
WO2018190969A1 - System and methods for uniquely identifying internet-connected devices - Google Patents

System and methods for uniquely identifying internet-connected devices

Info

Publication number
WO2018190969A1
Authority
WO
WIPO (PCT)
Prior art keywords
connected device
internet connected
unique identifier
application
service
Prior art date
Application number
PCT/US2018/020819
Other languages
English (en)
Inventor
Amos Yaacov ANGELOVICI
Dror Yaffe
Original Assignee
Adswapper Inc.
Application filed by Adswapper Inc.
Publication of WO2018190969A1

Classifications

    • G PHYSICS
      • G06 COMPUTING OR CALCULATING; COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F7/00 Methods or arrangements for processing data by operating upon the order or content of the data handled
          • G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
              • G06F21/44 Program or device authentication
          • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
              • G06F2221/2129 Authenticate client device independently of the user
        • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
          • G06Q30/00 Commerce
            • G06Q30/02 Marketing; Price estimation or determination; Fundraising
              • G06Q30/0241 Advertisements
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L12/00 Data switching networks
            • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
              • H04L12/46 Interconnection of networks
                • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
              • H04L63/0272 Virtual private networks
            • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
          • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/14 Session management
              • H04L67/141 Setup of application sessions

Definitions

  • the invention relates to systems and methods for uniquely identifying internet connected devices, and more specifically to uniquely identifying internet connected devices through a third-party web-service.
  • Internet connected devices such as smartphones, tablets, smartwatches, Smart Televisions, various Internet of Things (IoT) devices, or any other device supporting Hypertext Transfer Protocol (HTTP), etc.
  • DUID Device Unique Identifier
  • the DUID is a unique identification string generated for each device.
  • SDK Software Development Kit
  • Advertisers are interested in uniquely identifying devices (associated with corresponding users) across applications, in order to better target the users, and to control the frequency of exposure of the users to an advertisement.
  • application developers can request an advertiser to provide an advertisement by either embedding an SDK (optionally an SDK of the advertiser) in the application code, or by embedding an advertiser tag (i.e. a code snippet inserted within the code where an ad is due to be displayed) in the code.
  • an advertiser tag i.e. a code snippet inserted within the code where an ad is due to be displayed
  • application developers prefer embedding an advertiser tag over embedding an SDK in their code, for various reasons, including ease of development and maintenance.
  • a request for a campaign is received, the request including an application title, an access endpoint, a campaign duration, and a list of a plurality of communication network operators.
  • a special rating request is sent to each communications network operator on the list.
  • the special rating request requests that a predetermined data rate be applied to data associated with the access endpoint for the campaign period.
  • the data associated with the access endpoint is made available at the predetermined data rate on a communications network.
  • advertising may be provided that communicates that the application is available for download and for use on the communications network at the predetermined data rate.
  • a communications device stores a set of device credentials for activating the communications device for a service on a network; and sends an access request to the network, the access request including the set of device credentials.
  • US Patent No. 9,503,460 (Gladstone et al.) published on November 22, 2016, discloses a method in one example embodiment and includes identifying a network location of an endpoint, which is attempting to initiate an application; identifying whether the endpoint is operating in an enterprise environment; determining whether the application is trusted based on metadata associated with the application; and provisioning a tunnel for data traffic associated with the application.
  • the tunnel can be provisioned if the application is trusted and the endpoint is outside of an enterprise environment.
  • the tunnel can be provisioned if the application is untrusted and the endpoint is within an enterprise environment.
  • a mobile device that is connected to a private network may determine that one of its mobile applications is requesting to communicate with a private network.
  • the mobile device may intercept one or more system calls to communicate with the private network issued by the mobile application.
  • the mobile device may generate a communication link to a virtual private network (VPN) server on a port of the mobile device through which to transmit communications from the mobile application to the private network.
  • the mobile device may instruct the VPN server to transmit one or more messages from the mobile application to an access gateway for forwarding to the private network.
  • VPN virtual private network
  • US Patent No. 9,450,951 (Nadeltchev et al.) published on September 20, 2016, discloses a device and a services provisioning system that establish an over-the-air connection with each other and perform device posture validation to obtain a unique identification (ID) of the device at the provisioning system.
  • the device and provisioning system then participate in device and user authentication in response to a confirmed unique ID by a backend access control system, where the device generates a secure key pair after successful user authentication.
  • the provisioning system provides a root certificate to the device, and the device sends a certificate enrollment request back to the provisioning system.
  • in response to a certificate authority signing the certificate request, the provisioning system returns a valid certificate to the device, and the valid certificate is installed on the device.
  • US Patent No. 7,444,508 (Korean et al.) published on October 28, 2008, discloses a mobile or other device that connects to a server via a publicly accessible network such as the Internet. After installation upon the device, a virtual private network (VPN) client connects to the server and downloads a VPN profile.
  • the device creates public/private key pairs and requests enrollment of a digital certificate.
  • a digital certificate and public/private key pairs are provided. The device also receives a digital certificate from the server and verifies the server certificate by requesting the user to supply a portion of a fingerprint for the certificate.
  • the invention further includes an automatic content updating (ACU) client that downloads a user profile for the VPN, requests certificate enrollment, and updates the VPN client and other applications when new content is available.
  • a security service manager (SSM) server includes, or is in communication with, a Web server, multiple databases, an enrollment gateway and an internal certification authority (CA).
  • a VPN policy manager application creates and manages VPN profiles and/or policies and communicates with the SSM server.
  • the SSM server which may reside on an enterprise intranet, may further communicate with one or more external CAs.
  • a method for uniquely identifying, by a third-party web-service, an internet connected device having a device unique identifier, wherein the device unique identifier is inaccessible by an application installed on the internet connected device and calling the third-party web-service when executed, comprising: receiving, by the third-party web-service, a request originating from the application; sending, by the third-party web-service, a response to the application, the response including executable code configured to attempt, when executed by the application, communicating with a server located within a Virtual Private Network (VPN), thereby triggering a VPN authentication process for connecting the internet connected device to the VPN, the VPN authentication process including sending, by the internet connected device, the device unique identifier to an authentication server; and receiving, by the third-party web-service, the device unique identifier obtained from the authentication server, thereby uniquely identifying, by the third-party web-service, the internet connected device.
  • the method further comprises: receiving, by the web-service, additional information originating from the application; and sending, by the web-service, the additional information to a second application installed on the internet connected device, other than the application, thereby enabling transferring the additional information from the application to the second application.
  • the method further comprises sending, by the web-service, a unique identifier uniquely identifying the internet connected device, to the application, thereby enabling the application to locally store the unique identifier, in a location accessible by the application on the internet connected device.
  • the unique identifier is the device unique identifier.
  • the unique identifier is a web-service generated unique identifier, generated by the web-service for uniquely identifying the internet connected device.
  • the executable code is configured to check if the unique identifier is locally stored before attempting to communicate with the server.
  • the server is an HTTP server.
  • the internet connected device includes a configuration of the
  • the device unique identifier is sent by the internet connected device to the authentication server via a VPN server.
  • the internet connected device is a mobile device.
  • a method for uniquely identifying, by a third-party web-service, an internet connected device having a device unique identifier, wherein the device unique identifier is inaccessible by an application installed on the internet connected device and calling the third-party web-service when executed, comprising: sending, by the application, a request to the web-service; receiving, by the application, a response to the request, the response including executable code configured to attempt, when executed by the application, communicating with a server located within a Virtual Private Network (VPN); and executing, by the application, the executable code, thereby triggering a VPN authentication process for connecting the internet connected device to the VPN, the VPN authentication process including sending, by the internet connected device, the device unique identifier to an authentication server, thereby enabling the authentication server to send the device unique identifier to the web-service.
  • the method further comprises: sending, by the application, additional information to the web-service; and receiving, by a second application installed on the internet connected device, other than the application, the additional information, thereby enabling transferring the additional information from the application to the second application.
  • the method further comprises: receiving, by the application, from the web-service, a unique identifier uniquely identifying the internet connected device; and locally storing, by the application, the unique identifier, in a location accessible by the application on the internet connected device.
  • the unique identifier is the device unique identifier.
  • the unique identifier is a web-service generated unique identifier, generated by the web-service for uniquely identifying the internet connected device.
  • the executable code is configured to check if the device unique identifier is locally stored before attempting to communicate with the server.
  • the server is an HTTP server.
  • the internet connected device includes a configuration of the
  • the internet connected device is a mobile device.
  • a method for uniquely identifying, by a third-party web-service, an internet connected device comprising: receiving, by the web-service, a request originating from an application installed on the internet connected device, the request including a current Internet Protocol (IP) address of the internet connected device; generating, by the web-service, a unique identifier for the internet connected device; storing, by the web-service, the unique identifier in association with the current IP address of the internet connected device; sending, by the web-service, the unique identifier to the application, thereby enabling the application to store the unique identifier in a local storage of the internet connected device, accessible by the application; receiving, by the web-service, from the application, upon a change of the current IP address of the internet connected device, a new IP address and the unique identifier; and updating the current IP address associated with the unique identifier to the new IP address.
  • IP Internet Protocol
  • the method further comprises: receiving, by the web-service, a unique identifier request originating from the application installed on the internet connected device, the request including the current Internet Protocol (IP) address of the internet connected device; and sending, by the web-service, the unique identifier to the application, enabling the application to store the unique identifier in the local storage of the internet connected device, accessible by the application.
  • the internet connected device is a mobile device.
  • a method for uniquely identifying, by a third-party web-service, an internet connected device comprising: sending, by an application installed on the internet connected device, to the web-service, a unique identification request including a current Internet Protocol (IP) address of the internet connected device; receiving, by the application, a unique identifier, uniquely identifying the internet connected device, from the web-service, the device unique identifier being associated with the current IP address; detecting, by the application, a change of the current IP address of the internet connected device to a new IP address; and sending, by the application, the new IP address and the unique identifier, thereby enabling the web-service to update the current IP address associated with the unique identifier to the new IP address.
  • the method further comprises: sending, by the application, a unique identifier request to the web-service, the request including the current Internet Protocol (IP) address of the internet connected device; and receiving, by the application, the unique identifier, thereby enabling the application to store the unique identifier in the local storage of the internet connected device, accessible by the application.
  • the internet connected device is a mobile device.
  • a web-service server having a processor configured to: receive a request originating from an application installed on an internet connected device; send a response to the application, the response including executable code configured to attempt, when executed by the application, communicating with a server located within a Virtual Private Network (VPN), thereby triggering a VPN authentication process for connecting the internet connected device to the VPN, the VPN authentication process including sending, by the internet connected device, a device unique identifier to an authentication server, wherein the device unique identifier is inaccessible by the application; and receive the device unique identifier obtained from the authentication server, thereby uniquely identifying the internet connected device.
  • the processor is further configured to: receive additional information originating from the application; and send the additional information to a second application installed on the internet connected device, other than the application, thereby enabling transferring the additional information from the application to the second application.
  • the processor is further configured to send a unique identifier uniquely identifying the internet connected device, to the application, thereby enabling the application to locally store the unique identifier, in a location accessible by the application on the internet connected device.
  • the unique identifier is the device unique identifier.
  • the unique identifier is a web-service generated unique identifier, generated by the web-service for uniquely identifying the internet connected device.
  • the executable code is configured to check if the unique identifier is locally stored before attempting to communicate with the server.
  • the server is an HTTP server.
  • the internet connected device includes a configuration of the
  • the device unique identifier is sent by the internet connected device to the authentication server via a VPN server.
  • the internet connected device is a mobile device.
  • an internet connected device having a device unique identifier inaccessible by an application installed on the internet connected device, the internet connected device having a processor configured to execute the application, the application configured to: send a request to the web-service; receive a response to the request, the response including executable code configured to attempt, when executed by the application, communicating with a server located within a Virtual Private Network (VPN); and execute the executable code, thereby triggering a VPN authentication process for connecting the internet connected device to the VPN, the VPN authentication process including sending, by the internet connected device, the device unique identifier to an authentication server, thereby enabling the authentication server to send the device unique identifier to the web-service.
  • the application is further configured to: send additional information to the web-service; and receive, by a second application installed on the internet connected device, other than the application, the additional information, thereby enabling transferring the additional information from the application to the second application.
  • the application is further configured to: receive from the web-service, a unique identifier uniquely identifying the internet connected device; and locally store, by the application, the unique identifier, in a location accessible by the application on the internet connected device.
  • the unique identifier is the device unique identifier.
  • the unique identifier is a web-service generated unique identifier, generated by the web-service for uniquely identifying the internet connected device.
  • the executable code is configured to check if the device unique identifier is locally stored before attempting to communicate with the server.
  • the server is an HTTP server.
  • the internet connected device includes a configuration of the
  • the internet connected device is a mobile device.
  • a web-service server having a processor configured to: receive a request originating from an application installed on an internet connected device, the request including a current Internet Protocol (IP) address of the internet connected device; generate a unique identifier for the internet connected device; store the unique identifier in association with the current IP address of the internet connected device; send the unique identifier to the application, thereby enabling the application to store the unique identifier in a local storage of the internet connected device, accessible by the application; receive from the application, upon a change of the current IP address of the internet connected device, a new IP address and the unique identifier; and update the current IP address associated with the unique identifier to the new IP address.
  • the processor is further configured to: receive a unique identifier request originating from the application installed on the internet connected device, the request including the current Internet Protocol (IP) address of the internet connected device; and send the unique identifier to the application, enabling the application to store the unique identifier in the local storage of the internet connected device, accessible by the application.
  • the internet connected device is a mobile device.
  • an internet connected device having a device unique identifier inaccessible by an application installed on the internet connected device, the internet connected device having a processor configured to execute the application, the application configured to: send to a web-service, a unique identification request including a current Internet Protocol (IP) address of the internet connected device; receive a unique identifier, uniquely identifying the internet connected device, from the web-service, the device unique identifier being associated with the current IP address; detect a change of the current IP address of the internet connected device to a new IP address; and send the new IP address and the unique identifier, thereby enabling the web-service to update the current IP address associated with the unique identifier to the new IP address.
  • the processor is further configured to: send a unique identifier request to the web-service, the request including the current Internet Protocol (IP) address of the internet connected device; and receive the unique identifier, thereby enabling the application to store the unique identifier in the local storage of the internet connected device, accessible by the application.
  • the internet connected device is a mobile device.
  • a non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code, executable by at least one processor of a web-service server to perform a method comprising: receiving a request originating from an application installed on an internet connected device; sending a response to the application, the response including executable code configured to attempt, when executed by the application, communicating with a server located within a Virtual Private Network (VPN), thereby triggering a VPN authentication process for connecting the internet connected device to the VPN, the VPN authentication process including sending, by the internet connected device, a device unique identifier to an authentication server, wherein the device unique identifier is inaccessible by the application; and receiving the device unique identifier obtained from the authentication server, thereby uniquely identifying the internet connected device.
  • a non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code, executable by at least one processor of an internet connected device having a device unique identifier inaccessible by an application installed thereon, to perform a method comprising: sending a request to the web-service; receiving a response to the request, the response including executable code configured to attempt, when executed by the application, communicating with a server located within a Virtual Private Network (VPN); and executing the executable code, thereby triggering a VPN authentication process for connecting the internet connected device to the VPN, the VPN authentication process including sending, by the internet connected device, the device unique identifier to an authentication server, thereby enabling the authentication server to send the device unique identifier to the web-service.
  • a non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code, executable by at least one processor of a web-service server to perform a method comprising: receiving a request originating from an application installed on an internet connected device, the request including a current Internet Protocol (IP) address of the internet connected device; generating a unique identifier for the internet connected device; storing the unique identifier in association with the current IP address of the internet connected device; sending the unique identifier to the application, thereby enabling the application to store the unique identifier in a local storage of the internet connected device, accessible by the application; receiving from the application, upon a change of the current IP address of the internet connected device, a new IP address and the unique identifier; and updating the current IP address associated with the unique identifier to the new IP address.
  • a non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code, executable by at least one processor of an internet connected device having a device unique identifier inaccessible by an application installed thereon, to perform a method comprising: sending to a web-service, a unique identification request including a current Internet Protocol (IP) address of the internet connected device; receiving a unique identifier, uniquely identifying the internet connected device, from the web-service, the device unique identifier being associated with the current IP address; detecting a change of the current IP address of the internet connected device to a new IP address; and sending the new IP address and the unique identifier, thereby enabling the web-service to update the current IP address associated with the unique identifier to the new IP address.
  • Fig. 1 is a block diagram schematically illustrating one example of a system for uniquely identifying an internet connected device, in accordance with the presently disclosed subject matter;
  • Fig. 2 is a block diagram schematically illustrating one example of an internet connected device, in accordance with the presently disclosed subject matter;
  • Fig. 3 is a block diagram schematically illustrating one example of a third-party web-service server, in accordance with the presently disclosed subject matter;
  • Fig. 4 is a flowchart illustrating one example of a sequence of operations carried out by a web-service server for uniquely identifying an internet connected device, in accordance with the presently disclosed subject matter;
  • Fig. 5 is a flowchart illustrating one example of a sequence of operations carried out by an internet connected device for uniquely identifying the internet connected device by a third-party web-service, in accordance with the presently disclosed subject matter;
  • Fig. 6 is a flowchart illustrating another example of a sequence of operations carried out by a web-service server for uniquely identifying an internet connected device, in accordance with the presently disclosed subject matter;
  • Fig. 7 is a flowchart illustrating another example of a sequence of operations carried out by an internet connected device for uniquely identifying the internet connected device by a third-party web-service, in accordance with the presently disclosed subject matter.
  • DSP digital signal processor
  • FPGA field programmable gate array
  • ASIC application specific integrated circuit
  • non-transitory is used herein to exclude transitory, propagating signals, but to otherwise include any volatile or non-volatile computer memory technology suitable to the application.
  • the phrases “for example”, “such as”, “for instance” and variants thereof describe non-limiting embodiments of the presently disclosed subject matter.
  • Reference in the specification to “one case”, “some cases”, “other cases” or variants thereof means that a particular feature, structure or characteristic described in connection with the embodiment(s) is included in at least one embodiment of the presently disclosed subject matter.
  • the appearance of the phrase “one case”, “some cases”, “other cases” or variants thereof does not necessarily refer to the same embodiment(s).
  • Figs. 1-3 illustrate a general schematic of the system architecture in accordance with an embodiment of the presently disclosed subject matter.
  • Each module in Figs. 1-3 can be made up of any combination of software, hardware and/or firmware that performs the functions as defined and explained herein.
  • the modules in Figs. 1-3 may be centralized in one location or dispersed over more than one location.
  • the system may comprise fewer, more, and/or different modules than those shown in Figs. 1-3.
  • Any reference in the specification to a method should be applied mutatis mutandis to a system capable of executing the method and should be applied mutatis mutandis to a non-transitory computer readable medium that stores instructions that once executed by a computer result in the execution of the method.
  • Any reference in the specification to a system should be applied mutatis mutandis to a method that may be executed by the system and should be applied mutatis mutandis to a non-transitory computer readable medium that stores instructions that may be executed by the system.
  • Any reference in the specification to a non-transitory computer readable medium should be applied mutatis mutandis to a system capable of executing the instructions stored in the non-transitory computer readable medium and should be applied mutatis mutandis to method that may be executed by a computer that reads the instructions stored in the non-transitory computer readable medium.
  • FIG. 1 shows a block diagram schematically illustrating one example of a system for uniquely identifying an internet connected device, in accordance with the presently disclosed subject matter.
  • the system 10 for uniquely identifying an internet connected device 100 by a web-service includes a plurality of internet connected devices 100, such as smartphones, tablet computers, smartwatches, smart televisions, various Internet of Things (IoT) devices, or any other device supporting Hypertext Transfer Protocol (HTTP), etc.
  • the system 10 further includes one or more third-party web-services executed on a third-party web-service server 170, or on a group of third-party web- service servers 170, that can optionally be distributed.
  • the internet connected devices 100 and the third-party web-service servers 170 are connected to a communication network 140, such as the Internet.
  • the third-party web-service servers 170 can be part of a Virtual Private Network (VPN) 160, although this is not necessarily so. Any one of the internet connected devices 100 can have one or more applications installed thereon and configured to communicate, over the communication network 140, with one or more of the third-party web-service servers 170, e.g. for obtaining a certain service therefrom.
  • Some exemplary services include: (a) receiving advertisements to be displayed by the application calling the third-party web-service; (b) obtaining analytical information relating to the application calling the third-party web-service; (c) sharing information between two or more applications installed on the internet connected device executing the third-party web-service; (d) authenticating users across applications without having to embed a third-party authenticator's SDK in the application's code (e.g. without embedding Facebook's or Google's authenticator in the code); (e) identifying if a user is underage across applications without having to embed the monitoring code SDK in the application, etc.
  • a third-party web-service provider offering the third-party web-service is interested in uniquely identifying the internet connected device 100 executing the application communicating therewith.
  • such applications do not have access to a unique identifier of the internet connected device 100 enabling unique identification of the internet connected device 100 executing the application (e.g., in cases where the application is not developed using Software Development Kits (SDKs) enabling access to a unique identifier assigned to the internet connected device 100 e.g. by its manufacturer).
  • the first solution includes use of the VPN 160 for forcing a process during which the internet connected device 100 sends a unique identifier (hereinafter: "Device Unique Identifier" or "DUID"), assigned to the internet connected device 100 by its manufacturer or by another entity such as the third-party web-service provider, for authentication purposes, as further detailed herein, inter alia with reference to Figs. 4 and 5.
  • the connection to the VPN 160 can be pre-configured on the internet connected device 100.
  • One method includes installing a second application on the internet connected device 100, the second application configured to configure the connection to the VPN 160.
  • the second application can download a VPN profile defining the connection to the VPN 160, including a DUID assigned to the internet connected device 100 by the third-party web-service provider.
  • the second application can be configured to have access to the DUID assigned to the internet connected device 100 by its manufacturer (e.g. as the second application can be developed using an SDK), and in such case, it can download a VPN profile defining the connection to the VPN 160, and associate it with the DUID assigned to the internet connected device 100 by its manufacturer.
  • connection to the VPN 160 can be manually configured by the internet connected device 100 user.
  • the user of the internet connected device 100 may be instructed to download, from a given network location (optionally identified by a Uniform Resource Locator (URL)), a VPN profile defining the connection to the VPN 160, including a DUID assigned to the internet connected device 100 by the third-party web-service provider.
  • an application installed on the internet connected device 100 requests a web-service from the third-party web-service server 170.
  • the third-party web-service server 170 returns a response to the application, including executable code (e.g. JavaScript), configured to send an identification request to a server, such as a Hypertext Transfer Protocol (HTTP) server 130, located within the VPN 160.
  • a VPN connection is initialized, via a VPN Tunnel 150, between the internet connected device 100 executing the application and a VPN server 110 of the VPN 160.
  • the internet connected device 100 provides the VPN server 110 with the DUID, and the VPN server 110 performs an authentication process vs. an authentication server 120 of the VPN 160.
  • the HTTP server 130 receives the identification request from the application, and executes a process during which the HTTP server 130 approaches the authentication server 120 to retrieve the DUID, and sends the DUID back to the application.
  • the application can store the DUID on a local storage, accessible by the application, within the internet connected device 100 (e.g. in a cookie file of an internal browser of the application). It is to be noted that a more detailed explanation about this process is provided with reference to Figs. 4 and 5.
  • the second solution includes utilizing an application installed on the internet connected device 100, and configured to provide the third-party web-service server 170 with an Internet Protocol (IP) address assigned to the internet connected device 100 at the time the application is executed (it is to be noted in this respect that whenever the internet connected device 100, or the application installed thereon, sends a request to a web-service, the request includes the IP address of the internet connected device 100, as a standard part of any TCP/IP implementation of a connection between the internet connected device 100 and the third-party web-service server 170).
  • the third-party web-service server 170 can generate and assign a unique identifier (hereinafter: "Third-Party Service Device Unique Identifier" or "3PDUI") to the internet connected device 100 having the IP address provided thereto, locally store such unique identifier in association with the received IP address, and send such 3PDUI to the internet connected device 100.
  • the application can be further configured to check (e.g. periodically or upon identification of certain events, such as a restart event, occurring, etc.) if the IP address of the internet connected device 100 has changed, and if so, to provide the third-party web-service server 170 with the new Internet Protocol (IP) address assigned to the internet connected device 100 and with the 3PDUI previously assigned to the internet connected device 100, so that the third-party web-service server 170 can update the IP address of the internet connected device 100, stored in association with the 3PDUI, to the new IP address.
  • the third-party web-service server 170 will always have the 3PDUI stored in association with the current IP address of the internet connected device 100, which will enable the web-service executed on the third -party web-service server 170 to uniquely identify the internet connected device 100 by the 3PDUI using the current IP address of the internet connected device 100, upon request.
  • internet connected device 100 can comprise a network interface 250 (e.g. a WiFi client, a LiFi client, 3G/4G client, or any other component that enables the internet connected device 100 to wirelessly connect to the communication network 140, etc.), enabling connecting the internet connected device 100 to a communication network 140 (e.g. a TCP/IP communication network such as the Internet) and enabling it to send data and/or receive data sent thereto, through the communication network 140.
  • the internet connected device 100 can have an Internet Protocol (IP) address assigned to it by an Internet Service Provider (ISP).
  • the ISP can sometimes assign an internet connected device 100 with a new IP address, e.g. upon certain events occurring (e.g. roaming, restarting the internet connected device 100, etc.).
  • Internet connected device 100 can have one or more applications installed thereon, such as App “a” 230-a, App “b” 230-b, App “n” 230-n.
  • Each application can have a local storage accessible thereto (and optionally inaccessible to other applications), such as App “a” storage 240-a for App “a” 230-a, App “n” storage 240-n for App “n” 230-n, etc.
  • Internet connected device 100 can further comprise a local data repository 260 (e.g. Read Only Memory - ROM, Random Access Memory - RAM, or any other type of local memory, etc.) configured to store data, including, inter alia, the internet connected device 100 IP address, a DUID, a 3PDUI, etc.
  • data repository 260 can be further configured to enable retrieval and/or update and/or deletion of the data stored thereon.
  • certain parts of the data repository 260 can be inaccessible by any application installed on the internet connected device 100.
  • certain applications installed on the internet connected device 100 can have access to certain parts of the data repository 260 that are optionally inaccessible to other applications.
  • at least one application installed on the internet connected device 100 cannot access at least a part of the data repository 260 comprising the DUID.
  • Internet connected device 100 further comprises a processing resource 200.
  • Processing resource 200 can be one or more processing units (e.g. central processing units), microprocessors, microcontrollers (e.g. microcontroller units (MCUs)) or any other computing processing device, which are adapted to independently or cooperatively process data for controlling relevant internet connected device 100 resources and for enabling operations related to internet connected device 100 resources.
  • the processing resource 200 can comprise one or more of the following modules: internet connected device unique identification module 210 and app info sharing module 220.
  • internet connected device unique identification module 210 can be configured to uniquely identify an internet connected device 100, as further detailed herein, inter alia with reference to Fig. 5.
  • app info sharing module 220 can be configured to enable sharing data between two applications installed on an internet connected device 100, utilizing the unique identification of the internet connected device 100, as further detailed herein, inter alia with reference to Figs. 4-7.
  • Fig. 3 is a block diagram schematically illustrating one example of a third-party web-service server, in accordance with the presently disclosed subject matter.
  • third-party web-service server 170 can comprise a network interface 310 (e.g. a network card enabling the third-party web-service server 170 to connect to the communication network 140, via a wired or wireless connection, etc.), enabling connecting the third-party web-service server 170 to the communication network 140 (e.g. a TCP/IP communication network such as the Internet) and enabling it to send data and/or receive data sent thereto, through the communication network 140, including sending and/or receiving requests/responses to/from applications installed on internet connected devices 100, as detailed herein, inter alia with reference to Figs. 4-7.
  • Third-party web-service server 170 can further comprise, or be otherwise associated with, a data repository 320 (e.g. a database, a storage system, a memory including Read Only Memory - ROM, Random Access Memory - RAM, or any other type of local memory, etc.) configured to store data, including, inter alia, one or more of: IP addresses of internet connected devices 100, a DUID of internet connected devices 100, a 3PDUI of internet connected devices 100, etc.
  • data repository 320 can be further configured to enable retrieval and/or update and/or deletion of the data stored thereon.
  • Third-party web-service server 170 further comprises a processing resource 330.
  • Processing resource 330 can be one or more processing units (e.g. central processing units), microprocessors, microcontrollers (e.g. microcontroller units (MCUs)) or any other computing devices or modules, including multiple and/or parallel and/or distributed processing units, which are adapted to independently or cooperatively process data for controlling relevant third-party web-service server 170 resources and for enabling operations related to third-party web-service server 170 resources.
  • the processing resource 330 can comprise one or more of the following modules: web-service internet connected device unique identification module 340 and web-service app info sharing module 350.
  • web-service internet connected device unique identification module 340 can be configured to uniquely identify an internet connected device 100, as further detailed herein, inter alia with reference to Fig. 4.
  • web-service app info sharing module 350 can be configured to enable sharing data between two applications installed on a given internet connected device 100, utilizing the unique identification of the given internet connected device 100, as further detailed herein, inter alia with reference to Figs. 4 and 5.
  • FIG. 4 is a flowchart illustrating one example of a sequence of operations carried out by a third-party web service executing on a web-service server for uniquely identifying an internet connected device, in accordance with the presently disclosed subject matter.
  • Fig. 5 is a flowchart illustrating one example of a sequence of operations carried out by an application installed on an internet connected device for uniquely identifying the internet connected device by the third-party web-service, in accordance with the presently disclosed subject matter. Both flowcharts provide a full picture of a process of uniquely identifying an internet connected device by the web-service.
  • the process enables an application (e.g. App “a” 230-a, App “n” 230-n) calling the third-party web-service to obtain the DUID of the internet connected device 100 on which the application is installed, even in those cases where the DUID is otherwise inaccessible by such application (e.g. even if the application does not have direct access to the DUID stored on the data repository 260 of the internet connected device 100 on which the application is installed).
  • those parts of the process carried out by the application installed on the internet connected device 100 can be performed utilizing the internet connected device unique identification module 210, and those parts of the process carried out by the third-party web-service server 170 can be performed utilizing the web-service internet connected device unique identification module 340.
  • the internet connected device unique identification process begins with an application (e.g. App “a” 230-a, ... , App “n” 230-n), installed on the internet connected device 100 to be identified, sending a request to the third-party web-service server 170 (block 510).
  • the request can be any type of request (e.g. an HTTP request) triggering activation of a web service executing on the third-party web-service server 170.
  • the request, originating from the application to be identified, is received by the web service (block 410).
  • the web-service is configured to send a response to the application, the response including executable code, executable by the application (e.g. JavaScript code that can be executed by an internal web-browser of the application) (block 420).
  • the executable code can be configured to check, when executed by the application, if the application has access to a unique identifier uniquely identifying the internet connected device 100.
  • a unique identifier uniquely identifying the internet connected device 100 can be stored in a part of the internet connected device's 100 memory accessible by the application (e.g. for App “a” 230-a, the unique identifier can be stored in App “a” storage 240-a; for App “n” 230-n, the unique identifier can be stored in App “n” storage 240-n), e.g. in cases where the unique identifier has been previously obtained and locally stored using the process described herein (see block 440 herein). If the application has access to the unique identifier, the executable code can send the unique identifier back to the web-service, thereby uniquely identifying the internet connected device 100.
  • the executable code can be configured to attempt sending a request to a server (e.g. HTTP server 130) located within a Virtual Private Network (VPN) thereby triggering a VPN connection initialization, via a VPN Tunnel 150, between the internet connected device 100 executing the application and a VPN server 110 of the VPN 160.
  • in cases where the internet connected device 100 has the VPN connection pre-configured thereon, the internet connected device 100 provides the VPN server 110 with the DUID (which is a unique identifier uniquely identifying the internet connected device 100), and the VPN server 110 performs an authentication process vs. an authentication server 120 of the VPN 160.
  • the server to which the request was sent (e.g. HTTP server 130) receives the request sent by the executable code executed by the application executing on the internet connected device 100 to be identified, and executes a process during which the server (e.g. HTTP server 130) approaches the authentication server 120 to retrieve the DUID of the internet connected device 100, and sends the DUID back to the application.
  • the executable code executed by the internet connected device 100 can be further configured to send the DUID to the web-service, thereby uniquely identifying the internet connected device 100 by the web-service.
  • the executable code, sent by the web-service to the internet connected device 100, is received and executed by the application (blocks 520 and 530), resulting in the web-service receiving the DUID of the internet connected device 100 to be uniquely identified (block 430).
  • the web-service can be configured to send the DUID received at block 430, or another unique identifier uniquely identifying the internet connected device 100 (e.g. a unique identifier generated by the web-service), to the application, thereby enabling the application to locally store the DUID or the other unique identifier, in a location, on the internet connected device 100, accessible by the application (e.g. for App “a” 230-a, the DUID can be stored inside a cookie file in App “a” storage 240-a; for App “n” 230-n, the DUID can be stored inside a cookie file in App “n” storage 240-n) (block 440).
  • the application can receive the DUID or the other unique identifier (block 540) and locally store it in a location accessible by the application (block 550).
  • the web-service utilizing the unique identifier uniquely identifying the internet connected device 100, can be used to enable two different applications installed on a certain internet connected device 100 to exchange data therebetween, even in those cases where the two different applications cannot directly exchange data therebetween.
  • one application of the two applications can send data designated to the other application to the web-service, along with an indication of the internet connected device 100 unique identifier (e.g. as obtained at block 540).
  • the web-service can receive the data, and send it to a second application installed on the same internet connected device 100 (identifiable by the unique identifier), e.g. upon the second application requesting to receive the data provided by the first application.
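The Fig. 4 / Fig. 5 exchange, together with the cross-application data exchange built on top of it, as an added Python simulation that is not part of the patent or of any Adswapper code: the VPN tunnel, HTTP server 130 and authentication server 120 are in-memory stand-ins, the JavaScript returned by the web-service is modelled as a Python callable, and the DUID, session ids and message strings are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

TRACE: List[str] = []  # every hop the DUID takes, so the data flow stays visible

class AuthServer:
    """Authentication server 120: records the DUID presented at VPN login."""
    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}  # VPN session id -> DUID

    def authenticate(self, session_id: str, duid: str) -> None:
        self.sessions[session_id] = duid
        TRACE.append(f"auth-server: {session_id} authenticated with DUID {duid}")

class VpnServer:
    """VPN server 110: takes the DUID from the device and authenticates it with 120."""
    def __init__(self, auth: AuthServer) -> None:
        self.auth, self.count = auth, 0

    def connect(self, duid: str) -> str:
        self.count += 1
        session_id = f"sess-{self.count}"  # constructed session id
        self.auth.authenticate(session_id, duid)
        return session_id

class HttpServer:
    """HTTP server 130 inside the VPN: asks server 120 which DUID owns the session."""
    def __init__(self, auth: AuthServer) -> None:
        self.auth = auth

    def identify(self, session_id: str) -> Optional[str]:
        return self.auth.sessions.get(session_id)

@dataclass
class Device:
    """Internet connected device 100 with a pre-configured VPN profile."""
    duid: str                      # lives in data repository 260; apps cannot read it
    vpn: VpnServer
    session_id: Optional[str] = None

    def ensure_vpn(self) -> str:
        # Reaching a host inside the VPN brings the tunnel up; the device itself
        # (not the app) presents the DUID during that hand-shake.
        if self.session_id is None:
            self.session_id = self.vpn.connect(self.duid)
        return self.session_id

@dataclass
class App:
    """An application whose only persistent storage is its own cookie jar (240-x)."""
    name: str
    device: Device
    cookies: Dict[str, str] = field(default_factory=dict)

    def run(self, code: Callable[["App"], str]) -> str:  # blocks 520/530
        return code(self)

class WebService:
    """Third-party web-service on server 170 (blocks 410-440 plus data sharing)."""
    def __init__(self, http_server: HttpServer) -> None:
        self.http_server = http_server
        self.inbox: Dict[str, List[str]] = {}  # DUID -> data left for another app

    def handle_request(self) -> Callable[[App], str]:
        """Block 420: the response is code that the application will execute."""
        def code(app: App) -> str:
            duid = app.cookies.get("duid")   # fast path: identifier already stored
            if duid is None:                 # slow path: go through the VPN
                duid = self.http_server.identify(app.device.ensure_vpn())
            if duid is None:
                raise RuntimeError("VPN authentication did not yield a DUID")
            return self.receive_duid(app, duid)
        return code

    def receive_duid(self, app: App, duid: str) -> str:
        """Block 430: DUID reaches the web-service; block 440: handed back for storage."""
        TRACE.append(f"web-service: {app.name} runs on device {duid}")
        app.cookies["duid"] = duid           # blocks 540/550
        return duid

    def share(self, duid: str, data: str) -> None:   # first app deposits data
        self.inbox.setdefault(duid, []).append(data)

    def fetch(self, duid: str) -> List[str]:         # second app collects it
        return self.inbox.pop(duid, [])

def demo() -> dict:
    auth = AuthServer()
    device = Device(duid="DEVICE-0001", vpn=VpnServer(auth))  # constructed DUID
    service = WebService(HttpServer(auth))
    app_a, app_b = App("App a", device), App("App b", device)
    first = app_a.run(service.handle_request())    # cold start: VPN round-trip
    second = app_a.run(service.handle_request())   # cookie hit: no VPN traffic
    service.share(first, "hello from App a")
    app_b.run(service.handle_request())            # App b resolves to the same device
    received = service.fetch(app_b.cookies["duid"])
    return {"first": first, "second": second, "received": received,
            "vpn_logins": len(auth.sessions), "trace": list(TRACE)}
```

The trace returned by `demo()` makes the review point concrete: an identifier kept in the device's protected repository ends up at the third-party web-service and in the cookie jar of every application that calls it, with only one VPN login needed per device.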
  • FIG. 6 is a flowchart illustrating another example of a sequence of operations carried out by a third-party web service executing on a web-service server for uniquely identifying an internet connected device, in accordance with the presently disclosed subject matter.
  • Fig. 7 is a flowchart illustrating another example of a sequence of operations carried out by an application installed on an internet connected device for uniquely identifying the internet connected device by the third-party web-service, in accordance with the presently disclosed subject matter. Both flowcharts provide a full picture of a second process of uniquely identifying an internet connected device by the web-service.
  • those parts of the second process carried out by the application installed on the internet connected device 100 can be performed utilizing the internet connected device unique identification module 210, and those parts of the second process carried out by the third-party web-service server 170 can be performed utilizing the web-service internet connected device unique identification module 340.
  • the second process begins with a dedicated application installed on an internet connected device 100 performing an initial registration stage during which it sends a web-service a unique identification request, including a current IP address of the internet connected device 100 (block 710). It is to be noted in this respect that whenever the internet connected device 100 sends a request to a web-service, the request includes the IP address of the internet connected device (as a standard part of any TCP/IP implementation of a connection between the internet connected device 100 and the third-party web-service server 170).
  • the request including the current IP address of the internet connected device 100, is received by the web-service (block 610), which is configured to generate a unique identifier uniquely identifying the internet connected device (hereinafter: "Third-Party Service Device Unique Identifier" or "3PDUI") (block 620).
  • the web-service is further configured to store the 3PDUI in association with the current IP address of the internet connected device 100, e.g. in data repository 320 (block 630).
  • the web-service then sends the 3PDUI to the dedicated application, thereby enabling it to store the 3PDUI in a local storage of the internet connected device 100, accessible by the application (e.g. in a cookie file accessible to an internal web-browser of the application) (block 640).
  • the dedicated application can be configured to receive the 3PDUI, and locally store it, in a location accessible thereto (block 720).
  • the dedicated application is further configured to detect a change in the IP address of the internet connected device 100 to a new IP address (e.g. by comparing a stored IP address representative of the latest IP address assigned to the internet connected device 100 known to the dedicated application, with a new IP address assigned to the internet connected device 100) (block 730).
  • the dedicated application can be configured to send the new IP address, and the 3PDUI (obtained at block 720) to the web-service (block 740).
  • the web-service can be configured to receive the new IP address and the 3PDUI sent to it in block 740 (block 650).
  • the web-service can be configured to update the IP address stored in association with the received 3PDUI to the new IP address (block 660).
  • the web-service always has a mapping between the current IP addresses of the internet connected devices and their respective 3PDUIs.
  • any application can approach the web-service with its current IP address, and receive its 3PDUI.
  • the system can be implemented, at least partly, as a suitably programmed computer.
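The Fig. 6 / Fig. 7 registry, as an added Python simulation that is not the patent's code: the web-service keeps the 3PDUI-to-IP mapping of data repository 320, the dedicated application registers once and reports IP changes, and the IP addresses are constructed from the TEST-NET-3 range. It goes one step beyond the text by having the lookup refuse to answer when several registered devices currently sit at the same IP address, which is what happens whenever devices share one NAT gateway.

```python
import uuid
from typing import Dict, List, Optional

class WebService:
    """Server side (blocks 610-660): keeps 3PDUI -> current IP in data repository 320."""
    def __init__(self) -> None:
        self.ip_by_3pdui: Dict[str, str] = {}

    def register(self, ip: str) -> str:
        """Blocks 610-640: generate a 3PDUI, store it against the request's IP, return it."""
        tpdui = str(uuid.uuid4())
        self.ip_by_3pdui[tpdui] = ip
        return tpdui

    def update_ip(self, tpdui: str, new_ip: str) -> bool:
        """Blocks 650-660: move a known 3PDUI to its new IP; unknown ids are rejected."""
        if tpdui not in self.ip_by_3pdui:
            return False
        self.ip_by_3pdui[tpdui] = new_ip
        return True

    def candidates(self, ip: str) -> List[str]:
        """Every 3PDUI currently recorded at this IP."""
        return sorted(t for t, a in self.ip_by_3pdui.items() if a == ip)

    def identify(self, ip: str) -> Optional[str]:
        """Resolve a request's source IP to one 3PDUI; None when none or several match.

        Devices behind one NAT gateway share a public address, so an IP-only
        lookup cannot tell them apart; returning None makes that explicit.
        """
        found = self.candidates(ip)
        return found[0] if len(found) == 1 else None

class DedicatedApp:
    """Device side (blocks 710-740): registers once, then reports IP changes."""
    def __init__(self, service: WebService, current_ip: str) -> None:
        self.service = service
        self.last_ip = current_ip
        self.tpdui = service.register(current_ip)   # blocks 710/720

    def check_ip(self, current_ip: str) -> bool:
        """Blocks 730/740: on a change, send the new IP together with the stored 3PDUI."""
        if current_ip == self.last_ip:
            return False
        self.last_ip = current_ip
        return self.service.update_ip(self.tpdui, current_ip)

def demo() -> dict:
    service = WebService()
    phone = DedicatedApp(service, "203.0.113.10")    # constructed TEST-NET-3 addresses
    tablet = DedicatedApp(service, "203.0.113.20")
    before = service.identify("203.0.113.10") == phone.tpdui
    changed = phone.check_ip("203.0.113.30")          # ISP handed the phone a new address
    unchanged = phone.check_ip("203.0.113.30")        # same address again: nothing is sent
    after = service.identify("203.0.113.30") == phone.tpdui
    stale = service.identify("203.0.113.10")          # old address no longer maps to anyone
    tablet.check_ip("203.0.113.30")                   # tablet now shares the phone's NAT address
    ambiguous = service.identify("203.0.113.30")      # two 3PDUIs at one IP: unresolved
    return {"before": before, "changed": changed, "unchanged": unchanged,
            "after": after, "stale": stale, "ambiguous": ambiguous,
            "nat_candidates": len(service.candidates("203.0.113.30")),
            "unknown_id_rejected": not service.update_ip("not-registered", "203.0.113.40")}
```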
  • the presently disclosed subject matter contemplates a computer program being readable by a computer for executing the disclosed method.
  • the presently disclosed subject matter further contemplates a machine-readable memory tangibly embodying a program of instructions executable by the machine for executing the disclosed method.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Business, Economics & Management (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • Accounting & Taxation (AREA)
  • Development Economics (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Game Theory and Decision Science (AREA)
  • Economics (AREA)
  • Marketing (AREA)
  • General Business, Economics & Management (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

A method for uniquely identifying, by a third-party web-service, an internet connected device having a device unique identifier, the device unique identifier being inaccessible by an application installed on the internet connected device and calling the third-party web-service when executed, the method comprising: receiving a request from the application by the third-party web-service; sending, by the third-party web-service, a response to the application, the response comprising executable code configured to attempt, when executed by the application, to communicate with a server located within a Virtual Private Network (VPN), thereby triggering a VPN authentication process for connecting the internet connected device to the VPN, the VPN authentication process comprising sending the device unique identifier to an authentication server by the internet connected device; and receiving, by the third-party web-service, the device unique identifier obtained from the authentication server, thereby uniquely identifying the internet connected device by the third-party web-service.
PCT/US2018/020819 2017-04-13 2018-03-04 System and methods for uniquely identifying internet connected devices WO2018190969A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201762485118P 2017-04-13 2017-04-13
US62/485,118 2017-04-13

Publications (1)

Publication Number Publication Date
WO2018190969A1 true WO2018190969A1 (fr) 2018-10-18

Family

ID=63793456

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2018/020819 WO2018190969A1 (fr) 2017-04-13 2018-03-04 System and methods for uniquely identifying internet connected devices

Country Status (1)

Country Link
WO (1) WO2018190969A1 (fr)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150222629A1 (en) * 2012-12-23 2015-08-06 Mcafee, Inc. Hardware-based device authentication
US20150381621A1 (en) * 2014-06-27 2015-12-31 Citrix Systems, Inc. Enterprise Authentication Via Third Party Authentication Support



Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 18784381; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 18784381; Country of ref document: EP; Kind code of ref document: A1)