[go: up one dir, main page]

WO2019160545A1 - A service entity - Google Patents

A service entity Download PDF

Info

Publication number
WO2019160545A1
WO2019160545A1 PCT/US2018/018197 US2018018197W WO2019160545A1 WO 2019160545 A1 WO2019160545 A1 WO 2019160545A1 US 2018018197 W US2018018197 W US 2018018197W WO 2019160545 A1 WO2019160545 A1 WO 2019160545A1
Authority
WO
WIPO (PCT)
Prior art keywords
service
service entity
application
root certificate
entity
Prior art date
Application number
PCT/US2018/018197
Other languages
French (fr)
Inventor
Surender PANUGANTI
Original Assignee
Hewlett-Packard Development Company, L.P.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hewlett-Packard Development Company, L.P. filed Critical Hewlett-Packard Development Company, L.P.
Priority to US16/498,984 priority Critical patent/US11366914B2/en
Priority to PCT/US2018/018197 priority patent/WO2019160545A1/en
Publication of WO2019160545A1 publication Critical patent/WO2019160545A1/en

Links

Classifications

    • HELECTRICITY
    • H01ELECTRIC ELEMENTS
    • H01RELECTRICALLY-CONDUCTIVE CONNECTIONS; STRUCTURAL ASSOCIATIONS OF A PLURALITY OF MUTUALLY-INSULATED ELECTRICAL CONNECTING ELEMENTS; COUPLING DEVICES; CURRENT COLLECTORS
    • H01R13/00Details of coupling devices of the kinds covered by groups H01R12/70 or H01R24/00 - H01R33/00
    • H01R13/02Contact members
    • H01R13/15Pins, blades or sockets having separate spring member for producing or increasing contact pressure
    • H01R13/18Pins, blades or sockets having separate spring member for producing or increasing contact pressure with the spring member surrounding the socket
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • HELECTRICITY
    • H01ELECTRIC ELEMENTS
    • H01RELECTRICALLY-CONDUCTIVE CONNECTIONS; STRUCTURAL ASSOCIATIONS OF A PLURALITY OF MUTUALLY-INSULATED ELECTRICAL CONNECTING ELEMENTS; COUPLING DEVICES; CURRENT COLLECTORS
    • H01R13/00Details of coupling devices of the kinds covered by groups H01R12/70 or H01R24/00 - H01R33/00
    • H01R13/02Contact members
    • H01R13/15Pins, blades or sockets having separate spring member for producing or increasing contact pressure
    • H01R13/17Pins, blades or sockets having separate spring member for producing or increasing contact pressure with spring member on the pin
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H01ELECTRIC ELEMENTS
    • H01RELECTRICALLY-CONDUCTIVE CONNECTIONS; STRUCTURAL ASSOCIATIONS OF A PLURALITY OF MUTUALLY-INSULATED ELECTRICAL CONNECTING ELEMENTS; COUPLING DEVICES; CURRENT COLLECTORS
    • H01R13/00Details of coupling devices of the kinds covered by groups H01R12/70 or H01R24/00 - H01R33/00
    • H01R13/02Contact members
    • H01R13/10Sockets for co-operation with pins or blades
    • H01R13/11Resilient sockets
    • HELECTRICITY
    • H01ELECTRIC ELEMENTS
    • H01RELECTRICALLY-CONDUCTIVE CONNECTIONS; STRUCTURAL ASSOCIATIONS OF A PLURALITY OF MUTUALLY-INSULATED ELECTRICAL CONNECTING ELEMENTS; COUPLING DEVICES; CURRENT COLLECTORS
    • H01R13/00Details of coupling devices of the kinds covered by groups H01R12/70 or H01R24/00 - H01R33/00
    • H01R13/02Contact members
    • H01R13/193Means for increasing contact pressure at the end of engagement of coupling part, e.g. zero insertion force or no friction

Definitions

  • a computing device may be installed with one or more applications. Such applications may be used for performing a variety of functions. While using such computing devices, the applications may utilize services being offered by other devices, which are referred to as service entities. Examples of such a service entity includes, but is not limited to, a print device which provides printing as a service. In certain cases, not ail applications may be permitted or authorized for availing the services being offered by the service entity. Various mechanisms may be implemented for controlling which applications are permitted and which are not permitted from using such services.
  • FIG. 1 is a diagram of an example service entity to authenticate applications to allow access to a service being offered;
  • FIG.2 is a diagram of another example service entity to authenticate applications to allow access to a service being offered;
  • FIG. 3 depicts a flow diagram depicting various stages of application registration to authenticate applications to allow access to a service, as per an example
  • FIG. 4 depicts a flow diagram depicting communication between a client device and a service entity to authenticate applications to allow access to a service being offered by a service entity, as per an example;
  • FIG.5 depicts an example method for authenticating applications to allow access to a service being offered by a service entity
  • FIG. 6 depicts another example method for authenticating app!ications to allow access to a service being offered by a service entity
  • FIG, 7 is a block diagram of an example system implementing a non-transitory computer-readable medium, to authenticate applications to allow access to a service being offered by a service entity.
  • Any client computing device may be installed wHh one or more applications.
  • such applications may seek to utilize services by connecting with an appropriate service entity.
  • a service entity refers to any device offering a service.
  • An example of such a service entity includes, but is not limited to, a print device with the service being a print service.
  • client computing devices also referred to as client devices
  • the access of services by applications may be controlled.
  • a network administrator may allow or whitelist selected applications installed on a client device.
  • whitelisted applications may be permitted to access and avail services from a service entity, for example, print services from print devices. In this manner, the whitelisted or permitted applications may access the service offered by the service entity to the exclusion of other applications, which would be unable to access such services.
  • a variety of approaches are generally utilized for allowing such applications to access and avail the services offered by the service entity. For instance, to authenticate any application, a message from the application may have to hashed and digitally signed for accessing the resource. The message may then be verified at the service entity based on the digital signature to permit the application to use the service. As would be generally known, before such a message exchange is affected, a handshake session is implemented. During such a handshake session all information required by the client device and the service entity to eventually exchange application data is shared.
  • the approaches as described may involve an initial registration phase.
  • an application developer at the time of developing an application may create a private-public key pair.
  • the public key may be submitted to a registering authority.
  • the registration involves creating a self-signed root certificate for the application being developed.
  • the root certificate may specify an application identifier, uniquely identifying an application.
  • a client certificate for the public key is issued.
  • the client certificate is further signed by the root certificate created for the application being developed.
  • the application may be considered as registered.
  • the application Once the application is ready for distribution, the application may be uploaded onto an application repository along with the client certificate and the root certificate.
  • a user intending to install the application may download the same from the application repository. Therefore, the client certificate is available with the client device, when the application is installed thereupon.
  • the application repository may be an application store for distributing the application to one or more user.
  • an administrator may intend to control applications that may utilize services of a service entity.
  • the administrator may obtain the root certificate corresponding to an application which is to be controlled.
  • the root certificate may be subsequently retrieved from the application repository and imported into the service entity.
  • a setting pertaining to client authentication may be enabled at the service entity.
  • an application installed on a client device may request for a service from a service entity over a handshake session which adheres to a security protocol.
  • a handshake session may be considered as a session during which exchange of information required by the client device and the service entity to eventually exchange application data occurs,
  • the security protocol may include one of Transport Layer Security (TLS) and Secure Sockets Layer (SSL), and the session may be a TLS or SSL handshake session.
  • the service entity may request a client certificate, which is available along with the installed application on the client device.
  • the client certificate had been initially signed by the root certificate created for the application which is to be authenticated.
  • the service entity on receiving the client certificate may obtain the information pertaining to the root certificate.
  • the service entity may then determine whether the corresponding root certificate is installed therein. If the root certificate of the present application is available on the service entity, the service request is processed and allowed. If the root certificate is not available on the service entity, the service request is denied and a corresponding indication may be communicated to the user.
  • the process for authenticating the application which may be permitted to avail and access the service is performed during the handshake session (such as the TLS handshake session). Therefore, any additional handshake sessions or authentication at application layer may not be performed. Moreover, any security vulnerability reported in future may be fixed as part of the security protocol update, and no modification may be required at application level.
  • FIG. 1 illustrates an example service entity 102 for authenticating applications to allow access to a service being offered by it.
  • the service entity 102 may be considered as any processor enable device which performs one or more functions (i.e., services) in response to requests from one or more applications that may be installed on client device(s) 104.
  • An example of such a service entity 102 may include a print device. Such a print device may provide a service involving printing content on a print media in response to one or more requests or commands from client device(s) 104.
  • the service entity 102 and client device(s) 104 may be in communication with each other through a computing network 106.
  • the client device(s) 104 may further include applications) 110 installed therein.
  • the appiication(s) 110 may communicate with the service entity 102 for availing services being rendered by the service entity 102.
  • the service entity 102 may further include service engine(s) 108.
  • the service engine(s) 108 authenticates application ⁇ ) 110 to allow access to a service being offered by the service entity 102; As would be explained in the foregoing description, only requests from application(s) 110 which have been authenticated, may be processed. As a result of the authentication, only few or all the application(s) 110 installed on the client devices to avail and access the services being offered by the service entity 102.
  • the authentication is based on a root certificate 112 which is installed within the service entity 102.
  • Users of client device(s) 104 may, through appiication(s) 110 installed on the client device(s) 104, request for a service from the service entity 102.
  • a handshake session may be implemented.
  • Such a handshake session may adhere to a security protocol, such as Transport Layer Security (TLS) and Secure Sockets Layer (SSL).
  • TLS Transport Layer Security
  • SSL Secure Sockets Layer
  • the security protocol may include one of Transport Layer Security (TLS) and Secure Sockets Layer (SSL), and the session may be a TLS/SSL handshake session.
  • the service entity 102 may receive a request from application ⁇ ) 110 installed on the client device(s) 104.
  • the service engine(s) 108 may process the request during the handshake session and determine whether a corresponding root certificate 112 is installed on the service entity 102. If the service engine(s) 108 determines that the root certificate 112 is installed on the service entity 102, the request is allowed, and the service entity 102 provides the service in response to such request. Conversely, if the service engine(s) 108 determines that a corresponding root certificate 112 is not present in the service entity 102, the request for availing and accessing the service is denied. Accordingly, an appropriate indication may be provided to the user of the client devices) 104.
  • the authentication of the appiication(s) 110 is carried out during the handshake session at a security protocol layer. Consequently, no changes may be made at the underlying application layer or in the applications themselves. Furthermore, no additional authentications may be implemented over and above the handshake session.
  • FIG. 2 illustrates an example service entity 102 to authenticate applications to allow access to a service being offered by the service entity 102.
  • the service entity 102 may be implemented as a standalone computing system ft a device communicatively connected through a network to other devices.
  • the service entity 102 includes interface(s) 202 and memory 204.
  • the interface(s) 202 may include a variety of interfaces, for example, interfaces for data input and output devices, referred to as I/O devices, storage devices, network devices, and the like.
  • the interface(s) 202 facilitate communication between the service entity 102 and various computing devices connected in a networked environment in one example, the interface(s) 202 may provide an interface for communication between the service entity 102 and the client device(s) 104 (as depicted in FIG 1).
  • the memory 204 may store one or more computer-readable instructions, which may be fetched and executed to authenticate applications to allow access to a service being offered by a service entity.
  • the memory 204 may include any non-transitory computer-readable medium including, for example, volatile memory such as RAM, or nonvolatile memory such as EPROM, flash memory, and the like.
  • the service entity 102 further includes engine(s) 206 and data 208:
  • the engine(s) 206 may be implemented as a combination of hardware and programming (for example, programmable instructions) to implement one or more functionalities of the engine(s) 206.
  • programming for the engine(s) 206 may be processor executable instructions stored on a non-transitory machine-readable storage medium and the hardware for the engine(s) 206 may include a processing resource (for example, one or more processors), to execute such instructions.
  • the machine-readable storage medium may store instructions that, when executed by the processing resource, implement engtne(s) 206.
  • the service entity 102 may include the machine-readable storage medium storing the instructions and the processing resource to execute the instructions, or the machine-readable storage medium may be separate but accessible to service entity 102 and the processing resource.
  • engine(s) 206 may be implemented by electronic circuitry.
  • the data 208 includes data that is either stored or generated as a result of the functionalities implemented by any of the engine(s) 206.
  • the engine(s) 206 include the service engthe(S) 108, dommunlcatlOil engine ⁇ 210 and other engine(s) 212.
  • the other engine(s) 212 may implement functionalities that supplement applications or functions performed by the service entity 102 or engine(s) 206.
  • the data 208 may include root certificate ⁇ ) 112, protocol data 214, and other data 216.
  • FIGS. 3-4 illustrate various steps preceding the authentication of applications to allow access to the services being offered by the service entity 102.
  • FIG. 3 illustrates various steps and entities which may be involved in registering applications for implementing the present subject matter.
  • FIG. 3 depicts various steps involving a registration server 302, an application developer 304, an application store 306, an administrator 308 and the service entity 102.
  • an application may be in the process of being developed by an application developer 304. Initially, the application developer 304 may generate a public- private key pair. Thereafter, the application developer 304 may submit the public key to a registration server 302 as part of the registration process (step 310). The registration server 302 on receiving the public key generates a serf-signed root certificate for the application being developed.
  • the application may be any one (or more) of the application(s) 110.
  • the registration server 302 generates a root certificate(s) 112.
  • the root certificate ⁇ ) 112 corresponds to the application(s) 110 being developed and may specify an application identifier, uniquely identifying the application(s) 110.
  • the root certificate(s) 112 may be generated by a certifying authority issuing digital certificates.
  • the registration server 302 may further generate a client certificate ⁇ ) 312 tor the public key that was submitted by the application developer 304 signed by the root certificate ⁇ ) 112.
  • the root certificate ⁇ ) 112 and the client certificate ⁇ ) 312 are communicated to the application developer 304 (step 314).
  • the application developer 304 may proceed and develop the applicatbn(s) 110 using the client certificate ⁇ ) 312.
  • the applications) 110 once developed may be communicated and uploaded onto the application store 306 along with the root certtficate(s) 112 and the client certificate ⁇ ) 312 (step 316).
  • the application store 306 may be considered as a digital repository for storing machine-readable and executable files, and data corresponding to one or more applicatioh(s) 110.
  • the application store 306 may be accessible through a communication network (not shown in FIG. 3). In an example, any user may access the application store 306 to download the desired appiication(s) 110.
  • the application ⁇ ) 110 Is accompanied with the client certificate(s) 312.
  • an administrator 308 may wish to restrict and control applications which may avail and access services being provided by the service entity 102 (step 318).
  • the administrator 308 may request the application store 306 to provide the root certiffcate(s) 112 for the application which is to be controlled.
  • the request communicated to the application store 306 may specify the name or any other identifier of the application which is to be controlled.
  • the administrator 308 receives the root certificate(s) 112 (step 320).
  • the root certificate ⁇ ) 112 obtained by the administrator 308 is subsequently imported or installed into the service entity 102 (step 322).
  • the administrator 308 may enable client authentication.
  • the client authentication may allow the service entity 102 to authenticate the client device(s) 104 in case any request for availing the services is received, as per the applicable security protocol.
  • FIG. 4 depicts interactions between the service entity 102 and the client device(s) 104.
  • the service entity 102 is installed with the root certificate ⁇ ) 112.
  • the service engine(s) 108 of the service entity 102 may be monitoring tor incoming requests for accessing and availing service which are being offered.
  • the client device(s) 104 may send a request for accessing and availing the service being provided by the service entity 102 (step 402).
  • the communication engine(s) 210 of the service entity 102 initiates a handshake session with the client devtce(s) 104 (step 404).
  • an application installed oh a client device may request for a service from a service entity over a handshake session which adheres to a security protocol.
  • a handshake session may be considered as a session during which exchange of information utilized by the client device(s) 104 and the service entity 102 to eventually exchange application data occurs.
  • the security protocol may be one of Transport Layer Security (TLS) and Secure Sockets Layer (SSL), and the session may be a US/SSL handshake session.
  • TLS Transport Layer Security
  • SSL Secure Sockets Layer
  • FIG. 4 the communication and exchanges between the service entity 102 and the client device(s) 104, are depicted in dotted line for sake of illustration.
  • the handshake session may be initiated based on information stored in protocol data 214.
  • the service entity 102 may request the client device ⁇ s) 104 for client certificate® 312 (step 406).
  • the client certificate® 312 is signed by the root certificate ⁇ ) 112.
  • the client certificate® 312 is received by the service entity 102 and processed by the service engine(s) 108 (step 408).
  • the service engine(s) 108 on processing the client certificate® 312 determines information pertaining to the root certificate® 112 which may have been used to sign. Once such information pertaining to the root certificate(s) 112 is determined, the service engine® 108 may further determine whether a corresponding root certificate(s) 112 is installed within the service entity 102 (block 410).
  • the service engine(s) 108 may compare the information gathered from the client certificate® 312 to information indicating whether any root certificate is installed within the service entity 102. On determining that a corresponding root certificate® 112 is installed within the service entity 102, the service engine(s) 108 may process the service request received from the client devices) 104, and allow the client device(s) 104 to access and avail the service being offered. If, however, the service engine(s) 108 determines that no corresponding root certificate(s) 112 is present in the service entity 102, the request for accessing and availing the requested is service is not processed, and hence, denied (step 412). Once the applications) 110 is authenticated further communication may be accordingly affected.
  • the authentication of the applications) 110 for availing and accessing the services being offered by the service entity 102 is implemented during the handshake session, in one example, the handshake session may be carried out over the TLS security protocol, which in turn may be implemented in a session layer of the Open Systems Interconnection model (OS! model).
  • OS! model Open Systems Interconnection model
  • the present approaches may also be implemented to subsequently control one or more application ⁇ ) 110 which were previously authenticated, from accessing and availing services being offered by the service entity 102.
  • the administrator 308 may, at a later stage, delete root certificate ⁇ ) 112 installed within the service entity 102. in such a case, subsequent request for services would not be processed owing to the absence of the root certificate ⁇ ) 112.
  • FIGS. 5-6 illustrate example methods 500 and 600, respectively, for authenticating applications to allow access to a service being offered by a service entity.
  • the order in which the methods are described is not intended to be construed as a limitation, and any number of the described method blocks may be combined in any order to implement the methods, or an alternative method.
  • methods 500 and 600 may be implemented by processing resource or computing device(s) through any suitable hardware, non-transitory machine readable instructions, or combination thereof.
  • methods 500 and 600 may be performed by programmed computing devices, such as service entity 102 as depicted in FIGS. 1-4. Furthermore, the methods 500 and 600 may be executed based on instructions stored in a non-transitory computer readable medium, as will be readily understood.
  • the non-transitory computer readable medium may include, tor example, digital memories, magnetic storage media, such as one or more magnetic disks and magnetic tapes, hard drives, or optically readable digital data storage media.
  • the methods 500 and 600 are described below with reference to service entity 102 as described above; other suitable systems for the execution of these methods may also be utilized. Additionaly, implementation of these methods is not limited to such examples.
  • a service entity obtains a root certificate from a source repository.
  • the application is to request a service being provided by the service entity.
  • the root certificate corresponds to the application installed on a client device.
  • die service entity 102 may be installed with root certificate ⁇ ) 112 corresponding to a certain appiication(s) 110.
  • the root certificates) 112 may have been installed either manually or may have been configured automatically, in one example, the root certrfleale(s) 112 corresponds to the appficatiofi(s) 110 being developed and may specify an application identifier, uniquely identifying the application(s ⁇ 110.
  • a command to enable client authentication on the service entity may be received.
  • the client authentication is based on the root certificate.
  • the service entity 102 may be configured by ah administrator, such as the administrator 308, and is subsequently imported or installed into the service entity 102.
  • incoming requests from the application over a handshake session adhering to a security protocol are monitored.
  • the service engine(s) 108 of the service entity 102 may be monitoring for incoming requests for accessing and availing service which are being offered.
  • the client device(s) 104 may send a request for accessing and availing the service being provided by the service entity 102.
  • the incoming request is authenticated based on the root certificate.
  • the communication engine(s) 210 of the service entity 102 initiates a handshake session with the client device(s) 104.
  • the service engine(s) 108 may process the request during the handshake session and determine whether a corresponding root certificate 112 in installed on the service entity 102. If the service engine(s) 108 determines that the root certificate 112 is installed on the service entity 102, the request is allowed, and the service entity 102 provides the service in response to such request. Conversely, if the service engine(s) 108 determines that a corresponding root certificate 112 is not present in the service entity 102, the request for availing and accessing the service is denied.
  • FIG. 6 provides another example method for metering storage usage within a storage volume.
  • a service request from an application installed on a Client device is received by a service entity.
  • application ⁇ ) 110 installed on client device(s) 104 on intending to avail services from the service entity 102 may communicate a request to the service entity 102.
  • a service entity 102 may be any device which is configured to provide services, such as a print service, in response to commands or requests from applications) 110 installed on client device(s) 104.
  • An example of such a client device(s) 104 includes, but is not limited to, a handheld device like mobile phone.
  • a handshake session with the client device based on protocol data ⁇ nespottding to the security protcx ⁇ ) being implemented is initialized.
  • the communication engine(s) 210 of the service entity 102 initiates a handshake session with the client device(s) 104 based on protocol data 214.
  • the handshake session in turn may adhere to a security protocol.
  • a handshake session may be considered as a session during which exchange of information utilized by the client device(s) 104 and the service entity 102 to eventually exchange application data occurs.
  • the security protocol may be one of Transport Layer Security (TLS) and Secure Sockets Layer (SSL), and the session may be a TLS/SSL handshake session.
  • a client certificate from the client device is requested during the handshake session.
  • the service engine(s) 108 within the service entity 102 may request the client device(s) 104 for client certificate(s) 312.
  • the client certificate ⁇ ) 312 as discussed previously, is signed by the root certificate(s) 112.
  • information from the client certificate pertaining to a root certificate is obtained.
  • the service engine(s) 108 may process the client certificate ⁇ ) 312 received from the client device ⁇ s) 104.
  • the client certificate(s) 312 is such that it had been signed using the root certiflcate(s) 112 at the time of registering any application, such as applications) 110.
  • the information indicating the root certificate(s) 112 which has signed the client certificates) 312 is determined.
  • the service engine(s) 108 may further determine whether a corresponding root certificate(s) 112 is installed within the service entity 102.
  • the information pertaining to the root certificate ⁇ s) 112 installed within the service entity 102 may be available in other data 216.
  • the service request from the application installed on the client device is authenticated.
  • the application may utilize the service being offered by the service entity.
  • the service engine(s) 108 may determine whether a root certificate corresponding to the application from which is the service request is received, is present. On determining that the root ceftificate(s) 112 is present in the service entity 102, the service engine(s) 108 may process the service request and allow the application(s) 110 to avail services from the service entity 102, in case the root certificate($) 112 is not installed, the service engine(s) 108 may deny the request for availing the service offered by the service entity 102.
  • FIG. 7 illustrates a system environment 700 to authenticate applications to allow access to a service being offered, according to an example of the present disclosure.
  • the system environment 700 may comprise at least a portion of a public networking environment or a private networking environment, or a combination thereof.
  • the system environment 700 includes a processing resource 702 communicatively coupled to a computer readable medium 704 through a communication link 706.
  • the processing resource 702 can include one or more processors of a computing device.
  • the computer readable medium 704 may be, for example, an internal memory device of the computing device or an external memory device, in one implementation, the communication (ink 706 may be a direct communication link, such as any memory read/write interface. In another implementation, the communication link 706 may be an indirect communication link, such as a network interface. In such a case, the processing resource 702 can access the computer readable medium 704 through a network 708.
  • the network 708 may be a single network or a combination of multiple networks and may use a variety of different communication protocols.
  • the processing resource 702 and the computer readable medium 704 may also be coupled to data sources 710 through the communication link 706, and/or to communication devices 712 over the network 708.
  • the coupling with the data sources 710 enables in receiving the data in an offline environment
  • the coupling with the communication devices 712 enables in receiving the data in an online environment.
  • the computer readable medium 704 includes a set of computer readable instructions, implementing a service module(s) 714.
  • the service module(s) 714 may be implemented within service entity 102.
  • the instructions implementing service modute(s) 714 may, in one example, be executable code for authenticating applications to allow access to a service being offered.
  • the set of computer readable instructions within medium 704 may be accessed by the processing resource 702 through the communication link 706 and subsequently executed to process data communicate with the data sources 710 for affecting the approaches as discussed previously.
  • a root certificate ⁇ ) 112 may be received.
  • the service module(s) 714 may obtain the root certificate ⁇ ) 112 thus obtained and import it into the service entity 102.
  • the root certificate ⁇ ) 112 is such that it identifies and corresponds to a specific application, such as one of the application ⁇ ) 110.
  • the applicatton(s) 110 in turn are those applications installed on client device(s) 104 which may have to be authenticated so that they may avail the services being offered by the service entity(s) 102.
  • the root certificate(s) 112 may subsequently be installed by the service module(s) 714. Once the root certificate(s) 112 is installed, the service modules) 714 may further enable client authentication on the service entity 102 to be performed in the event of receiving a request for providing service from any of the client device(s) 104.
  • the service module(s) 714 may monitor incoming requests for services from application(s) 110 installed on the client device(s) 104.
  • the communication engine(s) 210 of the service module(s) 714 initiates a handshake session with the client device(s) 104.
  • a handshake session may be considered as a session during which exchange of information utilized by the client device(s) 104 and the service entity 102 to eventually exchange application data occurs.
  • the security protocol may be one of Transport Layer Security (TLS) and Secure Sockets Layer (SSL), and the session may be a TLS/SSL handshake session.
  • the service module(s) 714 may request the client device(s) 104 for client certificate ⁇ ) 312 corresponding to the application requesting access to the services.
  • the service module(s) 714 on processing the client certificate(s) 312 determines information pertaining to the root certificates) 112 which may have been used to sign. Once such information pertaining to the root certificate(s) 112 is determined, the service modu!e(s) 714 may further determine whether a corresponding root certificate(s) 112 is installed within the service modu!e(s) 714 (block 410).
  • the service moduie(s) 714 may compare the information gathered from the client certificate ⁇ ) 312 to information indicating whether any root certificate is installed within the service entity 102. On determining that a corresponding root certificate(s) 112 is installed within the service entity 102, the service modules) 714 may process the service request received from the client device(s) 104, and allow the client device(s) 104 to access and avail the service being offered. If, however, the service moduie(s) 714 determines that no corresponding root certificate ⁇ s) 112 is present, the request tor accessing and availing the requested service is not processed, and hence, denied. Once the applications) 110 is authenticated, further communication may be accordingly affected.
  • the authentication of the purseication(s) 110 for availing and accessing the services being offered by the service module(s) 714 is implemented during the handshake session.
  • the handshake session may be carried out over the TLS security protocol, which in turn may be implemented in a session layer of the Open Systems Interconnection model (OSi model).
  • OSi model Open Systems Interconnection model

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer And Data Communications (AREA)

Abstract

Examples for authenticating applications to allow access to a service being offered by a service entity, are described. In one example, a request from an application for accessing services is received over a handshake session adhering to a security protocol. It is determined whether a root certificate corresponding to the application is installed in the service entity. Based on the determination, the request is authenticated to allow access to the services. The authenticating is performed in the handshake session.

Description

A SERVICE ENTITY
BACKGROUND
(0001] Generally, a computing device may be installed with one or more applications. Such applications may be used for performing a variety of functions. While using such computing devices, the applications may utilize services being offered by other devices, which are referred to as service entities. Examples of such a service entity includes, but is not limited to, a print device which provides printing as a service. In certain cases, not ail applications may be permitted or authorized for availing the services being offered by the service entity. Various mechanisms may be implemented for controlling which applications are permitted and which are not permitted from using such services.
BRIEF DESCWPTIOH OF THE DRAWINGS
[00021 The following detailed description references the drawings, wherein:
{0003] FIG. 1 is a diagram of an example service entity to authenticate applications to allow access to a service being offered;
{0004] FIG.2 is a diagram of another example service entity to authenticate applications to allow access to a service being offered;
(0005] FIG. 3 depicts a flow diagram depicting various stages of application registration to authenticate applications to allow access to a service, as per an example;
[0000] FIG. 4 depicts a flow diagram depicting communication between a client device and a service entity to authenticate applications to allow access to a service being offered by a service entity, as per an example;
[0007] FIG.5 depicts an example method for authenticating applications to allow access to a service being offered by a service entity;
[0008] FIG. 6 depicts another example method for authenticating app!ications to allow access to a service being offered by a service entity; and
{0009] FIG, 7 is a block diagram of an example system implementing a non-transitory computer-readable medium, to authenticate applications to allow access to a service being offered by a service entity. DETAILED DESCRIPTION
fOOiOj Any client computing device may be installed wHh one or more applications. Within a computing network, such applications may seek to utilize services by connecting with an appropriate service entity. At present, owing to rapid increase of mobile devices, such as smartphones, and tablets, there has also been a rapid Increase in the number of applications which may be regularly used by users, of which some may attempt to access and avail the services being offered by a service entity. A service entity refers to any device offering a service. An example of such a service entity includes, but is not limited to, a print device with the service being a print service.
(0011] For client computing devices (also referred to as client devices) which are present within an organization, the access of services by applications may be controlled. For example, a network administrator may allow or whitelist selected applications installed on a client device. Such whitelisted applications may be permitted to access and avail services from a service entity, for example, print services from print devices. In this manner, the whitelisted or permitted applications may access the service offered by the service entity to the exclusion of other applications, which would be unable to access such services.
{0012] A variety of approaches are generally utilized for allowing such applications to access and avail the services offered by the service entity. For instance, to authenticate any application, a message from the application may have to hashed and digitally signed for accessing the resource. The message may then be verified at the service entity based on the digital signature to permit the application to use the service. As would be generally known, before such a message exchange is affected, a handshake session is implemented. During such a handshake session all information required by the client device and the service entity to eventually exchange application data is shared.
[0013] In addition to authentication performed during a handshake session, other exchanges for negotiating on techniques to be used for signing the messages may have to be still performed, since the client device and the resource may not always use the same techniques for signing such messages. These approaches may involve multiple hashing and digital signature generations and corresponding communication exchanges. Such mechanisms for permitting applications to access services are often complex, may involve multiple steps, are resource intensive, and cumbersome. [0014] Approaches to authenticate applications installed on a client device to allow access to a service being offered by a service entity, are described. Such authentication is implemented during a handshake session corresponding to a security protocol. In one example, the application may be authenticated based on a root certificate issued by a certifying authority.
[0015] The approaches as described may involve an initial registration phase. During registration, an application developer, at the time of developing an application may create a private-public key pair. For registering the application, the public key may be submitted to a registering authority. In one example, the registration involves creating a self-signed root certificate for the application being developed. The root certificate may specify an application identifier, uniquely identifying an application. Once the root certificate is generated, a client certificate for the public key is issued. The client certificate is further signed by the root certificate created for the application being developed. At this stage, the application may be considered as registered. Once the application is ready for distribution, the application may be uploaded onto an application repository along with the client certificate and the root certificate. A user intending to install the application, may download the same from the application repository. Therefore, the client certificate is available with the client device, when the application is installed thereupon. In one example, the application repository may be an application store for distributing the application to one or more user.
[9016] At later stages, it may be the case that an administrator may intend to control applications that may utilize services of a service entity. To this end, the administrator may obtain the root certificate corresponding to an application which is to be controlled. The root certificate may be subsequently retrieved from the application repository and imported into the service entity. At the same time, a setting pertaining to client authentication may be enabled at the service entity.
[0017] In operation, an application installed on a client device may request for a service from a service entity over a handshake session which adheres to a security protocol. A handshake session may be considered as a session during which exchange of information required by the client device and the service entity to eventually exchange application data occurs, in one example, the security protocol may include one of Transport Layer Security (TLS) and Secure Sockets Layer (SSL), and the session may be a TLS or SSL handshake session.
|0018] In the present example, since the client authentication is enabled at the service entity, the service entity may request a client certificate, which is available along with the installed application on the client device. As would be understood, the client certificate had been initially signed by the root certificate created for the application which is to be authenticated. The service entity on receiving the client certificate may obtain the information pertaining to the root certificate. The service entity may then determine whether the corresponding root certificate is installed therein. If the root certificate of the present application is available on the service entity, the service request is processed and allowed. If the root certificate is not available on the service entity, the service request is denied and a corresponding indication may be communicated to the user.
10019] As would be understood, the process for authenticating the application which may be permitted to avail and access the service is performed during the handshake session (such as the TLS handshake session). Therefore, any additional handshake sessions or authentication at application layer may not be performed. Moreover, any security vulnerability reported in future may be fixed as part of the security protocol update, and no modification may be required at application level.
[0020] These and other aspects are described in conjunction with FIGS. 1-7. FIG. 1 illustrates an example service entity 102 for authenticating applications to allow access to a service being offered by it. The service entity 102 may be considered as any processor enable device which performs one or more functions (i.e., services) in response to requests from one or more applications that may be installed on client device(s) 104. An example of such a service entity 102 may include a print device. Such a print device may provide a service involving printing content on a print media in response to one or more requests or commands from client device(s) 104. The service entity 102 and client device(s) 104 may be in communication with each other through a computing network 106. The client device(s) 104 may further include applications) 110 installed therein. The appiication(s) 110 may communicate with the service entity 102 for availing services being rendered by the service entity 102.
[0021] Continuing with the present example, the service entity 102 may further include service engine(s) 108. The service engine(s) 108 authenticates application^) 110 to allow access to a service being offered by the service entity 102; As would be explained in the foregoing description, only requests from application(s) 110 which have been authenticated, may be processed. As a result of the authentication, only few or all the application(s) 110 installed on the client devices to avail and access the services being offered by the service entity 102. In one example, the authentication is based on a root certificate 112 which is installed within the service entity 102.
[0022] Users of client device(s) 104 may, through appiication(s) 110 installed on the client device(s) 104, request for a service from the service entity 102. To initiate communication between the service entity 102 and the client device(s) 104, a handshake session may be implemented. Such a handshake session may adhere to a security protocol, such as Transport Layer Security (TLS) and Secure Sockets Layer (SSL). During such a handshake session, information required by the service entity 102 and the dent device{s) 104 to eventually engage with each other and exchange application data, occurs. In one example, the security protocol may include one of Transport Layer Security (TLS) and Secure Sockets Layer (SSL), and the session may be a TLS/SSL handshake session.
[0023] In operation, the service entity 102 may receive a request from application^) 110 installed on the client device(s) 104. In the present example, the service engine(s) 108 may process the request during the handshake session and determine whether a corresponding root certificate 112 is installed on the service entity 102. If the service engine(s) 108 determines that the root certificate 112 is installed on the service entity 102, the request is allowed, and the service entity 102 provides the service in response to such request. Conversely, if the service engine(s) 108 determines that a corresponding root certificate 112 is not present in the service entity 102, the request for availing and accessing the service is denied. Accordingly, an appropriate indication may be provided to the user of the client devices) 104. It should be noted that the authentication of the appiication(s) 110 is carried out during the handshake session at a security protocol layer. Consequently, no changes may be made at the underlying application layer or in the applications themselves. Furthermore, no additional authentications may be implemented over and above the handshake session.
[0024] FIG. 2 illustrates an example service entity 102 to authenticate applications to allow access to a service being offered by the service entity 102. The service entity 102 may be implemented as a standalone computing system ft a device communicatively connected through a network to other devices. The service entity 102 includes interface(s) 202 and memory 204. The interface(s) 202 may include a variety of interfaces, for example, interfaces for data input and output devices, referred to as I/O devices, storage devices, network devices, and the like. The interface(s) 202 facilitate communication between the service entity 102 and various computing devices connected in a networked environment in one example, the interface(s) 202 may provide an interface for communication between the service entity 102 and the client device(s) 104 (as depicted in FIG 1).
[0025] The memory 204 may store one or more computer-readable instructions, which may be fetched and executed to authenticate applications to allow access to a service being offered by a service entity. The memory 204 may include any non-transitory computer-readable medium including, for example, volatile memory such as RAM, or nonvolatile memory such as EPROM, flash memory, and the like. The service entity 102 further includes engine(s) 206 and data 208:
[0026] The engine(s) 206 may be implemented as a combination of hardware and programming (for example, programmable instructions) to implement one or more functionalities of the engine(s) 206. In examples described herein, such combinations of hardware and programming may be implemented in several different ways. For example, the programming for the engine(s) 206 may be processor executable instructions stored on a non-transitory machine-readable storage medium and the hardware for the engine(s) 206 may include a processing resource (for example, one or more processors), to execute such instructions. In the present examples, the machine-readable storage medium may store instructions that, when executed by the processing resource, implement engtne(s) 206. In such examples, the service entity 102 may include the machine-readable storage medium storing the instructions and the processing resource to execute the instructions, or the machine-readable storage medium may be separate but accessible to service entity 102 and the processing resource. In other examples, engine(s) 206 may be implemented by electronic circuitry.
[0027] The data 208 includes data that is either stored or generated as a result of the functionalities implemented by any of the engine(s) 206. In an example, the engine(s) 206 include the service engthe(S) 108, dommunlcatlOil engine^} 210 and other engine(s) 212. The other engine(s) 212 may implement functionalities that supplement applications or functions performed by the service entity 102 or engine(s) 206. Further, the data 208 may include root certificate^) 112, protocol data 214, and other data 216. The functioning of the service entity 102 is further described in conjunctions with FIGS. 3-4 which illustrate various steps preceding the authentication of applications to allow access to the services being offered by the service entity 102. For example, FIG. 3 illustrates various steps and entities which may be involved in registering applications for implementing the present subject matter.
[0028] FIG. 3 depicts various steps involving a registration server 302, an application developer 304, an application store 306, an administrator 308 and the service entity 102. In one example, an application may be in the process of being developed by an application developer 304. Initially, the application developer 304 may generate a public- private key pair. Thereafter, the application developer 304 may submit the public key to a registration server 302 as part of the registration process (step 310). The registration server 302 on receiving the public key generates a serf-signed root certificate for the application being developed. The application may be any one (or more) of the application(s) 110.
[0029] Returning to the registration process, the registration server 302 generates a root certificate(s) 112. The root certificate^) 112 corresponds to the application(s) 110 being developed and may specify an application identifier, uniquely identifying the application(s) 110. In one example, the root certificate(s) 112 may be generated by a certifying authority issuing digital certificates. Once the root certificate^) 112 is generated, the registration server 302 may further generate a client certificate^) 312 tor the public key that was submitted by the application developer 304 signed by the root certificate^) 112. The root certificate^) 112 and the client certificate^) 312 are communicated to the application developer 304 (step 314). The application developer 304 may proceed and develop the applicatbn(s) 110 using the client certificate^) 312. The applications) 110 once developed may be communicated and uploaded onto the application store 306 along with the root certtficate(s) 112 and the client certificate^) 312 (step 316). The application store 306 may be considered as a digital repository for storing machine-readable and executable files, and data corresponding to one or more applicatioh(s) 110. The application store 306 may be accessible through a communication network (not shown in FIG. 3). In an example, any user may access the application store 306 to download the desired appiication(s) 110. In the present example, the application^) 110 Is accompanied with the client certificate(s) 312.
[0030] At a later instance, an administrator 308 may wish to restrict and control applications which may avail and access services being provided by the service entity 102 (step 318). To this end, the administrator 308 may request the application store 306 to provide the root certiffcate(s) 112 for the application which is to be controlled. The request communicated to the application store 306 may specify the name or any other identifier of the application which is to be controlled. In response to the request, the administrator 308 receives the root certificate(s) 112 (step 320). The root certificate^) 112 obtained by the administrator 308 is subsequently imported or installed into the service entity 102 (step 322). In one example, while the root certtficate(s) 112 is being installed in the service entity 102, the administrator 308 may enable client authentication. The client authentication may allow the service entity 102 to authenticate the client device(s) 104 in case any request for availing the services is received, as per the applicable security protocol.
[0031] The manner in which the applications, such as application® 110 may be controlled is described in conjunction with FIG. 4. FIG, 4 depicts interactions between the service entity 102 and the client device(s) 104. In continuation to the example as described in conjunction with FIG. 3, the service entity 102 is installed with the root certificate^) 112. In operation, the service engine(s) 108 of the service entity 102 may be monitoring tor incoming requests for accessing and availing service which are being offered. The client device(s) 104 may send a request for accessing and availing the service being provided by the service entity 102 (step 402). in one example, the communication engine(s) 210 of the service entity 102 initiates a handshake session with the client devtce(s) 104 (step 404). in operation, an application installed oh a client device may request for a service from a service entity over a handshake session which adheres to a security protocol. A handshake session may be considered as a session during which exchange of information utilized by the client device(s) 104 and the service entity 102 to eventually exchange application data occurs. In one example, the security protocol may be one of Transport Layer Security (TLS) and Secure Sockets Layer (SSL), and the session may be a US/SSL handshake session. In FIG. 4 the communication and exchanges between the service entity 102 and the client device(s) 104, are depicted in dotted line for sake of illustration. The handshake session may be initiated based on information stored in protocol data 214.
[0032] Continuing with the ongoing example, once the handshake session has been initialized, the service entity 102 may request the client device{s) 104 for client certificate® 312 (step 406). As discussed previously, the client certificate® 312 is signed by the root certificate^ ) 112. The client certificate® 312 is received by the service entity 102 and processed by the service engine(s) 108 (step 408). The service engine(s) 108 on processing the client certificate® 312 determines information pertaining to the root certificate® 112 which may have been used to sign. Once such information pertaining to the root certificate(s) 112 is determined, the service engine® 108 may further determine whether a corresponding root certificate(s) 112 is installed within the service entity 102 (block 410).
{0033] The service engine(s) 108 may compare the information gathered from the client certificate® 312 to information indicating whether any root certificate is installed within the service entity 102. On determining that a corresponding root certificate® 112 is installed within the service entity 102, the service engine(s) 108 may process the service request received from the client devices) 104, and allow the client device(s) 104 to access and avail the service being offered. If, however, the service engine(s) 108 determines that no corresponding root certificate(s) 112 is present in the service entity 102, the request for accessing and availing the requested is service is not processed, and hence, denied (step 412). Once the applications) 110 is authenticated further communication may be accordingly affected. It should be noted that the authentication of the applications) 110 for availing and accessing the services being offered by the service entity 102, is implemented during the handshake session, in one example, the handshake session may be carried out over the TLS security protocol, which in turn may be implemented in a session layer of the Open Systems Interconnection model (OS! model). The present examples may have been described with respect to an application(s) 110 and a client device(s) 104. However, the above described approaches would also fee applicable for a combination of application(s) 110 and client device(s) 104.
[0034] The present approaches may also be implemented to subsequently control one or more application^) 110 which were previously authenticated, from accessing and availing services being offered by the service entity 102. For example, the administrator 308 may, at a later stage, delete root certificate^) 112 installed within the service entity 102. in such a case, subsequent request for services would not be processed owing to the absence of the root certificate^) 112.
[0035] FIGS. 5-6 illustrate example methods 500 and 600, respectively, for authenticating applications to allow access to a service being offered by a service entity. The order in which the methods are described is not intended to be construed as a limitation, and any number of the described method blocks may be combined in any order to implement the methods, or an alternative method. Furthermore, methods 500 and 600 may be implemented by processing resource or computing device(s) through any suitable hardware, non-transitory machine readable instructions, or combination thereof.
[0036] It may also be understood that methods 500 and 600 may be performed by programmed computing devices, such as service entity 102 as depicted in FIGS. 1-4. Furthermore, the methods 500 and 600 may be executed based on instructions stored in a non-transitory computer readable medium, as will be readily understood. The non-transitory computer readable medium may include, tor example, digital memories, magnetic storage media, such as one or more magnetic disks and magnetic tapes, hard drives, or optically readable digital data storage media. The methods 500 and 600 are described below with reference to service entity 102 as described above; other suitable systems for the execution of these methods may also be utilized. Additionaly, implementation of these methods is not limited to such examples.
[0037] Returning to FIG. 5, at block 502 by a service entity obtains a root certificate from a source repository. The application is to request a service being provided by the service entity. The root certificate corresponds to the application installed on a client device. For example, die service entity 102 may be installed with root certificate^) 112 corresponding to a certain appiication(s) 110. The root certificates) 112 may have been installed either manually or may have been configured automatically, in one example, the root certrfleale(s) 112 corresponds to the appficatiofi(s) 110 being developed and may specify an application identifier, uniquely identifying the application(s} 110.
[0038] At block 504, a command to enable client authentication on the service entity may be received. It should be noted that the client authentication is based on the root certificate. For example, the service entity 102 may be configured by ah administrator, such as the administrator 308, and is subsequently imported or installed into the service entity 102.
[0039] At block 506, incoming requests from the application over a handshake session adhering to a security protocol, are monitored. For example, the service engine(s) 108 of the service entity 102 may be monitoring for incoming requests for accessing and availing service which are being offered. The client device(s) 104 may send a request for accessing and availing the service being provided by the service entity 102.
[0040] At block 508, the incoming request is authenticated based on the root certificate. For example, the communication engine(s) 210 of the service entity 102 initiates a handshake session with the client device(s) 104. In the present example, the service engine(s) 108 may process the request during the handshake session and determine whether a corresponding root certificate 112 in installed on the service entity 102. If the service engine(s) 108 determines that the root certificate 112 is installed on the service entity 102, the request is allowed, and the service entity 102 provides the service in response to such request. Conversely, if the service engine(s) 108 determines that a corresponding root certificate 112 is not present in the service entity 102, the request for availing and accessing the service is denied.
[0041] FIG. 6 provides another example method for metering storage usage within a storage volume. At block 602, a service request from an application installed on a Client device is received by a service entity. For example, application^) 110 installed on client device(s) 104 on intending to avail services from the service entity 102, may communicate a request to the service entity 102. A service entity 102 may be any device which is configured to provide services, such as a print service, in response to commands or requests from applications) 110 installed on client device(s) 104. An example of such a client device(s) 104 includes, but is not limited to, a handheld device like mobile phone.
[0042] At block 604, a handshake session with the client device based on protocol data ∞nespottding to the security protcx^) being implemented, is initialized. For example, the communication engine(s) 210 of the service entity 102 initiates a handshake session with the client device(s) 104 based on protocol data 214. The handshake session in turn may adhere to a security protocol. A handshake session may be considered as a session during which exchange of information utilized by the client device(s) 104 and the service entity 102 to eventually exchange application data occurs. In one example, the security protocol may be one of Transport Layer Security (TLS) and Secure Sockets Layer (SSL), and the session may be a TLS/SSL handshake session.
[0043] At block 606, a client certificate from the client device is requested during the handshake session. For example, the service engine(s) 108 within the service entity 102 may request the client device(s) 104 for client certificate(s) 312. The client certificate^) 312 as discussed previously, is signed by the root certificate(s) 112.
[0044] At block 608, information from the client certificate pertaining to a root certificate is obtained. For example, the service engine(s) 108 may process the client certificate^) 312 received from the client device{s) 104. The client certificate(s) 312 is such that it had been signed using the root certiflcate(s) 112 at the time of registering any application, such as applications) 110. The information indicating the root certificate(s) 112 which has signed the client certificates) 312 is determined.
[0045] At block 610, based on information gathered from client certificate, it is determined whether a corresponding root certificate is present in the service entity. For example, the service engine(s) 108 may further determine whether a corresponding root certificate(s) 112 is installed within the service entity 102. In one example, the information pertaining to the root certificate{s) 112 installed within the service entity 102 may be available in other data 216.
[0046] At block 612, based on information gathered from the client certificate, the service request from the application installed on the client device is authenticated. As a result, the application may utilize the service being offered by the service entity. For example, the service engine(s) 108 may determine whether a root certificate corresponding to the application from which is the service request is received, is present. On determining that the root ceftificate(s) 112 is present in the service entity 102, the service engine(s) 108 may process the service request and allow the application(s) 110 to avail services from the service entity 102, in case the root certificate($) 112 is not installed, the service engine(s) 108 may deny the request for availing the service offered by the service entity 102.
(0047] FIG. 7 illustrates a system environment 700 to authenticate applications to allow access to a service being offered, according to an example of the present disclosure. The system environment 700 may comprise at least a portion of a public networking environment or a private networking environment, or a combination thereof. In one implementation, the system environment 700 includes a processing resource 702 communicatively coupled to a computer readable medium 704 through a communication link 706.
[0048] For example, the processing resource 702 can include one or more processors of a computing device. The computer readable medium 704 may be, for example, an internal memory device of the computing device or an external memory device, in one implementation, the communication (ink 706 may be a direct communication link, such as any memory read/write interface. In another implementation, the communication link 706 may be an indirect communication link, such as a network interface. In such a case, the processing resource 702 can access the computer readable medium 704 through a network 708. The network 708 may be a single network or a combination of multiple networks and may use a variety of different communication protocols.
[0040] The processing resource 702 and the computer readable medium 704 may also be coupled to data sources 710 through the communication link 706, and/or to communication devices 712 over the network 708. The coupling with the data sources 710 enables in receiving the data in an offline environment, and the coupling with the communication devices 712 enables in receiving the data in an online environment.
[0050] In one implementation, the computer readable medium 704 includes a set of computer readable instructions, implementing a service module(s) 714. The service module(s) 714 may be implemented within service entity 102. The instructions implementing service modute(s) 714 may, in one example, be executable code for authenticating applications to allow access to a service being offered. The set of computer readable instructions within medium 704 may be accessed by the processing resource 702 through the communication link 706 and subsequently executed to process data communicate with the data sources 710 for affecting the approaches as discussed previously.
[0051] in one example, a root certificate^) 112 may be received. The service module(s) 714 may obtain the root certificate^) 112 thus obtained and import it into the service entity 102. The root certificate^) 112 is such that it identifies and corresponds to a specific application, such as one of the application^) 110. The applicatton(s) 110 in turn are those applications installed on client device(s) 104 which may have to be authenticated so that they may avail the services being offered by the service entity(s) 102. The root certificate(s) 112 may subsequently be installed by the service module(s) 714. Once the root certificate(s) 112 is installed, the service modules) 714 may further enable client authentication on the service entity 102 to be performed in the event of receiving a request for providing service from any of the client device(s) 104.
[00523 Thereafter, the service module(s) 714 may monitor incoming requests for services from application(s) 110 installed on the client device(s) 104. In one example, the communication engine(s) 210 of the service module(s) 714 initiates a handshake session with the client device(s) 104. A handshake session may be considered as a session during which exchange of information utilized by the client device(s) 104 and the service entity 102 to eventually exchange application data occurs. In one example, the security protocol may be one of Transport Layer Security (TLS) and Secure Sockets Layer (SSL), and the session may be a TLS/SSL handshake session. Continuing with the ongoing example, once the handshake session has been initialized, the service module(s) 714 may request the client device(s) 104 for client certificate^) 312 corresponding to the application requesting access to the services. The service module(s) 714 on processing the client certificate(s) 312 determines information pertaining to the root certificates) 112 which may have been used to sign. Once such information pertaining to the root certificate(s) 112 is determined, the service modu!e(s) 714 may further determine whether a corresponding root certificate(s) 112 is installed within the service modu!e(s) 714 (block 410).
[0053} The service moduie(s) 714 may compare the information gathered from the client certificate^) 312 to information indicating whether any root certificate is installed within the service entity 102. On determining that a corresponding root certificate(s) 112 is installed within the service entity 102, the service modules) 714 may process the service request received from the client device(s) 104, and allow the client device(s) 104 to access and avail the service being offered. If, however, the service moduie(s) 714 determines that no corresponding root certificate{s) 112 is present, the request tor accessing and availing the requested service is not processed, and hence, denied. Once the applications) 110 is authenticated, further communication may be accordingly affected. It should be noted that the authentication of the apoiication(s) 110 for availing and accessing the services being offered by the service module(s) 714, is implemented during the handshake session. In one example, the handshake session may be carried out over the TLS security protocol, which in turn may be implemented in a session layer of the Open Systems Interconnection model (OSi model). The present examples may have been described with respect to an application^) 110 and a dient devices) 104. However, the above described approaches would also be applicable for a combination of application(s) 110 and dient device(s) 104.
{0054] Although examples tor the present disclosure have been described in language specific to structural features and/or methods, it should be understood that the appended daims are not necessarily limited to the specific features or methods described. Rather, the specific features and methods are disclosed and explained as examples of the present disdosure.

Claims
We claim: ί . A service entity comprising:
a service engine to provide a service in response to request from an application installed on a client device, wherein the service engine is to:
receive a request from the application for accessing the service;
determine whether a root certificate corresponding to the application is installed in the service entity; and
authenticate the request based on the determining, wherein the authenticating is performed in a handshake session between the service entity and the client device, with the handshake session adhering to a security protocol.
2v The service entity as claimed in claim 1, wherein to authenticate, the service engine is to process the request to provide access of the service to the application, on determining that the root certificate is installed in the service entity.
3. The service entity as claimed in claim 1, wherein to authenticate, the service engine is to deny the request from the application to access the service provided by the service entity, on determining that the root certificate is not installed in the service entity.
4. The service entity as claimed in claim 1 , wherein the service engine, to determine whether the root certificate is installed, is to:
request a client certificate from the client device, with the client certificate corresponding to the application, wherein the client certificate is signed by the root certificate;
retrieve information associated with the root certificate; and
based on the information, identify whether the root certificate is installed on the service entity.
5. The service entity as claimed in claim 1, wherein the security protocol is one of Transport Layer Security (TLS) and Secure Sockets Layer (SSL).
6. The service entity as claimed in claim 5, wherein the handshake session is a TLS handshake session between the service entity and the client device.
7. The service entity as claimed in claim 1, wherein the root certificate specifies a unique application identifier for the application which may access the service provided by the service entity.
8. The service entity as claimed in claim 1 , wherein the root certificate is uninstallable to subsequently deny the application access to the service.
9. A method comprising:
obtaining by a service entity, a root certificate from a source repository, wherein the root certificate corresponds to an application installed on a client device;
receiving command to enable client authentication on the service entity, wherein the client authentication is based on the root certificate;
monitoring incoming requests for a service being provided by the service entity from the application over a handshake session adhering to a security protocol; and
authenticating the incoming requests based on the root certificate.
10. The method as claimed in claim 9, wherein the root certificate is a public key certificate to identify a root certificate authority and a unique application identification.
11. The method as claimed in claim 9, wherein the method comprises enabling client authentication conforming to the security protocol.
12. The method as claimed in claim 9, wherein the authenticating comprises:
identifying, based on the incoming request, the application requesting access to the service;
determining whether a corresponding root certificate is installed within the service entity; and on determining that the fool certificate is present, allowing the application access to access the service offered by the service entity.
13. The method as claimed in claim 12, the method further comprising:
uninstalling the root certificate from the service entity;
monitoring incoming requests from the application to access the service; and denying access to the incoming request.
14. The method as claimed in claim 9, wherein the service entity is a print device.
15. A non-transitory computer-readable medium comprising instructions executable by a processing resource to:
import a root certificate into a service entity providing a service, wherein the root certificate corresponds to the application installed on a client device;
enable client authentication on the service entity;
authenticate the incoming requests based on the root certificate wherein the incoming requests are received from the application over a handshake session present adhering to a security protocol; and
grant access to the service provided by the service entity based on the authenticating.
PCT/US2018/018197 2017-04-14 2018-02-14 A service entity WO2019160545A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US16/498,984 US11366914B2 (en) 2017-04-14 2018-02-14 Authenticating access of service of service entity to application of client device based on whether root certificate corresponding to application is installed in service entity
PCT/US2018/018197 WO2019160545A1 (en) 2018-02-14 2018-02-14 A service entity

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2018/018197 WO2019160545A1 (en) 2018-02-14 2018-02-14 A service entity

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US17/002,128 Continuation US11411336B2 (en) 2018-02-26 2020-08-25 Spring-actuated electrical connector for high-power applications

Publications (1)

Publication Number Publication Date
WO2019160545A1 true WO2019160545A1 (en) 2019-08-22

Family

ID=67618861

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2018/018197 WO2019160545A1 (en) 2017-04-14 2018-02-14 A service entity

Country Status (1)

Country Link
WO (1) WO2019160545A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020016964A1 (en) * 2000-03-30 2002-02-07 Shuntaro Aratani Information processing apparatus and method, data broadcasting receiving apparatus, and printer
US20100056106A1 (en) * 2006-11-20 2010-03-04 Teliasonera Ab Authentication in mobile interworking system
US20140244998A1 (en) * 2010-11-09 2014-08-28 Secure64 Software Corporation Secure publishing of public-key certificates
US20150365400A1 (en) * 2014-06-12 2015-12-17 Nadapass, Inc. Password-less authentication system and method
US20170019381A1 (en) * 2012-06-15 2017-01-19 Roger I. Khazan Optimized transport layer security
US20170134424A1 (en) * 2013-11-14 2017-05-11 Avi Networks Network devices using tls tickets for session persistence

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020016964A1 (en) * 2000-03-30 2002-02-07 Shuntaro Aratani Information processing apparatus and method, data broadcasting receiving apparatus, and printer
US20100056106A1 (en) * 2006-11-20 2010-03-04 Teliasonera Ab Authentication in mobile interworking system
US20140244998A1 (en) * 2010-11-09 2014-08-28 Secure64 Software Corporation Secure publishing of public-key certificates
US20170019381A1 (en) * 2012-06-15 2017-01-19 Roger I. Khazan Optimized transport layer security
US20170134424A1 (en) * 2013-11-14 2017-05-11 Avi Networks Network devices using tls tickets for session persistence
US20150365400A1 (en) * 2014-06-12 2015-12-17 Nadapass, Inc. Password-less authentication system and method

Similar Documents

Publication Publication Date Title
US10440151B2 (en) Service authorization handshake
US9294468B1 (en) Application-level certificates for identity and authorization
US9038138B2 (en) Device token protocol for authorization and persistent authentication shared across applications
US8799639B2 (en) Method and apparatus for converting authentication-tokens to facilitate interactions between applications
EP3694175B1 (en) System and method for delegating authority through coupled devices
US9286455B2 (en) Real identity authentication
US20110162057A1 (en) Access control based on user and service
US10270757B2 (en) Managing exchanges of sensitive data
CN111783068A (en) Device authentication method, system, electronic device and storage medium
CN112788031A (en) Envoy architecture-based micro-service interface authentication system, method and device
CN105450582A (en) Business processing method, terminal, server and system
WO2023124958A1 (en) Key update method, server, client and storage medium
CN106302497A (en) The authority control method of micro services and device
CN113765655A (en) Access control method, device, equipment and storage medium
WO2019114098A1 (en) Blockchain-based storage system download method
CN116192483A (en) Authentication method, device, equipment and medium
EP3975015A1 (en) Applet package sending method and device, electronic apparatus, and computer readable medium
CN114065183A (en) Authority control method and device, electronic equipment and storage medium
US9680871B2 (en) Adopting policy objects for host-based access control
WO2023160632A1 (en) Method for setting cloud service access permissions of enclave instance, and cloud management platform
CN112738005A (en) Access processing method, device, system, first authentication server and storage medium
US11177958B2 (en) Protection of authentication tokens
CN115276998A (en) IoT authentication method, device and IoT device
US11366914B2 (en) Authenticating access of service of service entity to application of client device based on whether root certificate corresponding to application is installed in service entity
WO2019160545A1 (en) A service entity

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18906118

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18906118

Country of ref document: EP

Kind code of ref document: A1