide application credentials to applications running on a variety of wired and wireless devices.
Fig. 1 shows a data network 100 that includes one embodiment of providing application credentials to a credential system for applications running on a device. The network 100 includes a wireless device 102 that communicates with a data network 104 via a wireless communication channel 106. Network 100 may be any type of data network and include both wired and wireless components. The network 100 also includes a credential server 108 that operates to provide services to the wireless device 102 and other entities in communication with the network 104. For example, the wireless device 102 may be a wireless telephone and the credential server 108 may be part of a nationwide telecommunications network that provides telecommunications services to the device 102. A data server 110 is also in communication with the network 104. The data server 110 operates to provide data (such as multimedia content or other types of data) to devices in communication with the wireless network 104.
In one embodiment, the device 102 includes a master credential 114 that is installed in the device during manufacture or through the use of some other secure program. The master credential 114 may be any type of suitable credential that is not disclosed to allow the device 102 to authenticate to other entities, such as the credential server 108. The device 102 also includes credential generation logic 116. The credential generation logic 116 generates a credential based on specific input information. In one embodiment, the logic 116 uses a "one-way" generation technique such that the generated credential cannot be decoded or inverted to determine the input information used to generate the credential. For example, the logic 116 may generate the credential using a hash function.
During operation, the credential system operates to provide application credentials to an application running on the device 102 by performing one or more of the following steps.
1. An application 118 running on the device 102 requests an application credential from the credential system. The application includes an application Identifier (ID) in the request for the application credential. The request for the application credential is shown at 128.
2. The credential system uses the application ID and master credential 114 to generate an application credential for the application 118. The application credentials are returned to the application 118 as indicated at 130.
3. The application 118 sends the application credential, and optionally the ID, to the data server 110 along with a request to obtain the data. The request to obtain data is shown at 120.
4. The data server 110 sends the ID to the credential server 108 in a request for a server credential. The request for the server credential is shown at 122.
5. The credential server 108 uses the ID and the master credential 114 to generate a server credential using credential generation logic 116 located at the credential server 108. The resulting server credential is returned to the data server 110 as indicated at 124.
6. The data server 110 compares the application credential with the server credential and if the two match, the application request 120 for data is authenticated and the data server 110 transmits the requested data, as shown at 126.
Thus, because the application credentials may vary for each user, the system operates to authenticate both the user and the application.
FIG. 2 shows a functional block diagram 200 illustrating one embodiment of the device 102, including one embodiment of a credential system that provides application credentials to applications running on the device 102.
The device 102 includes an application/ID signature verifier 202, credential generation logic 206, a master credential 204, an application 210, an application ID 212, and a digital signature 214. The master credential 204 is stored in secure non-volatile memory or other secure logic so that it is protected from erasure and unauthorized disclosure. The signature 214 is created by some application signing service or authority and combines the application 210 with the application ID 212. In one or more embodiments, any type of modification detection technique may be used in place of signature 214.
The application/ID signature verifier 202 detects whether information encoded with the digital signature is modified. It also allows the handset to know in a strong way that the application is indeed the one assigned the specific application ID. For example, by providing the application 210, the ID 212, and the signature 214 to the verifier 202, the verifier 202 may determine whether the application 210 and/or the ID 212 have been changed or modified after the digital signature was created. In one or more embodiments, checker 202 operates through any type of modification detection technique.
The credential generation logic 206 generates a credential based on information received at its input. The generation logic 206 uses a "one-way" technique to generate the credential such that the credential cannot be decoded or reversed to determine the information used to create it.
During operation of an embodiment, the application 210 has an associated application ID 212 and a signature 214. The signature 214 binds the application 210 with the ID 212. The signature may be generated by the application developer or by a third party different from the application developer. The application 210 operates to retrieve data from a data server (e.g., the data server 110 of FIG. 1). However, to retrieve the data, the application 210 needs to obtain an application credential to authenticate to the data server. The following method describes how, in one embodiment, the credential system provides an application credential to the application 210 so that the application 210 can authenticate to a data server, such as the server 110.
FIG. 3 shows one embodiment of a method 300 for operating a credential system to provide application credentials to an application running on a device. For example, the method 300 will be described with reference to the device 102 shown in FIG. 2. Assume that the application 210 is running on the device 102 and that the application 210 requires application credential authentication to a data server to retrieve data.
In block 302, the device operates to determine whether the application 210 and/or its ID 212 have been modified or incorrectly associated. In one embodiment, the application 210, ID 212, and signature 214 are sent to the verifier 202, as shown by path 224. The verifier 202 operates to verify whether the application 210 and/or the ID 212 have been modified using any known technique.
At block 304, the application requests an application credential from the credential system so that the application can authenticate to the data server to retrieve the data. In one embodiment, the application's ID 212 is provided to the credential generation logic 206 as shown by path 216 in a request for an application credential. It should be noted that the application's ID 212, after verification, provides an ID that makes the application non-providable for credentials for other applications.
At block 306, an application credential is generated for the application. In one embodiment, the generation logic 206 generates the application credential 208 using the application ID 212 and the master credential 204. For example, in one embodiment, the generation logic 206 uses a hash function to generate the application credential 208 such that the application credential 208 cannot be decoded or reversed to discover the master credential 204. The application credential 208 is then returned to the application 210 as shown by path 218. Because the application credential 208 is generated using a "one-way" technique, the master credential 204 is not at risk of being discovered or revealed.
At block 308, the application credential is used by the application to authenticate to a data server to retrieve data for the device. For example, the application 210 transmits the credential 208 to the data server in a request for data, as shown by path 220. The request may also include the application's ID 212. For example, the request is transmitted to the data server 110 in FIG. 1. The data server 110 may already have access to the ID of the application and so the device may not need to transmit the ID to the data server.
At block 310, assume that the data request of the application is validated; the requested data is transmitted from the data server to the application 210 as shown by path 222. For example, the data server 110 receives a request from the application 210 and operates to authenticate the application before transmitting the requested data. A more detailed description of the authentication process performed by the data server is provided in another part of this document.
The method 300 is intended to be illustrative and not limiting of the operation of the various embodiments described herein. For example, those skilled in the art will readily appreciate that minor changes, additions or deletions may be made to any of the described methods. Furthermore, the described method steps may be combined, rearranged or reordered without deviating from the scope of the described embodiments.
FIG. 4 shows a functional block diagram 400 of the data server 110, which includes an embodiment of a credential system that validates requests for data received from applications running on a device. For example, the server 110 receives a request for data from the application 210 and the request includes the application credential 208 and the application ID 212. After the server 110 authenticates the request, it provides the requested data to the application 210. The server 110 includes a content server 404, content/data 406, credentials, and matching logic 402.
In one embodiment, the credential matching logic 414 operates to receive and compare application credentials and server credentials. The comparison result 418 is sent to the content server 404. The result 418 will typically be passed when the values of the credentials are equal. The essential difference between the application credential 208 and the server credential 414 is that the former is generated on the end-user device and the latter is generated on the server.
It should be noted that the configuration of the server 110 is only one configuration suitable for implementing an embodiment of the credential system. It is also possible to implement the credential system using other servers or server configurations within the scope of the invention.
FIG. 5 shows an embodiment of a method 500 for operating a data server in a credential system to verify an application credential provided by an application running on a device. For example, the method 500 will be described with reference to the server 110 shown in fig. 4. Assume that the application 210 is running on the device 102 and that the application 210 obtains the application credential 208 from a credential system. The application 210 submits the application credential 208 and the application ID 212 in a request for data to the data server 110.
At block 502, a data server receives a request for data from an application running on a device. The request for data includes the application credential 208 and the application ID 212.
At block 504, the data server requests server credentials from the credential server. For example, the application ID 212 and the authentication token 408 are sent (as shown at 410 and 412) to the credential server in a request for a server credential. For example, a request is transmitted to the credential server 108.
At block 506, a server credential is received from the credential server. For example, the credential server 108 generates the server credential 414 using the application ID 212 and a copy of the master credential 204 stored at the credential server 108. The server credential 414 is generated using the same credential generation techniques used to generate the application credential 208.
At block 508, a test is performed to determine if the server credential 414 matches the application credential 208, thereby verifying the application 210 as a data requestor. For example, matching logic 402 compares the two credentials using any type of matching technique. If the two credentials match, a positive indication is provided at match output 418. As a result, the application's 210 data request is authenticated and the content server 404 operates to transmit content/data 406 to the application 210 to satisfy the application's data request. If the two credentials do not match, a negative indication is provided at match output 418 and content server 404 does not provide any data in response to the data request.
The method 500 is intended to be illustrative and not limiting of the operation of the various embodiments described herein. For example, those skilled in the art will readily appreciate that minor changes, additions or deletions may be made to any of the described methods. Furthermore, the described method steps may be combined, rearranged or reordered without deviating from the scope of the described embodiments.
Fig. 6 shows a functional block diagram 600 of another embodiment of the data server 110, which includes one embodiment of a credential system that verifies requests for data received from applications running on a device. In the embodiment shown in FIG. 6, the server 110 includes a credential forwarder 602 that forwards the ID 212, the authentication token 408, and the application credential 208 (shown at 410, 412, and 604) to the credential server. The credential server generates a server credential and compares the server credential to the application credential 208. If the application credential matches the server credential, the credential server transmits a privilege 606 to the data server 110. The privilege is forwarded (via path 418) to the content server 404, which then operates to transmit the content/data 406 to the requesting application 210. Thus, in the embodiment shown in FIG. 6, the credential server operates to compare the application credential to the server credential, where in the embodiment of FIG. 4, the data server 110 performs this comparison.
FIG. 7 shows one embodiment of the credential server 108 that operates in a credential system to verify an application credential provided to an application running on a device. The credential server 108 includes verification logic 702, master credential 204 and credential generation logic 706.
FIG. 8 shows an embodiment of a method 800 for operating a credential server in a credential system to verify application credentials provided by an application running on a device. For example, the method 800 will be described with reference to the credential server 108 shown in FIG. 7. Assume that the data server 110 has sent a request to the credential server 108 to obtain a server credential that can be matched to the application credential 208. The request for the server credential received by the credential server 108 includes the application ID 212 and the authentication token 408.
At block 802, the credential server 108 receives a request from the data server to obtain a server credential. For example, the data server 110 transmits a request to the credential server 108 to obtain a server credential, and the request includes the application ID 212 and the authentication token 408.
At block 804, the credential server 108 uses the authentication token 408 to authenticate the request at the verification logic 702. This authentication serves to ensure that a request is made for a given application ID 212 from a data server that is allowed to access the server credentials 414 belonging to the application indicated by the application ID 212.
At block 806, after the request is verified, the credential generation logic 706 uses the application ID 212 and the master credential 204 to generate the server credential 414. The credential generation 706 logic will in most embodiments be functionally identical to the logic 206 on the end device 102.
At block 808, the credential server transmits the server credential 414 to the data server (as shown by path 704) so that the data server can use the server credential to authenticate a data request from an application running on a device.
The method 800 is intended to be illustrative, but not limiting, of the operation of various embodiments described herein. For example, it will be apparent to those skilled in the art that minor changes, additions or deletions may be made to any of the described methods. Furthermore, the described method steps may be combined, rearranged or reordered without deviating from the scope of the described embodiments.
FIG. 9 shows a functional block diagram 900 of another embodiment of the credential server 108, which includes an embodiment of a credential system that verifies requests for data received from applications running on a device. In the embodiment shown in FIG. 9, the server 108 receives the application credentials 208 and includes credential matching logic 902.
During operation, the credential generation logic 706 generates the server credential 414, which is then compared to the application credential 208 at the credential matching logic 902. If the application credential 208 matches the server credential 414, the credential server transmits the privilege 606 to the data server 110. Thus, in the embodiment shown in FIG. 9, the credential server 108 operates to compare the application credential 208 with the server credential 414, where in the embodiment of FIG. 7, the data server 110 performs this comparison.
Detailed description of the preferred embodiments
The above-described system includes interconnected functional elements that may be embodied in various implementations. For example, any of the described elements may comprise a CPU, processor, gate array, hardware logic, memory, software, or any combination of hardware and software. Each system further includes logic to execute machine-readable instructions to perform the functions described herein.
In one or more embodiments, machine-readable instructions are stored on a computer-readable medium that interfaces to any described system such that the instructions can be downloaded into the system for execution to perform the functions described. The computer-readable medium includes floppy disks, hard disks, flash memory, RAM, ROM, CDROM, or any other type of computer-readable medium that can contain instructions for execution by the systems described herein.
A credential system is described that includes methods and apparatus to provide credentials to applications running on a device. The system is suitable for use with all types of devices and is particularly suitable for use with wireless devices, such as cell phones, to provide application credentials to applications that need to be authenticated to a data server or other system.
Thus, while one or more embodiments of methods and apparatus for a credential system have been illustrated and described herein, it will be appreciated that various changes can be made to the embodiments without departing from their spirit or essential characteristics. Accordingly, the disclosures and descriptions herein are intended to be illustrative, but not limiting, of the scope of the invention, which is set forth in the following claims.

Claims (45)

1. A method for providing an application credential for an application running on a device, wherein the application credential is used by the application to authenticate to a data server, the method comprising:
receiving a request to generate the application credential, wherein the request includes an application identifier; and generating the application credential using the application identifier and a master credential associated with the device.
2. The method of claim 1 wherein the step of generating the application credential includes a one-way generation technique such that the application identifier and the master credential cannot be discovered from the application credential.
3. The method of claim 1, further comprising using a modification detection and verification technique to determine whether the application or the application identifier has been modified and to prove that the application is associated with the application identifier.
4. The method of claim 3, wherein the modification detection technique is generated by a server distinct from a provider of the application.
5. The method of claim 4, wherein the modification detection technique is a digital signature.
6. The method of claim 1, wherein the apparatus is a wireless apparatus.
7. An apparatus operative to provide an application credential to an application running on the device, wherein the application credential is used by the application to authenticate to a data server, the apparatus comprising:
receiving logic operative to receive a request for the application credential, wherein the request includes an application identifier; and
generating logic operative to generate the application credential using the application identifier and a master credential.
8. The apparatus of claim 7, wherein the generation logic uses a one-way credential generation technique such that the application identifier and the master credential cannot be discovered from the application credential.
9. The device of claim 8, further comprising a modification detection and verification technique operative to determine whether the application or the application identifier has been modified and to prove that the application is associated with the application identifier.
10. The device of claim 9, wherein the modification detection technique is generated by a server different from a provider of the application.
11. The apparatus of claim 10, wherein the modification detection technique is a digital signature.
12. The apparatus of claim 7, wherein the device is a wireless device.
13. An apparatus operative to provide an application credential to an application running on the device, wherein the application credential is used by the application to authenticate to a data server, the apparatus comprising:
means for receiving a request for the application credential, wherein the request comprises an application identifier; and
means for generating the application credential using the application identifier and a master credential.
14. The device of claim 13, further comprising means for generating the application credential using a one-way generation technique such that the application identifier and the master credential cannot be discovered from the application credential.
15. The device of claim 13, further comprising means for using a modification detection and verification technique to determine whether the application or application identifier has been modified and to prove that the application is associated with the application identifier.
16. The device of claim 15, wherein the modification detection technique is generated by a server different from a provider of the application.
17. The device of claim 16, wherein the modification detection technique is a digital signature.
18. A computer-readable medium comprising instructions, which when executed by a processor in an apparatus, provide an application credential to an application running on the apparatus, wherein the application credential is used by the application to authenticate to a data server, the computer-readable medium comprising:
instructions for receiving a request for the application credential, wherein the request includes an application identifier; and
instructions for generating the application credential using the application identifier and a master credential.
19. The computer-readable medium of claim 18, including instructions for using a modification detection and verification technique to determine whether the application or the application identifier has been modified and to prove that the application is associated with the application identifier.
20. The computer-readable medium of claim 19, wherein the modification detection technique is generated by a server that is different from a provider of the application.
21. The computer-readable medium of claim 20, wherein the modification detection technique is a digital signature.
22. The computer-readable medium of claim 18, further comprising instructions for generating the application credential using a one-way generation technique such that the application identifier and the master credential cannot be discovered from the application credential.
23. The computer-readable medium of claim 18, wherein the apparatus is a wireless apparatus.
24. A method for operating a credential server to authenticate an application running on an apparatus, wherein the application transmits a request for data to a data server and the request includes an application credential, the method comprising:
receiving an application identifier in a request for a server credential;
generating the server credential using the application identifier and a master credential; and
transmitting the server credential to the data server, wherein the application is authenticated if the server credential and the application credential match.
25. The method of claim 24, further comprising receiving an authentication token that proves that the request is associated with the application identifier.
26. The method of claim 24, further comprising:
receiving the application credential;
comparing the application credential to the server credential; and
transmitting a privilege to the data server to satisfy the data request if the application credential matches the server credential.
27. The method of claim 24 wherein the generating step comprises generating the server credential using a one-way generation technique such that the application identifier and the master credential cannot be discovered from the server credential.
28. An apparatus for use with a credential server to authenticate an application running on a device, wherein the application transmits a request for data to a data server and the request includes an application credential, the apparatus comprising:
first receiving logic operative to receive an application identifier in a request for a server credential;
generating logic operative to generate the server credential based on the application identifier and a master credential; and
transmission logic operative to transmit the server credential to the data server, wherein the data server compares the server credential to the application credential to authenticate the application.
29. The device of claim 28, further comprising receiving an authentication token that proves that the request is associated with the application identifier.
30. The device of claim 28, wherein the generation logic comprises logic to generate the server credential using a one-way generation technique such that the application identifier and the master credential cannot be discovered from the server credential.
31. The device of claim 28, further comprising:
second receiving logic operative to receive the application credential; and
matching logic that operates to compare the application credential to the server credential and transmit a privilege to the data server to satisfy the data request if the application credential matches the server credential.
32. An apparatus for use with a credential server to authenticate an application running on a device, wherein the application transmits a request for data to a data server and the request includes an application credential, the apparatus comprising:
means for receiving an application identifier in a request for a server credential;
means for generating the server credential based on the application identifier and a master credential; and
means for transmitting the server credential to the data server, wherein the data server compares the server credential to the application credential to authenticate the application.
33. The device of claim 32, further comprising receiving an authentication token that proves that the request is associated with the application identifier.
34. The device of claim 32, wherein the means for generating comprises means for generating the server credential using a one-way generation technique such that the application identifier and the master credential cannot be discovered from the server credential.
35. The device of claim 32, further comprising:
means for receiving the application credential; and
means for comparing the application credential to the server credential; and
means for transmitting a privilege to the data server to satisfy the data request if the application credential matches the server credential.
36. A computer-readable medium comprising instructions, which when executed by a processor in a credential server, operate to authenticate an application running on a device, wherein the application transmits a request for data to a data server and the request comprises an application credential, the computer-readable medium comprising:
instructions for receiving the application identifier in a request for a server credential;
instructions for generating the server credential based on the application identifier and a master credential; and
instructions for transmitting the server credential to the data server, wherein the data server compares the server credential to the application credential to authenticate the application.
37. The computer-readable medium of claim 36, further comprising receiving an authentication token that proves that the request is associated with the application identifier.
38. The computer-readable medium of claim 36, wherein the instructions for generating comprise instructions for generating the server credential using a one-way generation technique such that the application identifier and the master credential cannot be discovered from the server credential.
39. The computer-readable medium of claim 36, further comprising:
instructions for receiving the application credential; and
instructions for comparing the application credential to the server credential; and
instructions for transmitting a privilege to the data server to satisfy the data request if the application credential matches the server credential.
40. A method for processing an application credential associated with an application running on a device, wherein the application credential is used by the application to authenticate to a data server, the method comprising:
receiving a request to generate the application credential, wherein the request includes an application identifier;
generating the application credential using the application identifier and a master credential;
transmitting a request for data to a data server, wherein the request includes the application credential;
requesting a server credential from a credential server, wherein the request for the server credential includes the application identifier and a token by which the data server authenticates itself;
generating the server credential using the application identifier and the master credential;
transmitting the server credential to the data server;
comparing the server credential to the application credential, wherein the application is authenticated if the two credentials match; and
transmitting the data to the application.
41. The method of claim 40 wherein the application credential and the server credential are generated using a one-way generation technique such that the application identifier and the master credential cannot be discovered.
42. The method of claim 40, further comprising using a modification and verification technique to determine whether the application identifier has been modified and to prove that the application is associated with the application identifier.
43. The method of claim 42, wherein the modification detection technique is a digital signature.
44. The method of claim 40, further comprising receiving an authentication token at the credential server that proves that the request is associated with the application identifier.
45. The method of claim 40, wherein the apparatus is a wireless apparatus.
HK07103346.8A 2003-10-29 2004-10-28 Methods and apparatus for providing application credentials HK1097669A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US10/697,397 2003-10-29

Publications (1)

Publication Number Publication Date
HK1097669A true HK1097669A (en) 2007-06-29

Family

ID=

Similar Documents

Publication Publication Date Title
CN1875564A (en) Method and apparatus for providing application credentials
CN1409836A (en) Computer system for application by accreditation access
CN1879071A (en) Method and system for the authentication of a user of a data processing system
CN1722658A (en) Effective and secure authentication of computer systems
CN1645288A (en) Ensuring that a software update may be installed or run only on a specific device or class of devices
CN1659495A (en) Validation of inclusion of a platform within a data center
CN1823513A (en) Method and system for stepping up to certificate-based authentication without breaking an existing ssl session
CN1922845A (en) Token authentication system and method
CN1679066A (en) Network attached encryption
CN101065716A (en) Method and device for verifying the integrity of platform software of an electronic device
CN111355726A (en) Identity authorization login method and device, electronic equipment and storage medium
CN108880822A (en) A kind of identity identifying method, device, system and a kind of intelligent wireless device
CN111404859A (en) A client authentication method, apparatus and computer-readable storage medium
CN1929381A (en) Network based software protection method
CN1833459A (en) Method and apparatus for initiating content provider authentication
CN116248351A (en) Resource access method, device, electronic device and storage medium
WO2004079483A2 (en) Method and apparatus for authorizing execution for applications in a data processing system
CN111723347B (en) Identity authentication method, identity authentication device, electronic equipment and storage medium
CN100342383C (en) System and method for generating a secure state indicator on a display
CN1822541A (en) Device and method for controlling computer login
HK1097669A (en) Methods and apparatus for providing application credentials
CN1780209A (en) Internet safety verification
CN101080695A (en) Method and device for permitting secure use of program modules
CN118646594B (en) A smart parking management platform authentication method and system
CN1705265A (en) Authentication with credentials in JAVA messaging service