Single sign-on over the internet using public-key cryptography

US 20050074126A1
Filed: 01/29/2002
Published: 04/07/2005
Est. Priority Date: 01/29/2002
Status: Active Grant

First Claim

Patent Images

1. A method for use in an authentication server for obtaining access to a secure server for a client that has issued a request for access to the secure server, without further intervention by the user of the client, the method comprising:

receiving an authentication challenge sent by the secure server to the client; and

generating a ticket having a digital signature applied using a private key of the authentication server; and

wherein the secure server, upon receiving the ticket and verifying the digital signature using a public key corresponding to the private key of the authentication server, grants access to the client.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer program product, apparatus, and method for use in an authentication server for obtaining access to a secure server for a client that has issued a request for access to the secure server, without further intervention by the user of the client, includes receiving an authentication challenge sent by the secure server to the client; and generating a ticket having a digital signature applied using a private key of the authentication server; and wherein the secure server, upon receiving the ticket and verifying the digital signature using a public key corresponding to the private key of the authentication server, grants access to the client.

251 Citations

104 Claims

1. A method for use in an authentication server for obtaining access to a secure server for a client that has issued a request for access to the secure server, without further intervention by the user of the client, the method comprising:
- receiving an authentication challenge sent by the secure server to the client; and
  
  generating a ticket having a digital signature applied using a private key of the authentication server; and
  
  wherein the secure server, upon receiving the ticket and verifying the digital signature using a public key corresponding to the private key of the authentication server, grants access to the client.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, further comprising:
    - authenticating the client based on a previous successful authentication of the client before generating the ticket.
  - 3. The method of claim 2, wherein authenticating comprises:
    - receiving a ticket-granting ticket from the client, the ticket-granting ticket previously sent to the client by the authentication server after a successful authentication of the client in which the client supplied a security credential.
  - 4. The method of claim 3, further comprising:
    - receiving the security credential from the client, the security credential belonging to a user of the client;
      
      verifying the security credential; and
      
      generating the ticket-granting ticket when the verification is successful.

5. A method for use in a secure server for granting access to the secure server, in response to a request from a client for access to the secure server, without further intervention by the user of the client, the method comprising:
- sending an authentication challenge to the client, the authentication challenge including the identity of an authentication server trusted by the secure server, wherein the client sends the authentication challenge to the authentication server without intervention by the user;
  
  receiving a ticket having a digital signature applied using a private key of the authentication server;
  
  verifying the digital signature using a public key corresponding to the private key of the authentication server; and
  
  granting access to the client upon verifying at least a portion of the ticket.
- View Dependent Claims (6)
- - 6. The method of claim 5, wherein the portion includes at least a part of the authentication challenge, and granting comprises:
    - verifying the part of the authentication challenge received in the ticket before granting access to the client.

7. A method for use in a Web server for obtaining content from a secure server, in response to a request from a client for the content, without further intervention by the user of the client, the method comprising:
- sending a request for the content to the secure server;
  
  receiving an authentication challenge from the secure server in response to the request;
  
  sending a forwardable ticket to an authentication server trusted by the secure server, the forwardable ticket previously sent to the Web server by the authentication server based on a successful authentication of the client by the authentication server;
  
  receiving from the authentication server a ticket having a digital signature applied using a private key of the authentication server; and
  
  sending the ticket to the secure server, wherein the secure server, upon verifying the digital signature using a public key corresponding to the private key of the authentication server, provides the requested content; and
  
  wherein all communications with the client employ a generic application-layer network protocol.
- View Dependent Claims (8)
- - 8. The method of claim 7, further comprising:
    - sending a forwardable challenge to the client in response to the request from the client, the forwardable challenge including the identity of an authentication server trusted by the Web server, wherein the authentication server authenticates the client and generates the forwardable ticket based on authenticating the client; and
      
      receiving the forwardable ticket from the authentication server.

9. A method for use in an authentication server for obtaining content from a secure server for a client that has issued a request for the content from the secure server, without further intervention by the user of the client, the method comprising:
- receiving a forwardable ticket sent by a Web server in response to a challenge issued by the secure server in response to the request, the forwardable ticket previously sent to the Web server by the authentication server based on a successful authentication of the client by the authentication server;
  
  generating a ticket having a digital signature applied using a private key of the authentication server; and
  
  wherein the secure server, upon verifying the digital signature using a public key corresponding to the private key of the authentication server, provides the requested content; and
  
  wherein all communications with the client employ a generic application-layer network protocol.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9, further comprising:
    - authenticating the client based on a previous successful authentication of the client before generating the ticket.
  - 11. The method of claim 10, wherein authenticating comprises:
    - verifying the forwardable ticket.
  - 12. The method of claim 9, further comprising:
    - receiving a security credential from the client, the security credential belonging to a user of the client;
      
      verifying the security credential; and
      
      generating the forwardable ticket when verifying the client is successful.
  - 13. The method of claim 9, further comprising:
    - receiving a ticket-granting ticket from the client, the ticket-granting ticket sent by a second authentication server to the client based on the previous successful authentication;
      
      generating the forwardable ticket; and
      
      sending the forwardable ticket to the client, whereupon the client sends the forwardable ticket to the Web server.
  - 14. The method of claim 13, further comprising:
    - receiving a security credential from the client, the security credential belonging to a user of the client;
      
      verifying the security credential; and
      
      generating the ticket-granting ticket when the verification is successful.

15. A method for use in a secure server for providing content hosted by the secure server to a client in response to a request for the content sent from the client, without further intervention by the user of the client, the request forwarded by a Web server to the secure server, the method comprising:
- sending an authentication challenge to the Web server, the authentication challenge including the identity of an authentication server trusted by the secure server, wherein the Web server sends the authentication challenge to the authentication server;
  
  receiving a ticket having a digital signature applied using a private key of the authentication server;
  
  verifying the digital signature using a public key corresponding to the private key of the authentication server; and
  
  providing the requested content to the client upon verifying at least a portion of the ticket.
- View Dependent Claims (16)
- - 16. The method of claim 15, wherein the portion includes at least a part of the authentication challenge, further comprising:
    - verifying the part of the authentication challenge received in the ticket before providing the requested content to the client.

17. A method for use in a Web server for obtaining access to a secure server, in response to a request from a client for the access, without further intervention by the user of the client, the method comprising:
- sending a request for the content to the secure server;
  
  receiving an authentication challenge from the secure server in response to the request;
  
  sending a forwardable ticket to an authentication server trusted by the secure server, the forwardable ticket previously sent to the Web server by the authentication server based on a successful authentication of the client by the authentication server;
  
  receiving from the authentication server a ticket having a digital signature applied using a private key of the authentication server; and
  
  sending the ticket to the secure server, wherein the secure server, upon verifying the digital signature using a public key corresponding to the private key of the authentication server, grants the access; and
  
  wherein all communications with the client employ a generic application-layer network protocol.
- View Dependent Claims (18)
- - 18. The method of claim 17, further comprising:
    - sending a forwardable challenge to the client in response to the request from the client, the forwardable challenge including the identity of an authentication server trusted by the Web server, wherein the authentication server authenticates the client and generates the forwardable ticket based on authenticating the client; and
      
      receiving the forwardable ticket from the authentication server.

19. A method for use in an authentication server for obtaining access to a secure server for a client that has issued a request for the access, without further intervention by the user of the client, the method comprising:
- receiving a forwardable ticket sent by a Web server in response to a challenge issued by the secure server in response to the request, the forwardable ticket previously sent to the Web server by the authentication server based on a successful authentication of the client by the authentication server;
  
  generating a ticket having a digital signature applied using a private key of the authentication server; and
  
  wherein the secure server, upon verifying the digital signature using a public key corresponding to the private key of the authentication server, grants the access; and
  
  wherein all communications with the client employ a generic application-layer network protocol.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The method of claim 19, further comprising:
    - authenticating the client based on a previous successful authentication of the client before generating the ticket.
  - 21. The method of claim 20, wherein authenticating comprises:
    - verifying the forwardable ticket.
  - 22. The method of claim 19, further comprising:
    - receiving a security credential from the client, the security credential belonging to a user of the client;
      
      verifying the security credential; and
      
      generating the forwardable ticket when verifying the client is successful.
  - 23. The method of claim 19, further comprising:
    - receiving a ticket-granting ticket from the client, the ticket-granting ticket sent by a second authentication server to the client based on the previous successful authentication;
      
      generating the forwardable ticket; and
      
      sending the forwardable ticket to the client, whereupon the client sends the forwardable ticket to the Web server.
  - 24. The method of claim 23, further comprising:
    - receiving a security credential from the client, the security credential belonging to a user of the client;
      
      verifying the security credential; and
      
      generating the ticket-granting ticket when the verification is successful.

25. A method for use in a secure server for granting access to a client in response to a request for the access sent from the client, without further intervention by the user of the client, the request forwarded by a Web server to the secure server, the method comprising:
- sending an authentication challenge to the Web server, the authentication challenge including the identity of an authentication server trusted by the secure server, wherein the Web server sends the authentication challenge to the authentication server;
  
  receiving a ticket having a digital signature applied using a private key of the authentication server;
  
  verifying the digital signature using a public key corresponding to the private key of the authentication server; and
  
  ranting the access to the client upon verifying at least a portion of the ticket.
- View Dependent Claims (26)
- - 26. The method of claim 25, wherein the portion includes at least a part of the authentication challenge, further comprising:
    - verifying the part of the authentication challenge received in the ticket before providing the requested content to the client.

27. Computer-readable media embodying instructions executable by a computer to perform a method for use in an authentication server for obtaining access to a secure server for a client that has issued a request for access to the secure server, without further intervention by the user of the client, the method comprising:
- receiving an authentication challenge sent by the secure server to the client; and
  
  generating a ticket having a digital signature applied using a private key of the authentication server; and
  
  wherein the secure server, upon receiving the ticket and verifying the digital signature using a public key corresponding to the private key of the authentication server, grants access to the client.
- View Dependent Claims (28, 29, 30)
- - 28. The media of claim 27, wherein the method further comprises:
    - authenticating the client based on a previous successful authentication of the client before generating the ticket.
  - 29. The media of claim 28, wherein authenticating comprises:
    - receiving a ticket-granting ticket from the client, the ticket-granting ticket previously sent to the client by the authentication server after a successful authentication of the client in which the client supplied a security credential.
  - 30. The media of claim 29, wherein the method further comprises:
    - receiving the security credential from the client, the security credential belonging to a user of the client;
      
      verifying the security credential; and
      
      generating the ticket-granting ticket when the verification is successful.

31. Computer-readable media embodying instructions executable by a computer to perform a method for use in a secure server for granting access to the secure server, in response to a request from a client for access to the secure server, without further intervention by the user of the client, the method comprising:
- sending an authentication challenge to the client, the authentication challenge including the identity of an authentication server trusted by the secure server, wherein the client sends the authentication challenge to the authentication server without intervention by the user;
  
  receiving a ticket having a digital signature applied using a private key of the authentication server;
  
  verifying the digital signature using a public key corresponding to the private key of the authentication server; and
  
  granting access to the client upon verifying at least a portion of the ticket.
- View Dependent Claims (32)
- - 32. The media of claim 31, wherein the portion includes at least a part of the authentication challenge, and granting comprises:
    - verifying the part of the authentication challenge received in the ticket before granting access to the client.

33. Computer-readable media embodying instructions executable by a computer to perform a method for use in a Web server for obtaining content from a secure server, in response to a request from a client for the content, without further intervention by the user of the client, the method comprising:
- sending a request for the content to the secure server;
  
  receiving an authentication challenge from the secure server in response to the request;
  
  sending a forwardable ticket to an authentication server trusted by the secure server, the forwardable ticket previously sent to the Web server by the authentication server based on a successful authentication of the client by the authentication server;
  
  receiving from the authentication server a ticket having a digital signature applied using a private key of the authentication server; and
  
  sending the ticket to the secure server, wherein the secure server, upon verifying the digital signature using a public key corresponding to the private key of the authentication server, provides the requested content; and
  
  wherein all communications with the client employ a generic application-layer network protocol.
- View Dependent Claims (34)
- - 34. The media of claim 33, wherein the method further comprises:
    - sending a forwardable challenge to the client in response to the request from the client, the forwardable challenge including the identity of an authentication server trusted by the Web server, wherein the authentication server authenticates the client and generates the forwardable ticket based on authenticating the client; and
      
      receiving the forwardable ticket from the authentication server.

35. Computer-readable media embodying instructions executable by a computer to perform a method for use in an authentication server for obtaining content from a secure server for a client that has issued a request for the content from the secure server, without further intervention by the user of the client, the method comprising:
- receiving a forwardable ticket sent by a Web server in response to a challenge issued by the secure server in response to the request, the forwardable ticket previously sent to the Web server by the authentication server based on a successful authentication of the client by the authentication server;
  
  generating a ticket having a digital signature applied using a private key of the authentication server; and
  
  wherein the secure server, upon verifying the digital signature using a public key corresponding to the private key of the authentication server, provides the requested content; and
  
  wherein all communications with the client employ a generic application-layer network protocol.
- View Dependent Claims (36, 37, 38, 39, 40)
- - 36. The media of claim 35, wherein the method further comprises:
    - authenticating the client based on a previous successful authentication of the client before generating the ticket.
  - 37. The media of claim 36, wherein authenticating comprises:
    - verifying the forwardable ticket.
  - 38. The media of claim 35, wherein the method further comprises:
    - receiving a security credential from the client, the security credential belonging to a user of the client;
      
      verifying the security credential; and
      
      generating the forwardable ticket when verifying the client is successful.
  - 39. The media of claim 35, wherein the method further comprises:
    - receiving a ticket-granting ticket from the client, the ticket-granting ticket sent by a second authentication server to the client based on the previous successful authentication;
      
      generating the forwardable ticket; and
      
      sending the forwardable ticket to the client, whereupon the client sends the forwardable ticket to the Web server.
  - 40. The media of claim 39, wherein the method further comprises:
    - receiving a security credential from the client, the security credential belonging to a user of the client;
      
      verifying the security credential; and
      
      generating the ticket-granting ticket when the verification is successful.

41. Computer-readable media embodying instructions executable by a computer to perform a method for use in a secure server for providing content hosted by the secure server to a client in response to a request for the content sent from the client, without further intervention by the user of the client, the request forwarded by a Web server to the secure server, the method comprising:
- sending an authentication challenge to the Web server, the authentication challenge including the identity of an authentication server trusted by the secure server, wherein the Web server sends the authentication challenge to the authentication server;
  
  receiving a ticket having a digital signature applied using a private key of the authentication server;
  
  verifying the digital signature using a public key corresponding to the private key of the authentication server; and
  
  providing the requested content to the client upon verifying at least a portion of the ticket.
- View Dependent Claims (42)
- - 42. The media of claim 41, wherein the portion includes at least a part of the authentication challenge, wherein the method further comprises:
    - verifying the part of the authentication challenge received in the ticket before providing the requested content to the client.

43. Computer-readable media embodying instructions executable by a computer to perform a method for use in a Web server for obtaining access to a secure server, in response to a request from a client for the access, without further intervention by the user of the client, the method comprising:
- sending a request for the content to the secure server;
  
  receiving an authentication challenge from the secure server in response to the request;
  
  sending a forwardable ticket to an authentication server trusted by the secure server, the forwardable ticket previously sent to the Web server by the authentication server based on a successful authentication of the client by the authentication server;
  
  receiving from the authentication server a ticket having a digital signature applied using a private key of the authentication server; and
  
  sending the ticket to the secure server, wherein the secure server, upon verifying the digital signature using a public key corresponding to the private key of the authentication server, grants the access; and
  
  wherein all communications with the client employ a generic application-layer network protocol.
- View Dependent Claims (44)
- - 44. The media of claim 43, wherein the method further comprises:
    - sending a forwardable challenge to the client in response to the request from the client, the forwardable challenge including the identity of an authentication server trusted by the Web server, wherein the authentication server authenticates the client and generates the forwardable ticket based on authenticating the client; and
      
      receiving the forwardable ticket from the authentication server.

45. Computer-readable media embodying instructions executable by a computer to perform a method for use in an authentication server for obtaining access to a secure server for a client that has issued a request for the access, without further intervention by the user of the client, the method comprising:
- receiving a forwardable ticket sent by a Web server in response to a challenge issued by the secure server in response to the request, the forwardable ticket previously sent to the Web server by the authentication server based on a successful authentication of the client by the authentication server;
  
  generating a ticket having a digital signature applied using a private key of the authentication server; and
  
  wherein the secure server, upon verifying the digital signature using a public key corresponding to the private key of the authentication server, grants the access; and
  
  wherein all communications with the client employ a generic application-layer network protocol.
- View Dependent Claims (46, 47, 48, 49, 50)
- - 46. The media of claim 45, wherein the method further comprises:
    - authenticating the client based on a previous successful authentication of the client before generating the ticket.
  - 47. The media of claim 46, wherein authenticating comprises:
    - verifying the forwardable ticket.
  - 48. The media of claim 45, wherein the method further comprises:
    - receiving a security credential from the client, the security credential belonging to a user of the client;
      
      verifying the security credential; and
      
      generating the forwardable ticket when verifying the client is successful.
  - 49. The media of claim 45, wherein the method further comprises:
    - receiving a ticket-granting ticket from the client, the ticket-granting ticket sent by a second authentication server to the client based on the previous successful authentication;
      
      generating the forwardable ticket; and
      
      sending the forwardable ticket to the client, whereupon the client sends the forwardable ticket to the Web server.
  - 50. The media of claim 49, wherein the method further comprises:
    - receiving a security credential from the client, the security credential belonging to a user of the client;
      
      verifying the security credential; and
      
      generating the ticket-granting ticket when the verification is successful.

51. Computer-readable media embodying instructions executable by a computer to perform a method for use in a secure server for granting access to a client in response to a request for the access sent from the client, without further intervention by the user of the client, the request forwarded by a Web server to the secure server, the method comprising:
- sending an authentication challenge to the Web server, the authentication challenge including the identity of an authentication server trusted by the secure server, wherein the Web server sends the authentication challenge to the authentication server;
  
  receiving a ticket having a digital signature applied using a private key of the authentication server;
  
  verifying the digital signature using a public key corresponding to the private key of the authentication server; and
  
  ranting the access to the client upon verifying at least a portion of the ticket.
- View Dependent Claims (52)
- - 52. The media of claim 51, wherein the portion includes at least a part of the authentication challenge, wherein the method further comprises:
    - verifying the part of the authentication challenge received in the ticket before providing the requested content to the client.

53. An apparatus for use in an authentication server for obtaining access to a secure server for a client that has issued a request for access to the secure server, without further intervention by the user of the client, the apparatus comprising:
- means for receiving an authentication challenge sent by the secure server to the client; and
  
  means for generating a ticket having a digital signature applied using a private key of the authentication server; and
  
  wherein the secure server, upon receiving the ticket and verifying the digital signature using a public key corresponding to the private key of the authentication server, grants access to the client.
- View Dependent Claims (54, 55, 56)
- - 54. The apparatus of claim 53, further comprising:
    - means for authenticating the client based on a previous successful authentication of the client before generating the ticket.
  - 55. The apparatus of claim 54, wherein means for authenticating comprises:
    - means for receiving a ticket-granting ticket from the client, the ticket-granting ticket previously sent to the client by the authentication server after a successful authentication of the client in which the client supplied a security credential.
  - 56. The apparatus of claim 55, further comprising:
    - means for receiving the security credential from the client, the security credential belonging to a user of the client;
      
      means for verifying the security credential; and
      
      means for generating the ticket-granting ticket when the verification is successful.

57. An apparatus for use in a secure server for granting access to the secure server, in response to a request from a client for access to the secure server, without further intervention by the user of the client, the apparatus comprising:
- means for sending an authentication challenge to the client, the authentication challenge including the identity of an authentication server trusted by the secure server, wherein the client sends the authentication challenge to the authentication server without intervention by the user;
  
  means for receiving a ticket having a digital signature applied using a private key of the authentication server;
  
  means for verifying the digital signature using a public key corresponding to the private key of the authentication server; and
  
  means for granting access to the client upon verifying at least a portion of the ticket.
- View Dependent Claims (58)
- - 58. The apparatus of claim 57, wherein the portion includes at least a part of the authentication challenge, and means for granting comprises:
    - means for verifying the part of the authentication challenge received in the ticket before granting access to the client.

59. An apparatus for use in a Web server for obtaining content from a secure server, in response to a request from a client for the content, without further intervention by the user of the client, the apparatus comprising:
- means for sending a request for the content to the secure server;
  
  means for receiving an authentication challenge from the secure server in response to the request;
  
  means for sending a forwardable ticket to an authentication server trusted by the secure server, the forwardable ticket previously sent to the Web server by the authentication server based on a successful authentication of the client by the authentication server;
  
  means for receiving from the authentication server a ticket having a digital signature applied using a private key of the authentication server; and
  
  means for sending the ticket to the secure server, wherein the secure server, upon verifying the digital signature using a public key corresponding to the private key of the authentication server, provides the requested content; and
  
  wherein all communications with the client employ a generic application-layer network protocol.
- View Dependent Claims (60)
- - 60. The apparatus of claim 59, further comprising:
    - means for sending a forwardable challenge to the client in response to the request from the client, the forwardable challenge including the identity of an authentication server trusted by the Web server, wherein the authentication server authenticates the client and generates the forwardable ticket based on authenticating the client; and
      
      means for receiving the forwardable ticket from the authentication server.

61. An apparatus for use in an authentication server for obtaining content from a secure server for a client that has issued a request for the content from the secure server, without further intervention by the user of the client, the apparatus comprising:
- means for receiving a forwardable ticket sent by a Web server in response to a challenge issued by the secure server in response to the request, the forwardable ticket previously sent to the Web server by the authentication server based on a successful authentication of the client by the authentication server;
  
  means for generating a ticket having a digital signature applied using a private key of the authentication server; and
  
  wherein the secure server, upon verifying the digital signature using a public key corresponding to the private key of the authentication server, provides the requested content; and
  
  wherein all communications with the client employ a generic application-layer network protocol.
- View Dependent Claims (62, 63, 64, 65, 66)
- - 62. The apparatus of claim 61, further comprising:
    - means for authenticating the client based on a previous successful authentication of the client before generating the ticket.
  - 63. The apparatus of claim 62, wherein means for authenticating comprises:
    - means for verifying the forwardable ticket.
  - 64. The apparatus of claim 61, further comprising:
    - means for receiving a security credential from the client, the security credential belonging to a user of the client;
      
      means for verifying the security credential; and
      
      means for generating the forwardable ticket when verifying the client is successful.
  - 65. The apparatus of claim 61, further comprising:
    - means for receiving a ticket-granting ticket from the client, the ticket-granting ticket sent by a second authentication server to the client based on the previous successful authentication;
      
      means for generating the forwardable ticket; and
      
      means for sending the forwardable ticket to the client, whereupon the client sends the forwardable ticket to the Web server.
  - 66. The apparatus of claim 65, further comprising:
    - means for receiving a security credential from the client, the security credential belonging to a user of the client;
      
      means for verifying the security credential; and
      
      means for generating the ticket-granting ticket when the verification is successful.

67. An apparatus for use in a secure server for providing content hosted by the secure server to a client in response to a request for the content sent from the client, without further intervention by the user of the client, the request forwarded by a Web server to the secure server, the apparatus comprising:
- means for sending an authentication challenge to the Web server, the authentication challenge including the identity of an authentication server trusted by the secure server, wherein the Web server sends the authentication challenge to the authentication server;
  
  means for receiving a ticket having a digital signature applied using a private key of the authentication server;
  
  means for verifying the digital signature using a public key corresponding to the private key of the authentication server; and
  
  means for providing the requested content to the client upon verifying at least a portion of the ticket.
- View Dependent Claims (68)
- - 68. The apparatus of claim 67, wherein the portion includes at least a part of the authentication challenge, further comprising:
    - means for verifying the part of the authentication challenge received in the ticket before providing the requested content to the client.

69. An apparatus for use in a Web server for obtaining access to a secure server, in response to a request from a client for the access, without further intervention by the user of the client, the apparatus comprising:
- means for sending a request for the content to the secure server;
  
  means for receiving an authentication challenge from the secure server in response to the request;
  
  means for sending a forwardable ticket to an authentication server trusted by the secure server, the forwardable ticket previously sent to the Web server by the authentication server based on a successful authentication of the client by the authentication server;
  
  means for receiving from the authentication server a ticket having a digital signature applied using a private key of the authentication server; and
  
  means for sending the ticket to the secure server, wherein the secure server, upon verifying the digital signature using a public key corresponding to the private key of the authentication server, grants the access; and
  
  wherein all communications with the client employ a generic application-layer network protocol.
- View Dependent Claims (70)
- - 70. The apparatus of claim 69, further comprising:
    - means for sending a forwardable challenge to the client in response to the request from the client, the forwardable challenge including the identity of an authentication server trusted by the Web server, wherein the authentication server authenticates the client and generates the forwardable ticket based on authenticating the client; and
      
      means for receiving the forwardable ticket from the authentication server.

71. An apparatus for use in an authentication server for obtaining access to a secure server for a client that has issued a request for the access, without further intervention by the user of the client, the apparatus comprising:
- means for receiving a forwardable ticket sent by a Web server in response to a challenge issued by the secure server in response to the request, the forwardable ticket previously sent to the Web server by the authentication server based on a successful authentication of the client by the authentication server;
  
  means for generating a ticket having a digital signature applied using a private key of the authentication server; and
  
  wherein the secure server, upon verifying the digital signature using a public key corresponding to the private key of the authentication server, grants the access; and
  
  wherein all communications with the client employ a generic application-layer network protocol.
- View Dependent Claims (72, 73, 74, 75, 76)
- - 72. The apparatus of claim 71, further comprising:
    - means for authenticating the client based on a previous successful authentication of the client before generating the ticket.
  - 73. The apparatus of claim 72, wherein means for authenticating comprises:
    - means for verifying the forwardable ticket.
  - 74. The apparatus of claim 71, further comprising:
    - means for receiving a security credential from the client, the security credential belonging to a user of the client;
      
      means for verifying the security credential; and
      
      means for generating the forwardable ticket when verifying the client is successful.
  - 75. The apparatus of claim 71, further comprising:
    - means for receiving a ticket-granting ticket from the client, the ticket-granting ticket sent by a second authentication server to the client based on the previous successful authentication;
      
      means for generating the forwardable ticket; and
      
      sending the forwardable ticket to the client, whereupon the client sends the forwardable ticket to the Web server.
  - 76. The apparatus of claim 75, further comprising:
    - means for receiving a security credential from the client, the security credential belonging to a user of the client;
      
      means for verifying the security credential; and
      
      means for generating the ticket-granting ticket when the verification is successful.

77. An apparatus for use in a secure server for granting access to a client in response to a request for the access sent from the client, without further intervention by the user of the client, the request forwarded by a Web server to the secure server, the apparatus comprising:
- means for sending an authentication challenge to the Web server, the authentication challenge including the identity of an authentication server trusted by the secure server, wherein the Web server sends the authentication challenge to the authentication server;
  
  means for receiving a ticket having a digital signature applied using a private key of the authentication server;
  
  means for verifying the digital signature using a public key corresponding to the private key of the authentication server; and
  
  means for granting the access to the client upon verifying at least a portion of the ticket.
- View Dependent Claims (78)
- - 78. The apparatus of claim 77, wherein the portion includes at least a part of the authentication challenge, further comprising:
    - means for verifying the part of the authentication challenge received in the ticket before providing the requested content to the client.

79. At least one computer programmed to execute a process for obtaining access to a secure server for a client that has issued a request for access to the secure server, without further intervention by the user of the client, the process comprising:
- receiving an authentication challenge sent by the secure server to the client; and
  
  generating a ticket having a digital signature applied using a private key of the authentication server; and
  
  wherein the secure server, upon receiving the ticket and verifying the digital signature using a public key corresponding to the private key of the authentication server, grants access to the client.
- View Dependent Claims (80, 81, 82)
- - 80. The computer of claim 79, wherein the process further comprises:
    - authenticating the client based on a previous successful authentication of the client before generating the ticket.
  - 81. The computer of claim 80, wherein authenticating comprises:
    - receiving a ticket-granting ticket from the client, the ticket-granting ticket previously sent to the client by the authentication server after a successful authentication of the client in which the client supplied a security credential.
  - 82. The computer of claim 81, wherein the process further comprises:
    - receiving the security credential from the client, the security credential belonging to a user of the client;
      
      verifying the security credential; and
      
      generating the ticket-granting ticket when the verification is successful.

83. At least one computer programmed to execute a process for granting access to the secure server, in response to a request from a client for access to the secure server, without further intervention by the user of the client, the process comprising:
- sending an authentication challenge to the client, the authentication challenge including the identity of an authentication server trusted by the secure server, wherein the client sends the authentication challenge to the authentication server without intervention by the user;
  
  receiving a ticket having a digital signature applied using a private key of the authentication server;
  
  verifying the digital signature using a public key corresponding to the private key of the authentication server; and
  
  granting access to the client upon verifying at least a portion of the ticket.
- View Dependent Claims (84)
- - 84. The computer of claim 83, wherein the portion includes at least a part of the authentication challenge, and granting comprises:
    - verifying the part of the authentication challenge received in the ticket before granting access to the client.

85. At least one computer programmed to execute a process for obtaining content from a secure server, in response to a request from a client for the content, without further intervention by the user of the client, the process comprising:
- sending a request for the content to the secure server;
  
  receiving an authentication challenge from the secure server in response to the request;
  
  sending a forwardable ticket to an authentication server trusted by the secure server, the forwardable ticket previously sent to the Web server by the authentication server based on a successful authentication of the client by the authentication server;
  
  receiving from the authentication server a ticket having a digital signature applied using a private key of the authentication server; and
  
  sending the ticket to the secure server, wherein the secure server, upon verifying the digital signature using a public key corresponding to the private key of the authentication server, provides the requested content; and
  
  wherein all communications with the client employ a generic application-layer network protocol.
- View Dependent Claims (86)
- - 86. The computer of claim 85, wherein the process further comprises:
    - sending a forwardable challenge to the client in response to the request from the client, the forwardable challenge including the identity of an authentication server trusted by the Web server, wherein the authentication server authenticates the client and generates the forwardable ticket based on authenticating the client; and
      
      receiving the forwardable ticket from the authentication server.

87. At least one computer programmed to execute a process for obtaining content from a secure server for a client that has issued a request for the content from the secure server, without further intervention by the user of the client, the process comprising:
- receiving a forwardable ticket sent by a Web server in response to a challenge issued by the secure server in response to the request, the forwardable ticket previously sent to the Web server by the authentication server based on a successful authentication of the client by the authentication server;
  
  generating a ticket having a digital signature applied using a private key of the authentication server; and
  
  wherein the secure server, upon verifying the digital signature using a public key corresponding to the private key of the authentication server, provides the requested content; and
  
  wherein all communications with the client employ a generic application-layer network protocol.
- View Dependent Claims (88, 89, 90, 91, 92)
- - 88. The computer of claim 87, wherein the process further comprises:
    - authenticating the client based on a previous successful authentication of the client before generating the ticket.
  - 89. The computer of claim 88, wherein authenticating comprises:
    - verifying the forwardable ticket.
  - 90. The computer of claim 87, wherein the process further comprises:
    - receiving a security credential from the client, the security credential belonging to a user of the client;
      
      verifying the security credential; and
      
      generating the forwardable ticket when verifying the client is successful.
  - 91. The computer of claim 87, wherein the process further comprises:
    - receiving a ticket-granting ticket from the client, the ticket-granting ticket sent by a second authentication server to the client based on the previous successful authentication;
      
      generating the forwardable ticket; and
      
      sending the forwardable ticket to the client, whereupon the client sends the forwardable ticket to the Web server.
  - 92. The computer of claim 91, wherein the process further comprises:
    - receiving a security credential from the client, the security credential belonging to a user of the client;
      
      verifying the security credential; and
      
      generating the ticket-granting ticket when the verification is successful.

93. At least one computer programmed to execute a process for providing content hosted by the secure server to a client in response to a request for the content sent from the client, without further intervention by the user of the client, the request forwarded by a Web server to the secure server, the process comprising:
- sending an authentication challenge to the Web server, the authentication challenge including the identity of an authentication server trusted by the secure server, wherein the Web server sends the authentication challenge to the authentication server;
  
  receiving a ticket having a digital signature applied using a private key of the authentication server;
  
  verifying the digital signature using a public key corresponding to the private key of the authentication server; and
  
  providing the requested content to the client upon verifying at least a portion of the ticket.
- View Dependent Claims (94)
- - 94. The computer of claim 93, wherein the portion includes at least a part of the authentication challenge, wherein the process further comprises:
    - verifying the part of the authentication challenge received in the ticket before providing the requested content to the client.

95. At least one computer programmed to execute a process for obtaining access to a secure server, in response to a request from a client for the access, without further intervention by the user of the client, the process comprising:
- sending a request for the content to the secure server;
  
  receiving an authentication challenge from the secure server in response to the request;
  
  sending a forwardable ticket to an authentication server trusted by the secure server, the forwardable ticket previously sent to the Web server by the authentication server based on a successful authentication of the client by the authentication server;
  
  receiving from the authentication server a ticket having a digital signature applied using a private key of the authentication server; and
  
  sending the ticket to the secure server, wherein the secure server, upon verifying the digital signature using a public key corresponding to the private key of the authentication server, grants the access; and
  
  wherein all communications with the client employ a generic application-layer network protocol.
- View Dependent Claims (96)
- - 96. The computer of claim 95, wherein the process further comprises:
    - sending a forwardable challenge to the client in response to the request from the client, the forwardable challenge including the identity of an authentication server trusted by the Web server, wherein the authentication server authenticates the client and generates the forwardable ticket based on authenticating the client; and
      
      receiving the forwardable ticket from the authentication server.

97. At least one computer programmed to execute a process for obtaining access to a secure server for a client that has issued a request for the access, without further intervention by the user of the client, the process comprising:
- receiving a forwardable ticket sent by a Web server in response to a challenge issued by the secure server in response to the request, the forwardable ticket previously sent to the Web server by the authentication server based on a successful authentication of the client by the authentication server;
  
  generating a ticket having a digital signature applied using a private key of the authentication server; and
  
  wherein the secure server, upon verifying the digital signature using a public key corresponding to the private key of the authentication server, grants the access; and
  
  wherein all communications with the client employ a generic application-layer network protocol.
- View Dependent Claims (98, 99, 100, 101, 102)
- - 98. The computer of claim 97, wherein the process further comprises:
    - authenticating the client based on a previous successful authentication of the client before generating the ticket.
  - 99. The computer of claim 98, wherein authenticating comprises:
    - verifying the forwardable ticket.
  - 100. The computer of claim 97, wherein the process further comprises:
    - receiving a security credential from the client, the security credential belonging to a user of the client;
      
      verifying the security credential; and
      
      generating the forwardable ticket when verifying the client is successful.
  - 101. The computer of claim 97, wherein the process further comprises:
    - receiving a ticket-granting ticket from the client, the ticket-granting ticket sent by a second authentication server to the client based on the previous successful authentication;
      
      generating the forwardable ticket; and
      
      sending the forwardable ticket to the client, whereupon the client sends the forwardable ticket to the Web server.
  - 102. The computer of claim 101, wherein the process further comprises:
    - receiving a security credential from the client, the security credential belonging to a user of the client;
      
      verifying the security credential; and
      
      generating the ticket-granting ticket when the verification is successful.

103. At least one computer programmed to execute a process for granting access to a client in response to a request for the access sent from the client, without further intervention by the user of the client, the request forwarded by a Web server to the secure server, the process comprising:
- sending an authentication challenge to the Web server, the authentication challenge including the identity of an authentication server trusted by the secure server, wherein the Web server sends the authentication challenge to the authentication server;
  
  receiving a ticket having a digital signature applied using a private key of the authentication server;
  
  verifying the digital signature using a public key corresponding to the private key of the authentication server; and
  
  ranting the access to the client upon verifying at least a portion of the ticket.
- View Dependent Claims (104)
- - 104. The computer of claim 103, wherein the portion includes at least a part of the authentication challenge, wherein the process further comprises:
    - verifying the part of the authentication challenge received in the ticket before providing the requested content to the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
BEA Systems Incorporated (Oracle Corporation)
Inventors
Stanko, Joseph A.

Granted Patent

US 7,246,230 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/279
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/126   the source of the received ...

Single sign-on over the internet using public-key cryptography

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

251 Citations

104 Claims

Specification

Solutions

Use Cases

Quick Links

Single sign-on over the internet using public-key cryptography

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

251 Citations

104 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links