Single sign-on process

US 20030012382A1
Filed: 07/29/2002
Published: 01/16/2003
Est. Priority Date: 02/08/2000
Status: Active Grant

First Claim

Patent Images

1. Single sign-on process allowing a mobile user with a mobile equipment to remote-access a remote location, comprising the steps of:

(1) sending a first authenticator over a first communication layer to a first intermediate equipment between said mobile equipment and said remote location, (2) verifying in said first intermediate equipment said first authenticator sent by said mobile equipment, (3) if said first authenticator is accepted by said first intermediate equipment, completing the communication layer between said mobile equipment and said intermediate equipment, (4) repeating steps (1) to (3) with a plurality of successive intermediate equipment and over a plurality of successive communication layers, until a communication has been completed at the last requested communication layer between said mobile equipment and said remote location, characterised in that at least a plurality of said authenticators are furnished by a smart-card in said mobile equipment.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Single sign-on process allowing a mobile user with a mobile phone or with a laptop to remote-access a remote server, comprising the steps of:

(1) sending a first authenticator over a first communication layer to a first intermediate equipment between said mobile equipment and said remote server,

(2) verifying in said first intermediate equipment said first authenticator sent by said mobile equipment,

(3) if said first authenticator is accepted by said first intermediate equipment, completing the communication layer between said mobile equipment and said intermediate equipment,

(4) repeating steps (1) to (3) with a plurality of successive intermediate equipment and over a plurality of successive communication layers, until a communication has been completed at the last requested communication layer between said mobile equipment and said remote server,

wherein at least a plurality of said authenticators are furnished by a smart-card in said mobile equipment.

167 Citations

38 Claims

1. Single sign-on process allowing a mobile user with a mobile equipment to remote-access a remote location, comprising the steps of:
- (1) sending a first authenticator over a first communication layer to a first intermediate equipment between said mobile equipment and said remote location, (2) verifying in said first intermediate equipment said first authenticator sent by said mobile equipment, (3) if said first authenticator is accepted by said first intermediate equipment, completing the communication layer between said mobile equipment and said intermediate equipment, (4) repeating steps (1) to (3) with a plurality of successive intermediate equipment and over a plurality of successive communication layers, until a communication has been completed at the last requested communication layer between said mobile equipment and said remote location, characterised in that at least a plurality of said authenticators are furnished by a smart-card in said mobile equipment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. Single sign-on process according to claim 1, wherein at least one of said intermediate equipment delegates the verification of the corresponding authenticator to a third equipment.
  - 3. Single sign-on process according to one of the claims 1 or 2, wherein said authenticators are delivered by said smart-card to a software module in said mobile equipment which sends it to said intermediate equipment.
  - 4. Single sign-on process according to claim 3, wherein said software module initially prompts said user to enter his secret, and wherein said first authenticator is only sent if the secret entered by said user is correct.
  - 5. Single sign-on process according to claim 4, wherein said secret is verified in said smart-card.
  - 6. Single sign-on process according to claim 5, wherein said secret is the same as the secret requested for the domain authentication in said remote location.
  - 7. Single sign-on process according to claim 1, wherein said mobile equipment comprises a cellular phone equipment.
  - 8. Single sign-on process according to claim 7, wherein said smart-card is a SIM card.
  - 9. Single sign-on process according to one of the claims 7 or 8, wherein said smart-card is a WIM card.
  - 10. Single sign-on process according to one of the claims 7 to 9, wherein said first communication layer is a cellular mobile phone layer, said intermediate equipment being a fixed equipment in said cellular mobile phone system, and said first authenticator being used for authenticating said mobile user in said cellular mobile phone system.
  - 11. Single sign-on process according to one of the preceding claims, wherein at least one of said authenticators is stored in said smart-card.
  - 12. Single sign-on process according to one of the preceding claims, wherein at least one of said authenticators is computed in said smart-card.
  - 13. Single sign-on process according to the preceding claim, wherein at least one of said authenticators is computed in said smart-card using a cryptographic function using at least one key.
  - 14. Single sign-on process according to the preceding claim, wherein said cryptographic function uses a symmetric algorithm.
  - 15. Single sign-on process according to the claim 13, wherein said cryptographic function uses an asymmetric algorithm.
  - 16. Single sign-on process according to one of the claim 13 to 15, wherein said at least one key is stored in said smart-card.
  - 17. Single sign-on process according to one of the preceding claims, wherein at least one of said communication layers is the internet, one of said intermediate equipment is an ISP server, and one of said authenticators is used by said ISP for verifying the identity of said user and granting him access to the internet.
  - 18. Single sign-on process according to one of the preceding claims, wherein at least one of said communication layers is an IPSEC layer, one of said intermediate equipment is an IPSEC gateway, and one of said authenticators is used by said IPSEC gateway for verifying the identity of said user and granting him access to a network.
  - 19. Single sign-on process according to one of the preceding claims, wherein at least one of said authenticators is used by said remote location for verifying the identity of said user and granting him access to a remote domain.
  - 20. Single sign-on process according to one of the preceding claims, further comprising the steps of:
    - replacing a secret requested for accessing said remote location with a new secret in said remote location, concatenating and encrypting the old and the new secret with a synchronization public key of said mobile equipment in said remote location, entering the new secret in said mobile equipment, transmitting the concatenated and encrypted old and new secrets to said mobile equipment, decrypting said old and new secrets with a synchronization private key of said mobile equipment and corresponding to said synchronization public key, comparing said old decrypted secret with the secret stored in said mobile equipment, and comparing said decrypted new secret with said new secret entered in said mobile equipment, if both comparisons are positive, replacing said secret stored in said mobile equipment with said decrypted new secret, otherwise denying replacement of secret.

21. Smart-card that can be used in a mobile equipment for authenticating the user of said mobile equipment in order to remote-access a remote location, characterised by processing means for delivering a plurality of authenticators for authenticating said user in a plurality of intermediate equipment in order to establish a plurality of successive communication layers between said mobile equipment and said remote location.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 22. Smart-card according to claim 21, wherein said mobile equipment comprises a cellular phone equipment.
  - 23. Smart-card according to claim 22, which is a SIM card.
  - 24. Smart-card according to one of the claims 21 to 23, wherein at least one of said authenticators is stored in said smart-card.
  - 25. Smart-card according to one of the claims 21 to 24, wherein at least one of said authenticators is computed in said smart-card.
  - 26. Smart-card according to the preceding claim, wherein at least one of said authenticators is computed in said smart-card using a cryptographic function using at least one key.
  - 27. Smart-card according to the preceding claim, wherein said at least one key is stored in said smart-card.
  - 28. Smart-card according to one of the claims 21 to 27, wherein at least one authenticator can be used by an ISP for verifying the identity of said user and granting him access to the internet.
  - 29. Smart-card according to one of the claims 21 to 28, wherein at least one authenticator can be used by an IPSEC gateway for verifying the identity of said user and granting him access to a corporate network.
  - 30. Smart-card according to one of the claims 21 to 29, wherein at least one authenticator can be used by a remote location in a corporate network for verifying the identity of said user and granting him access to a remote domain.
  - 31. Smart-card according to one of the claims 21 to 30, further comprising:
    - a synchronization private key for decrypting an old and a new secret encrypted with a corresponding synchronization public key, comparison means for comparing said old decrypted secret with the secret stored in said mobile equipment, and comparing said decrypted new secret with a new secret entered in said mobile equipment, means for replacing said secret stored in said mobile equipment with said decrypted new secret when both comparisons are positive.

32. Smart-card comprising:
- a synchronization private key for decrypting an old and a new secret encrypted with a corresponding synchronization public key, comparison means for comparing said old decrypted secret with the secret stored in said mobile equipment, and comparing said decrypted new secret with a new secret entered in said mobile equipment, means for replacing said secret stored in said mobile equipment with said decrypted new secret when both comparisons are positive.
- View Dependent Claims (33)
- - 33. Smart-card according to claim 32, which is a SIM card.

34. Process for replacing a secret in a plurality of equipment in a network, comprising the steps of:
- replacing an old secret by a new secret in a first equipment, encrypting the old and the new secret with a synchronization public key of a second equipment in said first equipment, entering the new secret in said second equipment, transmitting the encrypted old and new secrets to said second equipment, decrypting said old and new secret with a synchronization private key of said second equipment and corresponding to said synchronization public key, comparing said old decrypted secret with the secret stored in said second equipment, and comparing said decrypted new secret with said secret entered in said second equipment, if both comparisons are positive, replacing said secret stored in said second equipment with said decrypted new secret, otherwise denying replacement of secret.
- View Dependent Claims (35, 36, 37, 38)
- - 35. Process according to the preceding claim, wherein said old and new secrets are concatenated before encryption.
  - 36. Process according to the preceding claim, wherein said second equipment is a mobile equipment.
  - 37. Process according to one of the claims 34 to 36, wherein said synchronization private key is stored in a smart-card.
  - 38. Process according to one of the claims 34 to 37, wherein supplementary fields containing the date, time and/or the sequence number are added to said encrypted old and new secrets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VL Collective IP, LLC (VideoLabs, Inc.)
Original Assignee
Swisscom Mobile AG (Government of Switzerland)
Inventors
Ferchichi, Azim, Lauper, Eric

Granted Patent

US 7,058,180 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/270
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/41   where a single sign-on prov...

H04L 63/0442   wherein the sending and rec...

H04L 63/062   for key distribution, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

H04L 63/164   at the network layer

H04L 67/04   specially adapted for termi...

H04L 67/14   Session management for real...

H04W 12/02   Protecting privacy or anony...

H04W 12/04   Key management, e.g. using ...

H04W 12/06   Authentication

H04W 12/082   using revocation of authori...

H04W 8/265   for initial activation of n...

Single sign-on process

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

167 Citations

38 Claims

Specification

Use Cases

Quick Links

Others

Single sign-on process

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

167 Citations

38 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others