Method for performing on behalf of a registered user an operation on data stored on a publicly accessible data access server
Abstract
A method and system for performing on behalf of a registered user an operation on data stored on a publicly accessible data access server coupled to a client machine used by the registered user in such a manner as to prevent unauthorized users from using the data and without requiring decryption by the client machine. The registered user has a unique identifier known to the data access server and further has a password accessible to the data access server. The unique identifier is saved in the data access server in a user space associated with the registered user, who further has a public key and a private key that is encrypted with the password to generate an encrypted private key that is stored together with the public key in the user space. The data access server receives from a user a login request including an identifier of the user and supplementary data that may be used to authenticate the user. It receives a request by a registered user for performing an operation together with a session ID of the user that is allocated to the user during login and is known to a login server connected to the data access server. It communicates the session ID to the login server for identification thereby, and receives from the login server the user's password encrypted in such a manner as to enable decryption by the data access server. The encrypted password is decrypted so as to derive the password associated with the user during the login request, thus enabling the data access server to decrypt the encrypted private key of the registered user and use the registered user's private key to perform the requested operation.
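The exchange described in the abstract, as an added example that is not part of the patent text. All class and function names are hypothetical, and the sketch assumes standard-library stand-ins: an HMAC-SHA256 encrypt-then-MAC construction in place of a real cipher, a pre-shared `link_key` between the two servers, and a random 32-byte secret in place of the asymmetric private key (the public key is omitted).

```python
import hashlib, hmac, secrets

def prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def stream(key, nonce, n):  # HMAC-based keystream, short messages only
    return b"".join(prf(key, b"enc", nonce + bytes([i])) for i in range(n // 32 + 1))

def seal(key, pt):  # stand-in for an authenticated cipher (assumption)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, stream(key, nonce, len(pt))))
    return nonce + ct + prf(key, b"mac", nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(key, b"mac", nonce + ct)):
        return None  # wrong key or tampered blob: decryption "fails"
    return bytes(a ^ b for a, b in zip(ct, stream(key, nonce, len(ct))))

def pw_key(password, salt):  # key that wraps the private key, derived from the password
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

class LoginServer:
    def __init__(self, link_key):
        self.link_key, self.sessions = link_key, {}
    def login(self, user_id, password):  # allocates the session ID
        sid = secrets.token_hex(16)
        self.sessions[sid] = (user_id, password)
        return sid
    def password_for(self, sid):  # session ID in, encrypted password out
        entry = self.sessions.get(sid)
        return entry and (entry[0], seal(self.link_key, entry[1]))

class DataAccessServer:
    def __init__(self, link_key, login_server):
        self.link_key, self.login_server, self.user_space = link_key, login_server, {}
    def register(self, user_id, password):  # returns the key only so the demo can check it
        salt, priv = secrets.token_bytes(16), secrets.token_bytes(32)
        self.user_space[user_id] = (salt, seal(pw_key(password, salt), priv))
        return priv
    def perform(self, sid, data):  # steps (c)(i) to (vi) of claim 1
        reply = self.login_server.password_for(sid)
        if not reply or reply[0] not in self.user_space:
            return None
        password = unseal(self.link_key, reply[1])
        salt, enc_priv = self.user_space[reply[0]]
        priv = password and unseal(pw_key(password, salt), enc_priv)
        return prf(priv, b"op", data) if priv else None  # stand-in private-key operation
```

Because the private key is stored under an authenticated wrapping, a session opened with the wrong password fails at the "attempting to decrypt" step and no operation is performed.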
23 Claims
1. A method for performing on behalf of a registered user an operation on data stored on a publicly accessible data access server coupled to a client machine used by the registered user in such a manner as to prevent unauthorized users from using said data and without requiring decryption by the client machine, said registered user having a unique identifier known to the data access server and further having a password accessible to the data access server, said unique identifier being saved in the data access server in a user space associated with the registered user, said registered user further having a public key and a private key that is encrypted with said password to generate an encrypted private key that is stored together with the public key in said user space, the method comprising the following steps all carried out by the data access server:
(a) receiving from a user a login request including an identifier of said user and supplementary data that may be used to authenticate the user,
(b) verifying that the user is a registered user,
(c) if the user is a registered user;
  i) receiving a request by the registered user for performing said operation together with a session ID of said user that is allocated to the user during login and is known to the login server,
  ii) communicating the session ID of said user to the login server for identification thereby,
  iii) receiving from the login server the user's password encrypted in such a manner as to enable decryption by the data access server,
  iv) decrypting the encrypted password so as to derive the password associated with the user during the login request,
  v) attempting to decrypt the encrypted private key of the registered user having said unique identifier using said password, and
  vi) if the registered user's private key is successfully decrypted, using the registered user's private key to perform said operation on behalf of the registered user.

11. A method for performing on behalf of an authorized user an operation on data stored on a publicly accessible data access server coupled to a client machine used by the registered user in such a manner as to prevent unauthorized users from using said data and without requiring decryption by the client machine, said user having a unique identifier known to the data access server and further having a password accessible to the data access server, said unique identifier being saved in the data access server in a user space associated with the registered user, said authorized user further having a public key and a private key that is encrypted with said password to generate an encrypted private key that is stored together with the public key in said user space, the method comprising the following steps all carried out by a login server coupled to the data access server:
(a) receiving from the data access server a session ID of said user associated with a current session that is allocated to the user during login and is known to the login server,
(b) using the session ID of said user to retrieve the user's password, and
(c) sending to the data access server the user's password encrypted in such a manner as to enable the data access server to;
  i) decrypt the encrypted password so as to derive the password associated with the user during a login request,
  ii) attempt to decrypt the encrypted private key of the registered user having said unique identifier using said password, and
  iii) if the registered user's private key is successfully decrypted, using the registered user's private key to perform said operation on behalf of the registered user.

19. A program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for performing on behalf of a registered user an operation on data stored on a publicly accessible data access server coupled to a client machine used by the registered user in such a manner as to prevent unauthorized users from using said data and without requiring decryption by the client machine, said registered user having a unique identifier known to the data access server and further having a password accessible to the data access server, said unique identifier being saved in the data access server in a user space associated with the registered user, said registered user further having a public key and a private key that is encrypted with said password to generate an encrypted private key that is stored together with the public key in said user space, the method comprising the following steps:
(a) receiving from a user a login request including an identifier of said user and supplementary data that may be used to authenticate the user,
(b) verifying that the user is a registered user,
(c) if the user is a registered user;
  i) receiving a request by the registered user for performing said operation together with a session ID of said user that is allocated to the user during login and is known to the login server,
  ii) communicating the session ID of said user to the login server for identification thereby,
  iii) receiving from the login server the user's password encrypted in such a manner as to enable decryption by the data access server,
  iv) decrypting the encrypted password so as to derive the password associated with the user during the login request,
  v) attempting to decrypt the encrypted private key of the registered user having said unique identifier using said password, and
  vi) if the registered user's private key is successfully decrypted, using the registered user's private key to perform said operation on behalf of the registered user.

20. A computer program product comprising a computer useable medium having computer readable program code embodied therein for performing on behalf of a registered user an operation on data stored on a publicly accessible data access server coupled to a client machine used by the registered user in such a manner as to prevent unauthorized users from using said data and without requiring decryption by the client machine, said registered user having a unique identifier known to the data access server and further having a password accessible to the data access server, said unique identifier being saved in the data access server in a user space associated with the registered user, said registered user further having a public key and a private key that is encrypted with said password to generate an encrypted private key that is stored together with the public key in said user space, the computer program product comprising:
computer readable program code for causing the computer to receive from a user a login request including an identifier of said user and supplementary data that may be used to authenticate the user,
computer readable program code for causing the computer to verify that the user is a registered user,
computer readable program code responsive to the user being a registered user for causing the computer to receive a request by the registered user for performing said operation together with a session ID of said user that is allocated to the user during login and is known to the login server,
computer readable program code responsive to the user being a registered user for causing the computer to communicate the session ID of said user to the login server for identification thereby,
computer readable program code responsive to the user being a registered user for causing the computer to receive from the login server the user's password encrypted in such a manner as to enable decryption by the data access server,
computer readable program code responsive to the user being a registered user for causing the computer to decrypt the encrypted password so as to derive the password associated with the user during the login request,
computer readable program code responsive to the user being a registered user for causing the computer to attempt to decrypt the encrypted private key of the registered user having said unique identifier using said password, and
computer readable program code responsive to the user being a registered user and to the registered user's private key being successfully decrypted for causing the computer to use the registered user's private key to perform said operation on behalf of the registered user.

21. A data access server for effecting a secure transaction on behalf of a user accessing the data access server via a client machine, the data access server comprising:
a first communication port for coupling the client machine thereto,
a second communication port for coupling a login server thereto,
a processor coupled to the first communication port and to the second communication port,
a memory coupled to the processor storing a user identity in respect of a registered user and a private key encrypted with a password of said user,
a receive unit coupled to the processor for receiving from a user a login request including an identifier of said user and supplementary data that may be used to authenticate the user,
a verification unit coupled to the receive unit for verifying that a user is registered,
a command unit coupled to the processor for receiving a request by the registered user for performing a desired operation together with a session ID of said user that is allocated to the user during login and is known to the login server,
a password retrieval unit coupled to the second communication port for communicating the session ID of the user to the login server for identification thereby and for receiving from the login server the user's password encrypted in such a manner as to enable decryption by the data access server,
a first decryption unit coupled to the password retrieval unit for decrypting the encrypted password so as to derive the password associated with the user during a login request, and
a second decryption unit for decrypting the encrypted private key of the registered user having said unique identifier using said password.

23. A login server comprising:
a communication port for coupling a data access server thereto,
a processor coupled to the communication port,
a memory coupled to the processor storing a user identity in respect of a registered user and an encrypted password of said user,
a login request unit coupled to the processor for receiving from the data access server a login request including an identifier of said user,
a session ID allocation unit coupled to the login request unit for allocating a session ID relating to a current connection session with the data access server and storing the session ID in said memory in association with the user identity of said user,
a password retrieval unit coupled to the communication port for receiving the session ID from the data access server and retrieving the encrypted password of the user,
a decryption unit coupled to the password retrieval unit for decrypting the encrypted password so as to derive the password associated with the user during a login request, and
an encryption unit coupled to the decryption unit for encrypting the private key of the registered user in such a manner as to enable decryption by the data access server.

Specification