Distributed single sign-on
First Claim
1. A user computer, connectable via a network to a plurality of verifier servers and a plurality n of authentication servers, for generating a cryptographic token for authenticating the user computer to a said verifier server under a username identifying the user computer to that verifier server, wherein the n authentication servers store respective cryptographic shares of password data, which is dependent on a predetermined user password, such that a plurality t1≤
- n of the password data shares is needed to determine if said user password matches a password attempt, and further store respective cryptographic shares of secret data, which enables determination of said username for each verifier server, such that a plurality t2≤
t1 of the secret data shares is needed to reconstruct the secret data, the user computer comprising a user interface for input of a password attempt, and control logic adapted;
on input via the user interface of a password attempt, to communicate via said network with at least t1 authentication servers to implement an authentication procedure in which said password data shares of those authentication servers are used to determine if said user password matches the password attempt and, if so, the user computer receives at least t2 secret data shares from respective authentication servers; and
on receipt of said secret data shares, to reconstruct and use said secret data to generate, via communication with at least a plurality T≤
t1 of said at least t1 servers, a cryptographic token for authenticating the user computer to a selected verifier server, secret from said at least T servers, under said username for the selected verifier server.
1 Assignment
0 Petitions
Accused Products
Abstract
Respective cryptographic shares of password data, dependent on a user password, are provided at n authentication servers. A number t1≤n of the password data shares determine if the user password matches a password attempt. Respective cryptographic shares of secret data, enabling determination of a username for each verifier server, are provided at n authentication servers. A number t2≤t1 of the shares reconstruct the secret data. For a password attempt, the user computer communicates with at least t1 authentication servers to determine if the user password matches the password attempt and, if so, the user computer receives at least t2 secret data shares from respective authentication servers. The user computer uses the secret data to generate, with T≤t1 of said t1 servers, a cryptographic token for authenticating the user computer to a selected verifier server, secret from said at least T servers, under said username.
16 Citations
2 Claims
-
1. A user computer, connectable via a network to a plurality of verifier servers and a plurality n of authentication servers, for generating a cryptographic token for authenticating the user computer to a said verifier server under a username identifying the user computer to that verifier server, wherein the n authentication servers store respective cryptographic shares of password data, which is dependent on a predetermined user password, such that a plurality t1≤
- n of the password data shares is needed to determine if said user password matches a password attempt, and further store respective cryptographic shares of secret data, which enables determination of said username for each verifier server, such that a plurality t2≤
t1 of the secret data shares is needed to reconstruct the secret data, the user computer comprising a user interface for input of a password attempt, and control logic adapted;on input via the user interface of a password attempt, to communicate via said network with at least t1 authentication servers to implement an authentication procedure in which said password data shares of those authentication servers are used to determine if said user password matches the password attempt and, if so, the user computer receives at least t2 secret data shares from respective authentication servers; and on receipt of said secret data shares, to reconstruct and use said secret data to generate, via communication with at least a plurality T≤
t1 of said at least t1 servers, a cryptographic token for authenticating the user computer to a selected verifier server, secret from said at least T servers, under said username for the selected verifier server. - View Dependent Claims (2)
- n of the password data shares is needed to determine if said user password matches a password attempt, and further store respective cryptographic shares of secret data, which enables determination of said username for each verifier server, such that a plurality t2≤
Specification