In many cases, authentication of a client identity takes place with symmetric credentials provided over an encrypted interface. For example, it is common for secure clients to set up a secure connection with a server and then prove user identity through a user name and password. In other cases, a client sends a registration message to a server, where the registration message is encrypted with the server's public key and contains the client identity and symmetric credentials, such as a password or a PIN code. As used herein, the term “symmetric credentials” has its common meaning in the art and generally refers to information which is intended to prove the identity of a particular client device or subscriber. Symmetric credentials may include a MAC address, serial number, IMEI, etc., and usually also include some secret information such as a password, a PIN code or an activation code provided by a network or system operator. These credentials are called “symmetric” because they are generally shared between a client and a system infrastructure component such as a server.
It would be desirable to upgrade and improve these types of systems to verify client identity with asymmetric credentials. In such a case, for example, a database of all client symmetric credentials would not be necessary in the infrastructure, and the threat posed by that database being compromised would be reduced. When asymmetric credentials are used, the infrastructure would only need a database of public keys, which do not require heightened protection.
Also, when public keys are put into a digital certificate, it will not be necessary to pre-provision a database of client keys in the infrastructure. Therefore, the use of asymmetric credentials can simplify system initialization and provisioning. However, existing systems that employ symmetric credentials to validate client identity can be difficult to re-design and upgrade to support asymmetric authentication. Normally, an existing system would have to be completely re-architected, which is not practical.
It would also be considered an improvement in the art if existing legacy systems which authenticate clients based on symmetric credentials could be upgraded to use asymmetric credentials or identities as well.
Known conventional prior art legacy systems using symmetric authentication typically forward a client's symmetric credentials to a separate credentials verification system. Instead of using symmetric credentials, it would be considered an improvement in the art to be able to use an asymmetric key cryptographic identity for authentication, comprising, for example, a customer identifier and an AINFO field with the client's digital signature and device certificate chain. Because the client identity is encrypted together with the rest of the registration message, it would be difficult to perform a cut-and-paste attack that attaches these credentials or identity to some other client's registration request. It would be considered an improvement to be able to upgrade existing legacy systems to authenticate clients based on both symmetric credentials and an asymmetric key cryptographic identity, in a cost-effective and reliable manner.
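The binding argument above, as an added illustration that is not part of the patent text: the client's signature in the AINFO field covers the customer identifier along with the rest of the registration message, so an AINFO lifted from one registration does not verify when paired with another identity. The message layout, field names and the direct use of a public key in place of a device certificate chain are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Registration is a constructed, simplified registration message. The real
// message would also carry symmetric credentials and be encrypted to the server.
type Registration struct {
	CustomerID string `json:"customer_id"`
	DeviceID   string `json:"device_id"`
	Nonce      string `json:"nonce"`
}

// AINFO holds the client's signature over the whole Registration (the device
// certificate chain that would accompany it is omitted here).
type AINFO struct{ Sig []byte }

// digest hashes the canonical (JSON) encoding of the full registration message.
func digest(reg Registration) ([]byte, error) {
	b, err := json.Marshal(reg)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(b)
	return sum[:], nil
}

// signRegistration is the client side: sign identity and message together.
func signRegistration(priv *ecdsa.PrivateKey, reg Registration) (AINFO, error) {
	h, err := digest(reg)
	if err != nil {
		return AINFO{}, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h)
	return AINFO{Sig: sig}, err
}

// verifyRegistration is the infrastructure side; pub would normally be taken
// from the validated device certificate chain.
func verifyRegistration(pub *ecdsa.PublicKey, reg Registration, a AINFO) bool {
	h, err := digest(reg)
	return err == nil && ecdsa.VerifyASN1(pub, h, a.Sig)
}

// spliceRejected returns true when a genuine registration verifies but the same
// AINFO pasted onto a different customer identifier is rejected.
func spliceRejected() (bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	reg := Registration{CustomerID: "cust-001", DeviceID: "dev-A", Nonce: "n1"}
	ainfo, err := signRegistration(priv, reg)
	if err != nil || !verifyRegistration(&priv.PublicKey, reg, ainfo) {
		return false, fmt.Errorf("genuine registration did not verify: %v", err)
	}
	spliced := reg
	spliced.CustomerID = "cust-999" // identity swapped, AINFO reused unchanged
	return !verifyRegistration(&priv.PublicKey, spliced, ainfo), nil
}

func main() {
	ok, err := spliceRejected()
	fmt.Println("spliced registration rejected:", ok, err)
}
```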
It would also be considered beneficial if legacy systems could be easily upgraded to provide and support DRM client authentication based on new or widely adopted device certificates, such as X.509 device certificates.
Skilled artisans will appreciate that elements in the figures are illustrated for simplicity and clarity and have not necessarily been drawn to scale. For example, the dimensions and/or relative positioning of some of the elements in the figures may be exaggerated relative to other elements to help to improve the understanding of various embodiments of the present invention. Also, common but well-understood elements that are useful or necessary in a commercially feasible embodiment are often not depicted in order to facilitate a less obstructed view of these various embodiments of the present invention. It will further be appreciated that certain actions and/or steps may be described or depicted in a particular order of occurrence while those skilled in the art will understand that such specificity with respect to sequence is not actually required. It will also be understood that the terms and expressions used herein have the ordinary meaning as is accorded to such terms and expressions with respect to their corresponding respective areas of inquiry and study except where specific meanings have otherwise been set forth herein.