Distributed single sign-on
First Claim
1. A method for use, at an authentication server being one of a plurality of n such authentication servers connectable to a user computer via a network, in generating a cryptographic token for authenticating the user computer to one of plurality of verifier servers under a username identifying the user computer to that verifier server, the method comprising:
- storing one of n cryptographic shares of password data, which is dependent on a predetermined user password, such that a plurality t1<
n of the n password data shares, each being stored by a respective one of the n authentication servers, is needed to determine if said user password matches a password attempt;
storing one of n cryptographic shares of secret data, which enables determination of said username for each verifier server, such that a plurality t2=t1 of the n secret data shares, each being stored by a respective one of the n authentication servers, is needed to reconstruct the secret data, wherein said username is different for every verifier server, and wherein said secret data comprises data indicative of said username for each verifier server;
on receipt from the user computer of an authentication request sent to each of at least t1 authentication servers on input of a password attempt at the user computer, communicating via said network to implement an authentication procedure in which said password data shares of those authentication servers are used to determine if said user password matches the password attempt and, if so, the user computer receives at least t2 secret data shares from respective authentication servers;
on receipt from the user computer of a token request sent to each of at least a plurality T=t1 of said at least t1 authentication servers on reconstruction of said secret data, communicating with the user computer to implement a token generation procedure in which, via communication with said at least T authentication servers, the user computer uses said secret data to generate a cryptographic token for authenticating the user computer to a selected verifier server, secret from said at least T servers, under said username for the selected verifier server.
1 Assignment
0 Petitions
Accused Products
Abstract
Respective cryptographic shares of password data, dependent on a user password, are provided at n authentication servers. A number t1≤n of the password data shares determine if the user password matches a password attempt. Respective cryptographic shares of secret data, enabling determination of a username for each verifier server, are provided at n authentication servers. A number t2≤t1 of the shares reconstruct the secret data. For a password attempt, the user computer communicates with at least t1 authentication servers to determine if the user password matches the password attempt and, if so, the user computer receives at least t2 secret data shares from respective authentication servers. The user computer uses the secret data to generate, with T≤t1 of said t1 servers, a cryptographic token for authenticating the user computer to a selected verifier server, secret from said at least T servers, under said username.
-
Citations
1 Claim
-
1. A method for use, at an authentication server being one of a plurality of n such authentication servers connectable to a user computer via a network, in generating a cryptographic token for authenticating the user computer to one of plurality of verifier servers under a username identifying the user computer to that verifier server, the method comprising:
-
storing one of n cryptographic shares of password data, which is dependent on a predetermined user password, such that a plurality t1<
n of the n password data shares, each being stored by a respective one of the n authentication servers, is needed to determine if said user password matches a password attempt;storing one of n cryptographic shares of secret data, which enables determination of said username for each verifier server, such that a plurality t2=t1 of the n secret data shares, each being stored by a respective one of the n authentication servers, is needed to reconstruct the secret data, wherein said username is different for every verifier server, and wherein said secret data comprises data indicative of said username for each verifier server; on receipt from the user computer of an authentication request sent to each of at least t1 authentication servers on input of a password attempt at the user computer, communicating via said network to implement an authentication procedure in which said password data shares of those authentication servers are used to determine if said user password matches the password attempt and, if so, the user computer receives at least t2 secret data shares from respective authentication servers; on receipt from the user computer of a token request sent to each of at least a plurality T=t1 of said at least t1 authentication servers on reconstruction of said secret data, communicating with the user computer to implement a token generation procedure in which, via communication with said at least T authentication servers, the user computer uses said secret data to generate a cryptographic token for authenticating the user computer to a selected verifier server, secret from said at least T servers, under said username for the selected verifier server.
-
Specification
-
- Resources
-
Current AssigneeInternational Business Machines Corporation
-
Original AssigneeInternational Business Machines Corporation
-
InventorsCamenisch, Jan, Gilad, Yossi, Lehmann, Anja, Nagy, Zoltan A., Neven, Gregory
-
Primary Examiner(s)Smithers, Matthew
-
Application NumberUS16/007,353Publication NumberTime in Patent Office202 DaysField of SearchUS Class CurrentCPC Class CodesG06F 21/41 where a single sign-on prov...H04L 63/0815 providing single-sign-on or...H04L 9/085 Secret sharing or secret sp...H04L 9/30 Public key, i.e. encryption...H04L 9/3213 using tickets or tokens, e....H04L 9/3236 using cryptographic hash fu...H04L 9/3247 involving digital signatures
