Etchegoyen

(10) Patent No.: US 8,316,421 B2
(45) Date of Patent: Nov. 20, 2012

US008316421B2

(54) SYSTEM AND METHOD FOR DEVICE AUTHENTICATION WITH BUILT-IN TOLERANCE

(75) Inventor: Craig S. Etchegoyen, Irvine, CA (US)

(73) Assignee: Uniloc Luxembourg S.A., Luxembourg (LU)
( * ) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 133 days.

(21) Appl. No.: 12/903,948

(22) Filed: Oct. 13, 2010

(65) Prior Publication Data
US 2011/0093920 A1, Apr. 21, 2011

Related U.S. Application Data
(60) Provisional application No. 61/252,960, filed on Oct. 19, 2009.

(51) Int. Cl.
H04L 29/06 (2006.01)
(52) U.S. Cl. .......... 726/4; 726/1; 726/2; 726/3; 726/16; 726/17; 726/21; 726/26; 726/27; 726/30; 713/168; 713/176; 713/177; 713/180; 713/187;
(58) Field of Classification Search .......... 726/1-4, 726/16-21, 22-30; 713/168-170, 180-187; 709/217-219, 223-229
See application file for complete search history.
Primary Examiner: Taghi Arani
Assistant Examiner: Madhuri Herzog
(74) Attorney, Agent, or Firm: Sean D. Burdick

(57) ABSTRACT

A system for building tolerance into authentication of a computing device includes a means for executing, from a computer-readable medium, computer-implementable steps of: (a) receiving and storing a first digital fingerprint of the device during a first boot of an authenticating software on the device, the first digital fingerprint based on a first set of device components; (b) receiving a second digital fingerprint from the device at a subsequent time, (c) comparing the second digital fingerprint with a plurality of stored digital fingerprints of known devices, (d) in response to the comparison indicating a mismatch between the second digital fingerprint and the plurality of stored digital fingerprints, generating a request code comprising instructions for the device to generate a third digital fingerprint using the first set of device components, (e) sending the request code to the remote device, (f) receiving the third digital fingerprint from the remote device in response to the request code, and (g) authenticating the device based on a comparison of the first and third digital fingerprints.

6 Claims, 7 Drawing Sheets
`IA1004
`
`Page 1 of 19
`
`
`
SYSTEM AND METHOD FOR DEVICE AUTHENTICATION WITH BUILT-IN TOLERANCE

This application claims priority to U.S. Provisional Application No. 61/252,960 which was filed Oct. 19, 2009 and which is fully incorporated herein by reference.

BACKGROUND

1. Field of the Invention

The present invention is directed toward a method and system for building tolerance into comparisons of device fingerprints when authenticating a device.

2. Description of the Related Art

Controlling access to a secured network is one of the biggest challenges for critical infrastructure. Since the majority of existing infrastructures use computers to connect to the Ethernet or Internet, there is an increased possibility for security breaches into such infrastructures. One way to reduce security breaches is to strictly enforce authentication methods such as comparison of password, personal information, secret question, machine identifier, etc. against various stored data and password information. However, in certain approaches, if there is even a slight or minor difference between a device identifier or fingerprint for a device that seeks to be authenticated versus a database of known fingerprints corresponding to known authorized devices, then the request for authentication is rejected or denied.

From a practical standpoint, it is quite possible for a user of a given known device (e.g., a device that is known and authorized to access a secured network), to upgrade, replace, or otherwise modify one or more components of the device. If the device fingerprint may be based on or generated from various device components, including upgraded or modified components, it is quite possible that the known device may no longer have a fingerprint or identifier that will be recognized by the authentication system. For example, a valid device and machine may inadvertently be denied an authenticated status because of upgrade(s) to typical components such as memory, video card, etc. Accordingly, it would be desirable to provide an authentication method with built-in flexibility or tolerance to allow for some upgrades or changes to the device.

SUMMARY

The following presents a simplified summary of one or more embodiments in order to provide a basic understanding of such embodiments. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor delineate the scope of any or all embodiments. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later.

In accordance with one or more embodiments and corresponding disclosure thereof, various aspects are described in connection with a method for allowing tolerance in the authentication process of a digital fingerprint of a device. By building tolerance into the authentication process, the risk of rejecting a valid device is reduced. Some tolerance is needed because users may upgrade their hardware and/or software, thus changing the environment of their devices. Once the environment is changed, the authentication software/client on the device may generate a different digital fingerprint. Thus, without built-in tolerance, a valid device may be rejected once an upgrade is made to the device.

In accordance with one or more embodiments and corresponding disclosure thereof, various aspects are described in connection with a method for building tolerance into authentication of a device, the method comprising: receiving and storing a first digital fingerprint of the device during a first boot of an authenticating software on the device, the first digital fingerprint being based on a first set of device components; receiving a second digital fingerprint from the device at a subsequent time; comparing the second digital fingerprint with a plurality of stored digital fingerprints of known devices; in response to the comparison indicating a mismatch between the second digital fingerprint and the plurality of stored digital fingerprints, generating a request code comprising instructions for the device to generate a third digital fingerprint using the first set of device components; sending the request code to the remote device; receiving the third digital fingerprint from the remote device in response to the request code; and authenticating the device based on a comparison of the first and third digital fingerprints.

In the foregoing method, the first digital fingerprint may be generated using specific components, such as a typical-upgrade list and a non-typical-upgrade list. The typical-upgrade list may comprise one or more components such as graphic card, random access memory, sound card, network adaptor, hard drive, CD/DVD drive, and Ethernet controller. The non-typical-upgrade list may comprise one or more components such as motherboard, USB host controller, central microprocessor, PCI Bus, and System CMOS Clock.

The foregoing method may also include the process of receiving a component list of the device at the first boot of the authenticating software on the device. This list of components may be used to generate the request code, which may exclusively comprise components from the list. In this way, a control digital fingerprint may be generated to be compared with the first digital fingerprint.

In one embodiment, the authentication process may further include: generating a control metric by comparing differences between the first and second digital fingerprints. The control metric may identify fingerprint portions and their respective components of the device that generated the differences between the first and second digital fingerprints. The control metric may help identify components that are missing and/or were upgraded in the device. A second metric may also be generated by comparing differences between the first and third digital fingerprints. Each metric may comprise data identifying a fingerprint portion and associated component that caused the difference. The device may be validly authenticated when the associated component of the control metric and the associated component of the second metric are identical. This means the difference found in the comparison may be caused by a single component. When this is the case, there is a high probability that the change in the digital fingerprint is caused by an upgrade rather than being caused by an entirely different device.
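The control-metric check described above, as an added Python example (not code from the patent). It assumes a fingerprint is a mapping from component name to a short SHA-256 portion, a single registered device, and, following the "single component" remark, that at most `max_changed` components may differ; all class, function and field names are hypothetical.

```python
import hashlib

def portion(value):
    # Assumed encoding: each fingerprint portion is a short SHA-256 of one
    # component's identifier.
    return hashlib.sha256(value.encode()).hexdigest()[:12]

def fingerprint(environment, component_set):
    """Fingerprint restricted to component_set, as {component: portion}."""
    return {c: portion(environment[c]) for c in component_set if c in environment}

def metric(reference, candidate):
    """Components whose portion differs from, or is absent relative to, the reference."""
    return {c for c in set(reference) | set(candidate)
            if reference.get(c) != candidate.get(c)}

class Device:
    """Authentication client holding the device's current environment."""
    def __init__(self, environment):
        self.environment = dict(environment)

    def current_fingerprint(self):
        return fingerprint(self.environment, self.environment)

    def answer(self, request_code):
        # Third fingerprint: rebuilt from exactly the components the server names.
        return fingerprint(self.environment, request_code["use_components"])

class AuthServer:
    def __init__(self, max_changed=1):
        self.max_changed = max_changed  # assumption, from the "single component" remark
        self.first_set = []
        self.first_fp = {}

    def register(self, device):
        """First boot: store the component list and the first fingerprint."""
        self.first_set = sorted(device.environment)
        self.first_fp = device.current_fingerprint()

    def authenticate(self, device):
        second_fp = device.current_fingerprint()
        if second_fp == self.first_fp:
            return "match"
        control = metric(self.first_fp, second_fp)          # control metric
        request_code = {"use_components": self.first_set}   # request code
        third_fp = device.answer(request_code)
        second = metric(self.first_fp, third_fp)            # second metric
        if control == second and 0 < len(control) <= self.max_changed:
            return "tolerated: " + ", ".join(sorted(control))
        return "rejected"

# Constructed sample environment (not real hardware identifiers).
BASELINE = {"motherboard": "MB-A1", "central microprocessor": "CPU-A1",
            "random access memory": "RAM-4GB", "hard drive": "HDD-500GB"}

def demo():
    server = AuthServer()
    server.register(Device(BASELINE))
    unchanged = Device(BASELINE)
    upgraded = Device({**BASELINE, "random access memory": "RAM-8GB"})
    other = Device({name: value + "-X" for name, value in BASELINE.items()})
    return [server.authenticate(d) for d in (unchanged, upgraded, other)]

if __name__ == "__main__":
    print(demo())
```

A wholly different device also produces identical control and second metrics, since every portion differs both times, which is why the example bounds the number of changed components instead of testing equality alone.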
In the foregoing method, in one embodiment, the authentication server may be configured to parse out the digital fingerprint into a plurality of logical portions. Each logical portion may represent a component corresponding to a fingerprint portion. During the comparison of a received digital fingerprint from the device with stored digital fingerprints of known devices, the authentication server may flag each portion for which it failed to find a match. When the comparison process is completed, the device may be validly authenticated if there are matching portions for at least 75% of the logical portions of the received fingerprint. It should be noted that other percentages could be implemented.

In accordance with yet another embodiment of the present invention, a computer readable medium is provided. The computer readable medium has stored thereon computer executable instructions that, if executed by a device, cause the device to perform a method comprising: receiving a first digital fingerprint from a device having a plurality of digital fingerprint portions, each fingerprint portion being associated with a component of the device; authenticating the received digital fingerprint against stored digital fingerprints; flagging each digital fingerprint portion creating an error during authentication; categorizing the associated component of each fingerprint portion as a typical-upgrade component or a non-typical-upgrade component; and granting the digital fingerprint a valid authenticated status when the flagged fingerprint portions have a predetermined typical-upgrade/non-typical-upgrade ratio.

In accordance with yet another embodiment of the present invention, a computer readable medium is provided. The computer readable medium may have stored thereon computer executable instructions that, when executed by a device, cause the device to perform a method comprising: receiving and storing a first digital fingerprint of the device during a first boot of an authenticating software on the device, the first digital fingerprint being based on a first set of device components; receiving a second digital fingerprint from the device at a subsequent time; comparing the second digital fingerprint with a plurality of stored digital fingerprints of known devices; in response to the comparison indicating a mismatch between the second digital fingerprint and the plurality of stored digital fingerprints, generating a request code comprising instructions for the device to generate a third digital fingerprint using the first set of device components; sending the request code to the remote device; receiving the third digital fingerprint from the remote device in response to the request code; and authenticating the device based on a comparison of the first and third digital fingerprints.

In accordance with one or more embodiments and corresponding disclosure thereof, various aspects are described in connection with a method for authenticating a device, the method comprising: comparing the received digital fingerprint with stored digital fingerprints of known devices; flagging each digital fingerprint portion that creates an error during authentication; categorizing the associated component of each fingerprint portion as a typical-upgrade component or a non-typical-upgrade component; and granting the digital fingerprint a valid authenticated status when the flagged fingerprint portions exceed a predetermined typical-upgrade/non-typical-upgrade ratio.
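The portion-by-portion comparison with the 75% threshold, and the typical-upgrade/non-typical-upgrade ratio test from the two embodiments above, as an added Python example (not code from the patent). The `component=portion;...` fingerprint format, the SHA-256 portions, the `min_ratio` value of 2.0 and all function names are assumptions; the component lists and the 75% figure come from the text.

```python
import hashlib

# Component categories as listed in the patent text.
TYPICAL_UPGRADE = {"graphic card", "random access memory", "sound card",
                   "network adaptor", "hard drive", "CD/DVD drive",
                   "Ethernet controller"}
NON_TYPICAL_UPGRADE = {"motherboard", "USB host controller",
                       "central microprocessor", "PCI Bus", "System CMOS Clock"}

def make_fingerprint(components):
    """Serialize {component: identifier} as 'component=portion;...' (assumed format)."""
    return ";".join(
        f"{name}={hashlib.sha256(value.encode()).hexdigest()[:12]}"
        for name, value in sorted(components.items()))

def parse_portions(fp):
    """Parse a fingerprint into its logical portions, one per component."""
    return dict(item.split("=", 1) for item in fp.split(";") if item)

def compare(received_fp, stored_fp, min_match=0.75, min_ratio=2.0):
    """Flag mismatching portions, then evaluate both tolerance policies.

    min_match is the 75% figure from the text; min_ratio (typical-upgrade
    flags per non-typical-upgrade flag) is an assumed value.
    """
    received, stored = parse_portions(received_fp), parse_portions(stored_fp)
    # Assumption: a portion present on only one side counts as a mismatch, so
    # a fingerprint that omits components cannot raise its own match rate.
    names = sorted(set(received) | set(stored))
    flagged = [n for n in names if received.get(n) != stored.get(n)]
    fraction = (len(names) - len(flagged)) / len(names) if names else 0.0
    typical = [n for n in flagged if n in TYPICAL_UPGRADE]
    # Anything not on the typical-upgrade list is treated as non-typical
    # (conservative assumption).
    non_typical = [n for n in flagged if n not in TYPICAL_UPGRADE]
    ratio_ok = bool(names) and (
        not non_typical or len(typical) / len(non_typical) >= min_ratio)
    return {"flagged": flagged, "match_fraction": fraction,
            "threshold_ok": fraction >= min_match, "ratio_ok": ratio_ok}

def best_match(received_fp, known):
    """Compare against every stored fingerprint and return the closest device."""
    results = {dev: compare(received_fp, fp) for dev, fp in known.items()}
    dev = max(results, key=lambda d: results[d]["match_fraction"])
    return dev, results[dev]

# Constructed sample data: one registered device with all twelve components.
REGISTERED = {n: n + " model A" for n in TYPICAL_UPGRADE | NON_TYPICAL_UPGRADE}
KNOWN = {"device-1": make_fingerprint(REGISTERED)}
UPGRADED = {**REGISTERED, "random access memory": "RAM model B",
            "graphic card": "GPU model B"}
SWAPPED = {**REGISTERED, "motherboard": "board model B",
           "central microprocessor": "CPU model B",
           "random access memory": "RAM model B"}
OTHER = {n: n + " model Z" for n in REGISTERED}

if __name__ == "__main__":
    for label, env in (("upgraded", UPGRADED), ("swapped", SWAPPED),
                       ("other", OTHER)):
        print(label, best_match(make_fingerprint(env), KNOWN))
```

The `SWAPPED` case passes the 75% threshold (9 of 12 portions match) but fails the ratio test because two of its three flagged components are on the non-typical-upgrade list, so the two policies are not interchangeable.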
To the accomplishment of the foregoing and related ends, the one or more embodiments comprise the features hereinafter fully described and particularly pointed out in the claims. The following description and the annexed drawings set forth in detail certain illustrative aspects of the one or more embodiments. These aspects are indicative, however, of but a few of the various ways in which the principles of various embodiments may be employed and the described embodiments are intended to include all such aspects and their equivalents.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention, in accordance with one or more various embodiments, is described in detail with reference to the following figures. The drawings are provided for purposes of illustration only and merely depict typical or example embodiments of the invention. These drawings are provided to facilitate the reader's understanding of the invention and shall not be considered limiting of the breadth, scope, or applicability of the invention.

FIG. 1 is a block diagram illustrating an exemplary environment within which a method for authenticating remote devices may be implemented according to one embodiment of the present invention.

FIG. 2 is a block diagram representing memory allocation for a device identifier used in accordance with principles of the present invention.

FIG. 3A is a process flow chart illustrating one embodiment of a method according to the invention for device authentication with built-in tolerance.

FIG. 3B is a continuation of the process flow diagram of FIG. 3A.

FIG. 4 is a process flow chart illustrating another embodiment of a method according to the invention for device authentication with built-in tolerance.

FIG. 5 is a block diagram illustrating a system within which software components can be executed to perform a method for authenticating a device according to one or more embodiments of the present invention.

FIG. 6 is a block diagram illustrating another system within which software components can be executed to perform a method for authenticating a device according to one or more embodiments of the present invention.

DETAILED DESCRIPTION

Users frequently upgrade their devices with new software and hardware components to keep their devices up to date with current technology. But in upgrading their devices, users may inadvertently make their devices invalid to a digital fingerprint authentication process. During an authentication process, according to one embodiment of the present invention, a digital fingerprint is generated using information from the environment of the device. The information used to generate the digital fingerprint may include information regarding hardware and software components, hardware configurations or statuses, and software version, etc.

By building tolerance into the authentication process, the risk of rejecting a valid device is reduced. Some tolerance is needed because users may upgrade their hardware and/or software, thus changing the environment of their devices. Once the environment is changed, the authentication client may generate a different digital fingerprint. Thus, without tolerance a valid device may be rejected once an upgrade is made to the device.

According to embodiments of the present invention, a method for authenticating a device is described below. The method described below can also be implemented in a system or a computer apparatus. To authenticate a device, the user may install a standalone authentication client or module on the device. The authentication client may also be an applet application or a software plug-in of another software application, such as, for example, a web browser. On the first install or run of the authentication client, a digital fingerprint ("first boot fingerprint") is generated using information collected on the device's hardware and software environment. The first boot fingerprint may then be stored for later comparison with newly received digital fingerprints during future authentication processes.

The first boot fingerprint may be generated using the overall environmental information collected by the authentication module. Alternatively, the first boot fingerprint may be generated using specific components of the device as predetermined by the authentication client. The specific components may include components from a typical-upgrade components list or a non-typical-upgrade components list. The typical-upgrade components list may include components such as: graphic card, random access memory, sound card, network adaptor, hard drive, CD/DVD drive, Ethernet controller, or other routinely upgraded components. The non-typical-upgrade components list may include components such as: motherboard, USB host controller, central microprocessor, PCI Bus, System CMOS Clock, etc.

In one embodiment, at the first boot of the authentication client, two different digital fingerprints are generated. One of the fingerprints may be generated using only component information from the non-typical-upgrade list, while the other digital fingerprint may be generated using a standard technique. This may involve using the information of components from both typical and non-typical upgrade lists or environmental information of the device as a whole to generate the fingerprint instead of using specific components.

Once the authentication client generates the digital fingerprints, they may be sent to an authentication server to register the device, if this is the first run of the authentication client. In one embodiment, when the authentication client is not at the first run, only one fingerprint is generated and sent to the authentication server for verification.

Where the device is registering with the authenticating server for the first time, the received digital fingerprints are stored. In a subsequent communication and when the authentication server receives another fingerprint, the later received fingerprint is compared to the stored fingerprint. If a match is found between the latest received fingerprint and one of the stored fingerprints, the device may be validly authenticated. The authentication process may also request the user to enter a username and a password in addition to the verification of the response code.

According to another embodiment of the present invention, the authenticating server may generate a request code, to be transmitted to the device, representing one or more fingerprints of one or more components of a device. The request code may be configured to represent one or more portions of fingerprints of components located in the device. The request code may be transmitted to the device using a wireless communication standard such as WiMAX, WiFi, HomeRF, CDMA, or other wireless communication protocol.

The request code may be configured such that when it is read by the device, a response code is generated by the device. The response code comprises one or more portions of the requested fingerprints of components inside the device. For example, the request code may request the following: the first five digits of the serial number of the device; the version of the operating system; and/or the last four digits of the serial number of a microprocessor. On receiving the above request code, the device may collect the requested portions of fingerprints and generate a response code. The response code may be generated using a hash function such as a one-way hash or a two-way hash function using the information gathered in response to the request code.
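The request-code and response-code exchange just described, using the three portions the text gives as its example, as an added Python example (not code from the patent). The JSON request format, the field names `device_serial`, `os_version` and `cpu_serial`, the use of SHA-256 as the one-way hash, and the class and function names are assumptions.

```python
import hashlib
import hmac
import json

def build_request_code(items):
    """Server side: encode (field, start, end) slice requests as JSON (assumed format)."""
    return json.dumps([{"field": f, "start": s, "end": e} for f, s, e in items])

def collect_portions(request_code, inventory):
    """Device side: extract exactly the requested portions, in request order."""
    portions = []
    for item in json.loads(request_code):
        if item["field"] not in inventory:
            raise KeyError(f"device has no field {item['field']!r}")
        portions.append(inventory[item["field"]][item["start"]:item["end"]])
    return portions

def response_code(request_code, inventory):
    """Device side: one-way hash over the collected portions."""
    digest = hashlib.sha256()
    for p in collect_portions(request_code, inventory):
        data = p.encode()
        # Length-prefix each portion so ("ab", "c") and ("a", "bc") hash differently.
        digest.update(len(data).to_bytes(2, "big") + data)
    return digest.hexdigest()

class AuthServer:
    def __init__(self):
        self.stored_codes = {}  # response code -> device id

    def register(self, device_id, code):
        """First registration: store the response code for later comparison."""
        self.stored_codes[code] = device_id

    def verify(self, code):
        """Return the device id whose stored code matches, else None."""
        for stored, device_id in self.stored_codes.items():
            if hmac.compare_digest(stored, code):  # constant-time comparison
                return device_id
        return None

# The three portions used as the example in the text.
REQUEST = build_request_code([("device_serial", 0, 5),
                              ("os_version", None, None),
                              ("cpu_serial", -4, None)])
# Constructed sample inventory (not real identifiers).
INVENTORY = {"device_serial": "4821377015", "os_version": "10.0.19045",
             "cpu_serial": "BFEBFBFF000906EA"}

def demo():
    server = AuthServer()
    server.register("device-1", response_code(REQUEST, INVENTORY))
    same = server.verify(response_code(REQUEST, INVENTORY))
    patched = {**INVENTORY, "os_version": "10.0.22631"}
    changed = server.verify(response_code(REQUEST, patched))
    return collect_portions(REQUEST, INVENTORY), same, changed

if __name__ == "__main__":
    print(demo())
```

Because the hash covers all requested portions at once, a change to any one of them (here an operating system update) changes the entire response code, so tolerance has to come from comparing portions individually.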
The response code may be transmitted to an authenticating server via email or short messaging system (SMS). Where SMS is used, the device may be configured to automatically transmit the response code to the authenticating server after receiving and processing the request code. The device may also request a confirmation from the user prior to sending the response code to the authenticating server.

Once the response code is received at the authenticating server, the authenticating server may compare each of the one or more portions of fingerprints with predetermined code(s) or previously stored code(s). Where the device is registering with the authenticating server for the first time, the response code may be translated and stored. If a match is found between the response code and one of the stored codes, the device may be validly authenticated. The authenticating process may also request the user to enter a username and a password in addition to the verification of the response code. Alternatively, the verification of the response code alone is sufficient and verification of the username and password is bypassed. When the device is registering for the first time, the user may be required to enter the username and password.

Before describing the invention in further detail, it is useful to describe an example environment with which the invention can be implemented. FIG. 1 is a diagram illustrating an example environment 100 with which the online commerce restriction, system, and apparatus is implemented according to one or more embodiments of the present invention. The illustrated example environment 100 includes devices 110a and 110b, a network 115, a server 120, and a software/hardware module 130. Devices 110 may include a security client (not shown) configured to authenticate the device to an authenticating server as generally described above. The security client may comprise a stand-alone application or an applet running within a web browser on the device 110 (e.g., an applet comprising executable code for a Java Virtual Machine). The security client may be embedded in or associated with another software application, including but not limited to a web browser. For example, the security client may be embedded in or associated with a tool bar of a software application, such as, for example, a web browser. The security client may prompt the user to register with an online software registration service, or may run in the background with little or no interaction with the user of device 110.

The security client may also be digitally distributed or streamed from one or more servers. Network 115 may comprise the Internet, a local area network, or other form of communication network.

Referring again to FIG. 1, computing devices 110a-b may be in operative communication with authenticating server 120. While only one computing device 110 is illustrated, it will be understood that a given system may comprise any number of computing devices. Computing device 110 may be, but is not limited to, a mobile phone, netbook, a mobile game console, mobile computing device, a tablet computer, a personal digital assistant, a wireless communication device, an onboard vehicle computer, or any other device capable of communication with a computer network.

Per the request code received from the authenticating server or manually entered by the user of the device, the security client may collect information regarding computing device 110, as instructed by the request code. The request code may comprise information or instructions telling the security client to collect a number of parameters which are expected to be unique to the computing device environment. The parameters collected may include, for example, hard disk volume name, user name, device name, user password, hard disk initialization date, etc. The collected information may include information that identifies the hardware comprising the platform on which