News Column

"System and Method for Out-Of-Band Application Authentication" in Patent Application Approval Process

January 30, 2014



By a News Reporter-Staff News Editor at Computer Weekly News -- A patent application by the inventors Sade, Yair (Herzelia, IL); Dulkin, Andrey (Herzelia, IL), filed on June 6, 2013, was made available online on January 16, 2014, according to news reporting originating from Washington, D.C., by VerticalNews correspondents.

This patent application has not been assigned to a company or institution.

The following quote was obtained by the news editors from the background information supplied by the inventors: "An inherent function of many applications is sending requests to other applications and receiving responses from other applications. These requests include access to network resources, requests for specific information, access to various APIs (Application Programming Interfaces) and many other needs. This architecture is generally known as client-server, where a first (requesting) application acting as a client sends a request to a second (receiving) application acting as a server. The receiving application (known as the server) needs to authenticate the requesting application, to validate that the request should be granted. Specifically, the receiving application needs to validate that the request is legitimate, i.e. originated in the permitted application, and was not sent by an impersonator (human or application user purporting to be the legitimate application).

"Application authentication is known as a topic of interest in the computer field. Application authentication is required both when the application acts on behalf of a user (for example, a browser application accessing a web server) and when the application acts independently (for example, when an application accesses a database to perform a scheduled task) or a batch process. There are also cases when the application acts on behalf of a user, while also authenticating to a network resource with dedicated credentials, separate from those used by the user (for example, a user connects through an application, which also accesses a database to retrieve some information). Conventionally, the problem of authentication is addressed by a combination of the following conventional techniques:

"These conventional techniques are lacking in several aspects. In the first technique, credentials are stored within an application or in the application's environment, and are used when needed. However, this technique exposes the stored credentials to other parties (human or programmatic) who have permissions to operate in the same environment. These parties can, potentially, access and use the credentials to be falsely authenticated as the intended application.

"The second technique addresses the above-mentioned problem by performing checks on the application before providing it with the necessary credentials. However, these steps are performed on the request before the request reaches the network resource or server, thus the network server has no effective way of validating that these checks were indeed performed. The network server receives the request from the application and the credentials, and has no way to validate further that the application was indeed the source of the request.

"The third technique (NAC) mainly identifies the environment in which the application is running and is usually employed to validate that only specific environments have access to organizational network. This technique is not designed to identify, and does not identify, the specific application requesting access to network resources.

"A related field of authentication is that of human user authentication, which deals with authenticating a user of a specific application. Several solutions in this field employ 'out-of-band' authentication (OOBA), such as basing their decision on something the user has (for example, possession of a mobile phone), knows (additional information, such as mother's maiden name) or is (for example, biometrics).

"Examples of conventional OOBA techniques include US application 2012/0159603 to Tobias Queck for Mobile Out-Of-Band Authentication Service. Queck teaches enabling authentication of an application session at a client machine by using authentication values and user-identification values that are received from a mobile communication device. The mobile communication device provides an out-of-band channel for validating the session and enables secure authentication for a variety of applications. Queck solves the problem of stronger user authentication by adding authentication of the user's platform (in this case the user's mobile communication device). This additional/second authentication is done by sending a token to the purposed originating device and checking whether it is received and responded to accordingly. While Queck adds another layer of conventional authentication, this teaching does not suggest a solution for application authentication, as this technique only verifies the device (that is, the environment) of the application and not the application itself.

"Another conventional authentication technique is taught in US application 2012/0030742 to Laurence Lundblade for Methods and apparatus for providing application credentials. Lundblade teaches providing an application credential for an application running on a device, wherein the application credential is used by the application to authenticate to a data server. The method includes receiving a request to generate the application credential, wherein the request includes an application identifier. The method also includes generating the application credential using the application identifier and a master credential associated with the device. While Lundblade does discuss application authentication, this technique is conventional in-band authentication, and hence suffers from the same problems as other in-band techniques. Specifically, other parties can impersonate the original application, send the request to generate the application credential, and falsely complete the authentication process.

"Another known technique is described in US application 2008/0196101 to Yair Sade (assigned to Cyber-Ark Software, Ltd.) for Methods and Systems for Solving Problems with Hard-Coded Credentials. Sade teaches methods for handling hard-coded credentials, and provides methods for intercepting credential usage, mapping to other credentials, and replacing the credentials with valid application credentials. This is an example of the provider technique mentioned above. The request is intercepted and valid credentials are placed into the request, which is then sent to the server. However, the server has no independent way of validating the source of the request and must rely on the validity of the served credentials.

"There is therefore a need for a system and method of application authentication that is out-of-band and provides increased security compared to current techniques, specifically, authenticating both the application credentials and the fact that the credentials are indeed presented by the authenticated application."

In addition to the background information obtained for this patent application, VerticalNews journalists also obtained the inventors' summary information for this patent application: "According to the teachings of the present embodiment there is provided a system for authentication including: a server machine configured to: receive, via a first channel, a request from a client machine, the request associated with a client application on the client machine; connect, via a second channel that is separate from the first channel, to the client machine to request authentication information; receive, via the second channel, the authentication information; validate, based on the authentication information, the request, and a client machine configured to: collect the authentication information, wherein the authentication information is associated with a component of the system selected from the group consisting of: the request; and the client application, and wherein the authentication information is collected independently of interaction with the client application.

"In an optional embodiment, the server machine is further configured to effect a preliminary request validation of the request prior to connecting via the second channel to the client machine, the connecting being contingent on a success of the preliminary request validation.

"In another optional embodiment, the server machine is further configured to: initiate a transmission, in response to the request from the client machine, of an authentication agent to the client machine; and receive the authentication information from the authentication agent.

"According to the teachings of the present embodiment there is provided a system for authentication including: a server machine configured to: receive, via a first channel, a request from a client machine, the request associated with a client application on the client machine; receive, via a second channel that is separate from the first channel, authentication information; wherein the authentication information is associated with a component of the system selected from the group consisting of: the request; and the client application, and wherein the authentication information is collected independently of interaction with the client application.

"In an optional embodiment, the server machine is further configured to connect, via the second channel, between the server machine and the client.

"In another optional embodiment, the server machine is further configured to connect from the server machine to the client machine via the second channel to request the authentication information.

"In another optional embodiment, the server machine is further configured to effect a preliminary request validation of the request prior to connecting via the second channel to the client machine, the connecting being contingent on a success of the preliminary request validation.

"In another optional embodiment, the server machine is further configured to: initiate a transmission, in response to the request from the client machine, of an authentication agent to the client machine; and receive the authentication information from the authentication agent.

"According to the teachings of the present embodiment there is provided a system for authentication including: a client machine configured to collect authentication information for authenticating a request sent from a client application, wherein the client machine is configured to send the request via a first channel; wherein the client machine is configured to send the authentication information via a second channel; wherein the authentication information is associated with a component of the system selected from the group consisting of: the request sent from the client machine; and the client application on the client machine, and wherein the authentication information is collected independent of interaction with the client application.

"According to the teachings of the present embodiment there is provided a method for authentication including the steps of: receiving at a server machine, via a first channel, a request from a client machine, the request associated with a client application on the client machine; connecting, via a second channel that is separate from the first channel, between the server machine and the client machine; collecting the authentication information on the client machine; sending the authentication information from the client machine via the second channel to the server machine; and receiving at the server machine, via the second channel, authentication information from the client machine, wherein the authentication information is associated with a component of the system selected from the group consisting of the request; and the client application, and wherein the authentication information is collected independently of interaction with the client application.

"In an optional embodiment, the connecting is from the server machine to the client machine to request the authentication information.

"In another optional embodiment, further including the step of: effecting a preliminary request validation of the request prior to connecting via the second channel to the client machine, the connecting being contingent on a success of the preliminary request validation.

"In another optional embodiment, further including the step of: initiating a transmission, in response to the receiving of the request from the client machine, of an authentication agent to the client machine; wherein the receiving of the authentication information is from the authentication agent.

"In another optional embodiment, further including the step of: validating the request based on the authentication information.

"According to the teachings of the present embodiment there is provided a method for authentication including the steps of: receiving at a server machine, via a first channel, a request from a client machine, the request associated with a client application on the client machine; and receiving at the server machine, via a second channel that is separate from the first channel, from the client machine, authentication information; wherein the authentication information is associated with a component of the system selected from the group consisting of: the request; and the client application, and wherein the authentication information is collected independently of interaction with the client application.

"In another optional embodiment, further including the step of: connecting, via the second channel, between the server machine and the client machine.

"In another optional embodiment, the connecting is from the server machine to the client machine to request the authentication information.

"In another optional embodiment, further including the step of: effecting a preliminary request validation of the request prior to connecting via the second channel to the client machine, the connecting being contingent on a success of the preliminary request validation.

"In another optional embodiment, further including the steps of: initiating a transmission, in response to the receiving of the request from the client machine, of an authentication agent to the client machine; and receiving the authentication information from the authentication agent.

"In another optional embodiment, further including the step of: validating the request based on the authentication information.

"According to the teachings of the present embodiment there is provided a method for authentication including the steps of: sending a request from a client application on a client machine via a first channel to a server machine; and sending authentication information from the client machine via a second channel to the server machine, wherein the authentication information is associated with a component selected from the group consisting of: the request; and the client application, and, wherein the authentication information is collected independent of interaction with the client application.

"In another optional embodiment, the authentication information is provided by an authentication agent selected from the group consisting of: an agent pre-installed on the client machine; an agent transmitted to and executed on the client machine, following a connection from the server machine to the client machine, the agent remaining on the client machine after the agent sends the authentication information to the server machine; and an agent transmitted to and executed on the client machine, following a connection from the server machine to the client machine, the agent removed from the client machine after the agent transmits the authentication information to the server machine.

"In another optional embodiment, the authentication information is provided by an operating system of the client machine.

"In another optional embodiment, the authentication information is provided from one or more query responses to one or more corresponding queries independent of interaction with the client application.

"In another optional embodiment, the authentication information is provided from one or more query responses to one or more corresponding queries to components of the client machine other than the client application.

"In another optional embodiment, the request is for access credentials to network resources or other server machines.

"According to the teachings of the present embodiment there is provided a computer-readable storage medium having embedded thereon computer-readable code for authentication, the computer-readable code including program code for: receiving at a server machine, via a first channel, a request from a client machine, the request associated with a client application on the client machine; connecting, via a second channel that is separate from the first channel, between the server machine and the client machine; collecting the authentication information on the client machine; sending the authentication information from the client machine via the second channel to the server machine; and receiving at the server machine, via the second channel, authentication information from the client machine, wherein the authentication information is associated with a component of the system selected from the group consisting of: the request; and the client application, and wherein the authentication information is collected independently of interaction with the client application.

"According to the teachings of the present embodiment there is provided a computer-readable storage medium having embedded thereon computer-readable code for authentication, the computer-readable code including program code for: receiving at a server machine, via a first channel, a request from a client machine, the request associated with a client application on the client machine; and receiving at the server machine, via a second channel that is separate from the first channel, from the client machine, authentication information; wherein the authentication information is associated with a component of the system selected from the group consisting of: the request; and the client application, and wherein the authentication information is collected independently of interaction with the client application.

"According to the teachings of the present embodiment there is provided a computer-readable storage medium having embedded thereon computer-readable code for authentication, the computer-readable code including program code for: sending a request from a client application on a client machine via a first channel to a server machine; and sending authentication information from the client machine via a second channel to the server machine, wherein the authentication information is associated with a component selected from the group consisting of: the request; and the client application, and wherein the authentication information is collected independent of interaction with the client application.

"According to the teachings of the present embodiment there is provided a computer program that can be loaded onto a server machine connected through a network to a client machine, so that the server running the computer program constitutes a server machine in a system according to the current description.

"According to the teachings of the present embodiment there is provided a computer program that can be loaded onto a client machine connected through a network to a server machine, so that the machine running the computer program constitutes a client machine in a system according to the current description.

BRIEF DESCRIPTION OF FIGURES

"The embodiment is herein described, by way of example only, with reference to the accompanying drawings, wherein:

"FIG. 1 is a simplified diagram of conventional authentication.

"FIG. 2 is a diagram of out-of-band application authentication.

"FIG. 3 is a diagram of an exemplary implementation of out-of-band application authentication.

"FIG. 4 is a high-level block diagram of a processing system for embodiments of a server machine."
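The summary above describes a protocol rather than code: a request arrives on a first channel, the server optionally performs a preliminary validation, then opens a second channel to an authentication agent on the client machine and collects information about the request and the client application from the operating system, without asking the application itself. The simulation below is an added example written for this column and is not the inventors' code or the patent's implementation. The class and function names (ClientMachine, agent_collect, Server.authenticate), the per-host agent key, the policy table keyed by application name, and every host, port, path and hash value are constructed assumptions; what it demonstrates is why an impostor that forges every field of the in-band request still fails, because the agent reports which process actually owns the connection.

```python
"""Simulated out-of-band application authentication (added example, not the
patent's own code). A request arrives on the first channel; before granting
it, the server opens a second channel to an authentication agent on the
client machine and asks the OS, not the requesting application, which
process owns the connection. All names and sample values are constructed."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


@dataclass
class Process:
    pid: int
    exe_path: str
    exe_hash: str  # digest of the on-disk binary, as an OS-level query would report


@dataclass
class ClientMachine:
    """Client host: a process table, an open-connection table and the agent.
    The agent reads OS tables only, so the requesting application is never
    asked to vouch for itself (collection is independent of the application)."""
    host_id: str
    agent_key: bytes                                   # shared with the server (assumption)
    processes: dict = field(default_factory=dict)      # pid -> Process
    connections: dict = field(default_factory=dict)    # local source port -> pid

    def agent_collect(self, source_port: int, nonce: bytes) -> dict:
        """Second-channel query from the server: which process owns this connection?"""
        pid = self.connections.get(source_port)
        proc = self.processes.get(pid)
        info = {
            "host_id": self.host_id,
            "source_port": source_port,
            "pid": pid,
            "exe_path": proc.exe_path if proc else None,
            "exe_hash": proc.exe_hash if proc else None,
        }
        # Bind the reply to the server's nonce so a captured reply cannot be replayed.
        info["mac"] = _mac(self.agent_key, nonce, info)
        return info


def _mac(key: bytes, nonce: bytes, info: dict) -> str:
    body = json.dumps({k: v for k, v in info.items() if k != "mac"}, sort_keys=True)
    return hmac.new(key, nonce + body.encode(), hashlib.sha256).hexdigest()


@dataclass
class Request:
    """What the server sees on the first channel; an impostor can forge all of it."""
    client_host: str
    source_port: int
    app_name: str
    resource: str


class Server:
    def __init__(self, policy: dict, hosts: dict):
        self.policy = policy   # app_name -> expected exe_hash
        self.hosts = hosts     # host_id -> ClientMachine reachable over the second channel

    def preliminary_validation(self, req: Request) -> bool:
        # Cheap in-band checks first; only a plausible request earns a second-channel round trip.
        return req.client_host in self.hosts and req.app_name in self.policy

    def authenticate(self, req: Request) -> tuple:
        if not self.preliminary_validation(req):
            return (False, "preliminary validation failed")
        machine = self.hosts[req.client_host]
        nonce = secrets.token_bytes(16)
        info = machine.agent_collect(req.source_port, nonce)        # second channel
        if not hmac.compare_digest(info["mac"], _mac(machine.agent_key, nonce, info)):
            return (False, "agent reply failed integrity check")
        if info["pid"] is None:
            return (False, "no process owns the requesting connection")
        if info["exe_hash"] != self.policy[req.app_name]:
            return (False, "binary mismatch: %s is not %s" % (info["exe_path"], req.app_name))
        return (True, "ok")


# Constructed binaries: the expected application and an unrelated program.
BILLING_HASH = hashlib.sha256(b"constructed billing binary").hexdigest()
IMPOSTOR_HASH = hashlib.sha256(b"constructed impostor binary").hexdigest()


def build_demo():
    """Constructed scenario: one legitimate process and one impostor on the same host."""
    host = ClientMachine("app-host-1", agent_key=b"constructed-agent-key")
    host.processes = {
        4242: Process(4242, "/opt/billing/bin/billing", BILLING_HASH),
        9001: Process(9001, "/tmp/untrusted", IMPOSTOR_HASH),
    }
    host.connections = {51000: 4242, 51001: 9001}
    server = Server(policy={"billing": BILLING_HASH}, hosts={"app-host-1": host})
    legit = Request("app-host-1", 51000, "billing", "db/customers")
    impostor = Request("app-host-1", 51001, "billing", "db/customers")  # same claims, wrong process
    unknown = Request("rogue-host", 51000, "billing", "db/customers")   # fails before channel 2
    return server, legit, impostor, unknown


if __name__ == "__main__":
    server, legit, impostor, unknown = build_demo()
    for r in (legit, impostor, unknown):
        print(r.client_host, r.source_port, "->", server.authenticate(r))
```

The two requests from app-host-1 are indistinguishable on the first channel; only the agent's answer over the second channel separates them. The nonce-bound MAC on the agent reply is a design choice of this example, not something the summary specifies: without it, the second channel would itself be replayable and add nothing over in-band credentials.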

For the URL and more information on this patent application, see: Sade, Yair; Dulkin, Andrey. System and Method for Out-Of-Band Application Authentication. Filed June 6, 2013 and posted January 16, 2014. Patent URL: http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.html&r=87&p=2&f=G&l=50&d=PG01&S1=20140109.PD.&OS=PD/20140109&RS=PD/20140109

Keywords for this news article include: Patents.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC


Source: Computer Weekly News