Session key secruity protocol

US 20030217288A1
Filed: 05/15/2002
Published: 11/20/2003
Est. Priority Date: 05/15/2002
Status: Active Grant

First Claim

Patent Images

1. A method of securing information in a multi-site authentication system, said method comprising:

generating an authentication ticket from a first network server, said ticket including information associated with a user of a client computer, said first network server and said client computer being coupled to a data communication network;

encrypting content of the ticket, by the first network server, using a shared symmetric key, said shared key being shared by the first network server and a second network server, said second network server also being coupled to the data communication network;

encrypting the shared key, by the first network server, using a public key associated with the second network server; and

directing the client computer along with the ticket from the first network server to the second network server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security protocol for use in a multi-site authentication system. After authenticating a user, an authentication server generates a ticket including information associated with the user. The authentication server encrypts content of the ticket using a symmetric key shared with an affiliate server. The affiliate server has a public key that the authentication server uses to encrypt the shared key. The authentication server has private key for creating a signature on the ticket. The affiliate server decrypts the shared key with its private key and then decrypts the content of the ticket using the decrypted shared key. The affiliate server validates the signature with the authentication server'"'"'s public key.

Citations

32 Claims

1. A method of securing information in a multi-site authentication system, said method comprising:
- generating an authentication ticket from a first network server, said ticket including information associated with a user of a client computer, said first network server and said client computer being coupled to a data communication network;
  
  encrypting content of the ticket, by the first network server, using a shared symmetric key, said shared key being shared by the first network server and a second network server, said second network server also being coupled to the data communication network;
  
  encrypting the shared key, by the first network server, using a public key associated with the second network server; and
  
  directing the client computer along with the ticket from the first network server to the second network server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1 further comprising:
    - decrypting the encrypted shared key, by the second network server, using a private key associated with the second network server; and
      
      decrypting the content of the ticket, by the second network server, using the decrypted shared key.
  - 3. The method of claim 1 further comprising generating a signature for the ticket using a private key associated with the first network server.
  - 4. The method of claim 3 wherein the ticket includes the content encrypted by the shared key, the shared key, and the signature.
  - 5. The method of claim 3 wherein the signature includes address information for the second network server and further comprising identifying, by the second network server, its own address information in the signature to validate the signature.
  - 6. The method of claim 1 wherein the shared key comprises a randomly generated, single-use session key.
  - 7. The method of claim 1 further comprising transporting the ticket from the first network server to the second network server over a privacy-enhanced protocol.
  - 8. The method of claim 1 wherein the first network server is an authentication server associated with the multi-site user authentication system and further comprising retrieving login information from the user for authenticating the user before generating the ticket.
  - 9. The method of claim 8 wherein the content of the ticket includes the retrieved login information.
  - 10. The method of claim 8 wherein the retrieved login information includes a login ID and a password associated with the login ID.
  - 11. The method of claim 8 further comprising, before authenticating the user, determining whether the user was already authenticated and, if the user was not already authenticated, then retrieving the login information from the user and authenticating the user with the authentication server by comparing the login information with authentication information stored in a database associated with the authentication server.
  - 12. The method of claim 1 further comprising receiving a request from the user via a browser of the client computer, said request being for a selected service to be provided by the second network server.
  - 13. The method of claim 1 wherein the second network server is a portal for providing the user with a gateway to services provided by one or more other network servers coupled to the data communication network.
  - 14. The method of claim 1 wherein the network servers are web servers and the data communication network is the Internet.
  - 15. The method of claim 1 wherein one or more computer-readable media have computer-executable instructions for performing the method of claim 1.

16. A system of securing information comprising an authentication server associated with a multi-site user authentication system, said authentication server retrieving login information from a user of a client computer for authenticating the user, said authentication server further generating an authentication ticket after authenticating the user, said ticket including information associated with the user of the client computer, said authentication server having a shared symmetric key for encrypting content of the ticket, said shared key being shared by the authentication server and an affiliate server, said affiliate server having a public key and said authentication server using the public key to encrypt the shared key.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 17. The system of claim 16 wherein the affiliate server has a private key for decrypting the encrypted shared key, said affiliate server decrypting the content of the ticket using the decrypted shared key.
  - 18. The system of claim 16 wherein the authentication server has a private key for generating a signature for the ticket.
  - 19. The system of claim 18 wherein the ticket includes the content encrypted by the shared key, the shared key, and the signature.
  - 20. The system of claim 18 wherein the signature includes address information for the affiliate server, said affiliate server validating the signature by identifying its own address information in the signature.
  - 21. The system of claim 16 wherein the shared key comprises a randomly generated, single-use session key.
  - 22. The system of claim 16 further comprising a database associated with the authentication server, said database storing login information for comparison with the login information retrieved from the user.
  - 23. The system of claim 16 further comprising a browser of the client computer, said affiliate server receiving a request from the user via the browser for a selected service to be provided by the affiliate server.
  - 24. The system of claim 16 wherein the affiliate server is a portal for providing the user with a gateway to services provided by one or more network servers coupled to the data communication network.
  - 25. The system of claim 16 wherein the affiliate server is a web server and the data communication network is the Internet.

26. A method of securing information in a multi-site authentication system, said method comprising:
- generating an authentication ticket from a first network server, said ticket including information associated with a user of a client computer, said first network server and said client computer being coupled to a data communication network;
  
  generating a signature for the ticket using a private key associated with the first network server, said signature including address information for a second network server, said second network server also being coupled to the data communication network;
  
  directing the client computer along with the ticket from the first network server to the second network server over a privacy-enhanced protocol; and
  
  identifying, by the second network server, its own address information in the signature to validate the signature.
- View Dependent Claims (27)
- - 27. The method of claim 26 wherein the privacy-enhanced protocol is a secure socket layer protocol.

28. A security protocol for use in a multi-site authentication system comprising:
- a shared symmetric key, said shared key being shared by a first network server and a second network server, said first network server encrypting content of an authentication ticket that includes information associated with a user of a client computer using the shared key, said first and second network servers and said client computer being coupled to a data communication network;
  
  a public key associated with the second network server, said first network server encrypting the shared key using the public key; and
  
  a private key associated with the second network server;
  
  said second network server decrypting the encrypted shared key using the private key and decrypting the content of the ticket using the decrypted shared key.
- View Dependent Claims (29, 30, 31, 32)
- - 29. The protocol of claim 28 further comprising a private key associated with the first network server, said first network server generating a signature for the ticket using its private key.
  - 30. The protocol of claim 29 wherein the ticket includes the content encrypted by the shared key, the shared key, and the signature.
  - 31. The protocol of claim 29 wherein the signature includes address information for the second network server and wherein the second network server validates the signature by identifying its own address information in the signature.
  - 32. The protocol of claim 28 wherein the shared key comprises a randomly generated, single-use session key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Guo, Wei-Quiang Michael, Chan, Kok Wai, Howard, John Hal

Granted Patent

US 7,523,490 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G06F 21/33   using certificates

G06F 21/41   where a single sign-on prov...

H04L 2209/60   Digital content management,...

H04L 63/045   wherein the sending and rec...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 9/0844   with user authentication or...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3247   involving digital signatures

Session key secruity protocol

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Session key secruity protocol

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links