Systems and methods for controlling access to a public data network from a visited access provider

US 20050198036A1
Filed: 11/26/2004
Published: 09/08/2005
Est. Priority Date: 11/28/2003
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to a public data network from a visited access provider, comprising receiving from a client device a message indicative of a request to access the public data network;

supporting a temporary connection between the client device and a user-selected credit provider, the temporary connection comprising a transmission of substitute user credentials from the user-selected credit provider in response to transmission of original user credentials from the client device;

receiving the substitute user credentials from the client device;

communicating the substitute user credentials to the user-selected credit provider to authenticate the client device;

responsive to successful authentication of the client device by the user-selected credit provider on the basis of the substitute user credentials, authorizing the client device to access the public data network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To allow a user to access a public data network from a region of service operated by a visited access provider, the visited provider is supplied with an identity of a credit provider. The user is redirected to the credit provider, resulting in establishment of a temporary connection with the credit provider. During this temporary connection, the user supplies original user credentials and, in return, receives substitute user credentials if the original user credentials are valid. The substitute user credentials are supplied to the visited provider, which proceeds to have the user authenticated by the credit provider on the basis of the substitute user credentials. In this way, the visited provider authenticates the user with the credit provider before allowing the user to access the public data network, but a secure exchange of the original user credentials between the user and the credit provider prevents unauthorized access to this information by the visited provider.

Citations

57 Claims

1. A method of controlling access to a public data network from a visited access provider, comprising receiving from a client device a message indicative of a request to access the public data network;
- supporting a temporary connection between the client device and a user-selected credit provider, the temporary connection comprising a transmission of substitute user credentials from the user-selected credit provider in response to transmission of original user credentials from the client device;
  
  receiving the substitute user credentials from the client device;
  
  communicating the substitute user credentials to the user-selected credit provider to authenticate the client device;
  
  responsive to successful authentication of the client device by the user-selected credit provider on the basis of the substitute user credentials, authorizing the client device to access the public data network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method defined in claim 1, wherein receiving from the client device the message indicative of the request to access the public data network comprises receiving an identity of a Web page attempted to be accessed by a browser on the client device.
  - 3. The method defined in claim 1, further comprising, prior to supporting:
    - identifying to the client device at least one candidate credit provider including the user-selected credit provider.
  - 4. The method defined in claim 3, wherein supporting is performed responsive to receipt from the client device of data indicative of a selected one of the at least one candidate credit provider.
  - 5. The method defined in claim 1, wherein supporting is performed responsive to receipt from the client device of data indicative of the user-selected credit provider.
  - 6. The method defined in claim 5, further comprising:
    - causing the client device to establish the temporary connection with the user-selected credit provider.
  - 7. The method defined in claim 5, further comprising:
    - causing the client device to establish the temporary connection with the user-selected credit provider over the public data network.
  - 8. The method defined in claim 7, wherein causing the client device to establish the temporary connection with the user-selected credit provider over the public data network comprises redirecting the client device to an Internet Protocol (IP) address associated with the user-selected credit provider.
  - 9. The method defined in claim 7, further comprising:
    - terminating the temporary connection after the transmission of a pre-determined amount of data over the temporary connection.
  - 10. The method defined in claim 7, further comprising:
    - terminating the temporary connection after a pre-determined duration.
  - 11. The method defined in claim 7, further comprising:
    - responsive to unsuccessful authentication of the client device by the user-selected credit provider on the basis of the substitute credentials, communicating to the client device an indication of the unsuccessful authentication.
  - 12. The method defined in claim 11, wherein the original user credentials comprise a user name, a realm and a password.
  - 13. The method defined in claim 11, wherein the original user credentials comprise a user name and a credit card number.
  - 14. The method defined in claim 11, wherein the original user credentials comprise an account number and a personal identification number.
  - 15. The method defined in claim 11, wherein the substitute user credentials comprise a user name and a realm.
  - 16. The method defined in claim 15, wherein the original user credentials are characterized by being indecipherable from the substitute user credentials.

17. A network, comprising:
- a network server entity adapted to receive from a client device a message indicative of a user-selected credit provider;
  
  a gateway entity adapted to support a temporary connection between the client device and the user-selected credit provider, the temporary connection comprising a transmission of substitute user credentials from the user-selected credit provider in response to transmission of original user credentials from the client device;
  
  the network server entity being further adapted to receive the substitute user credentials from the client device;
  
  an authentication entity adapted to communicate the substitute user credentials to the user-selected credit provider to authenticate the client device;
  
  the network server entity being further adapted to authorize the client device to access the public data network in response to successful authentication of the client device by the user-selected credit provider on the basis of the substitute user credentials.
- View Dependent Claims (18)
- - 18. The network defined in claim 17, wherein the network server entity is a web server.

19. A network, comprising:
- means for receiving from a client device a message indicative of a user-selected credit provider;
  
  means for supporting a temporary connection between the client device and the user-selected credit provider, the temporary connection comprising a transmission of substitute user credentials from the user-selected credit provider in response to transmission of original user credentials from the client device;
  
  means for receiving the substitute user credentials from the client device;
  
  means for communicating the substitute user credentials to the user-selected credit provider to authenticate the client device;
  
  means for authorizing the client device to access the public data network in response to successful authentication of the client device by the user-selected credit provider on the basis of the substitute user credentials.

20. A method of authenticating users having a business relationship with a credit provider, comprising:
- receiving original user credentials from a client device;
  
  sending to the client device substitute user credentials associated with the original user credentials;
  
  receiving the substitute user credentials from a visited provider of access to a public data network;
  
  authenticating the client device on the basis of the substitute user credentials;
  
  responsive to successful authentication of the client device on the basis of the substitute user credentials, indicating to the visited provider of access to the public data network that the client device has been successfully authenticated.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 21. The method defined in claim 20, wherein receiving the original user credentials from the client device is effected over the public data network.
  - 22. The method defined in claim 21, wherein receiving the original user credentials is effected via the visited provider of access to the public data network.
  - 23. The method defined in claim 20, further comprising, between receiving the original user credentials and sending the substitute user credentials:
    - generating the substitute credentials.
  - 24. The method defined in claim 23, further comprising:
    - storing the substitute user credentials in a database in association with the original user credentials.
  - 25. The method defined in claim 24, wherein authenticating the client device on the basis of the substitute user credentials comprises accessing the database, wherein the client device is said to be successfully authenticated on the basis of the substitute user credentials if the substitute user credentials are contained in the database.
  - 26. The method defined in claim 25, further comprising, between receiving the original user credentials and sending the substitute user credentials:
    - authenticating the client device on the basis of the original user credentials.
  - 27. The method defined in claim 26, wherein authenticating the client device on the basis of the original user credentials comprises accessing a database of authorized users, wherein the client device is said to be successfully authenticated on the basis of the original user credentials if the original user credentials are contained in the database of authorized users.
  - 28. The method defined in claim 27, wherein generating the substitute credentials is performed in response to successful authentication of the client device on the basis of the original user credentials.
  - 29. The method defined in claim 23, wherein the original user credentials comprise a user name, a realm and a password.
  - 30. The method defined in claim 23, wherein the original user credentials comprise a user name and a credit card number.
  - 31. The method defined in claim 23, wherein the original user credentials comprise an account number and a personal identification number.
  - 32. The method defined in claim 23, wherein generating the substitute user credentials comprises deriving the substitute credentials from the original user credentials.
  - 33. The method defined in claim 23, wherein the substitute user credentials comprise data indicative of the substitute nature of the substitute user credentials.
  - 34. The method defined in claim 29, wherein the substitute user credentials comprise data indicative of a realm different from the realm indicated by the original user credentials.

35. A credit provider having a business relationship with a plurality of users, comprising:
- a network server entity adapted to;
  
  receive original user credentials from a client device;
  
  send to the client device substitute user credentials associated with the original user credentials;
  
  an authentication entity adapted to;
  
  receive the substitute user credentials from a visited provider of access to a public data network;
  
  authenticate the client device on the basis of the substitute user credentials;
  
  indicate to the visited provider of access to the public data network that the client device has been successfully authenticated in response to successful authentication of the client device on the basis of the substitute user credentials.

36. A credit provider having a business relationship with a plurality of users, comprising:
- means for receiving original user credentials from a client device;
  
  means for sending to the client device substitute user credentials associated with the original user credentials;
  
  means for receiving the substitute user credentials from a visited provider of access to a public data network;
  
  means for authenticating the client device on the basis of the substitute user credentials;
  
  means for responsive to successful authentication of the client device on the basis of the substitute user credentials, indicating to the visited provider of access to the public data network that the client device has been successfully authenticated.

37. A method of accessing a public data network from a region of service operated by a visited access provider, comprising supplying to the visited access provider an identity of a credit provider;
- establishing a temporary connection with the credit provider;
  
  receiving substitute user credentials from the credit provider during the temporary connection in response to supplying the credit provider with original user credentials provider during the temporary connection;
  
  supplying the substitute user credentials to the visited access provider for authentication of the client device by the credit provider on the basis of the substitute user credentials.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49)
- - 38. A method defined in claim 37, wherein supplying the substitute user credentials to the visited access provider is performed automatically in response to receiving the substitute user credentials from the credit provider.
  - 39. A method defined in claim 37, wherein supplying the substitute user credentials to the visited access provider is performed without requiring user input after receiving the substitute user credentials from the credit provider.
  - 40. The method defined in claim 37, further comprising:
    - accessing the public data network via the visited access provider in response to successful authentication of the client device on the basis of the substitute user credentials.
  - 41. The method defined in claim 40, further comprising, prior to supplying to the visited access provider the identity of the credit provider:
    - receiving from the visited network provider an identity of at least one candidate credit provider including the credit provider.
  - 42. The method defined in claim 41, further comprising:
    - selecting the credit provider from among the at least one candidate credit provider identified whose identity is received from the visited network provider.
  - 43. The method defined in claim 40, wherein the temporary connection is established over the public data network.
  - 44. The method defined in claim 43, wherein the temporary connection is established via the visited access provider.
  - 45. The method defined in claim 44, wherein data sent to the home network during the temporary connection is encrypted at the client device and decrypted at the credit provider.
  - 46. The method defined in claim 45, wherein data sent from the home network during the temporary connection is encrypted at the credit provider and decrypted at the client device.
  - 47. The method defined in claim 37, wherein the temporary connection is sufficiently secure to prevent the visited access provider from determining the original user credentials supplied to the credit provider.
  - 48. The method defined in claim 47, wherein the temporary connection is a secure socket layer connection.
  - 49. The method defined in claim 37, wherein establishing the temporary connection with the credit provider comprises receiving an Internet Protocol address of the credit provider from the visited access provider and accessing the Internet Protocol address via the Internet.

50. Apparatus for accessing a public data network from a region of service operated by a visited access provider, comprising means for supplying to the visited access provider an identity of a credit provider;
- means for establishing a temporary connection with the credit provider;
  
  means for receiving substitute user credentials from the credit provider during the temporary connection in response to supplying the credit provider with original user credentials provider during the temporary connection;
  
  means for supplying the substitute user credentials to the visited access provider for authentication of the client device by the credit provider on the basis of the substitute user credentials.

51. A graphical user interface for guiding a user through a process of accessing a public data network from a region of service operated by a visited access provider, comprising:
- a browser capable of interfacing with the user;
  
  a control entity operative to;
  
  output via the browser content from the visited access provider;
  
  responsive to identification via the browser of a credit provider, output via the browser content from the credit provider;
  
  responsive to identification via the browser of user credentials of a user having a business relationship with the credit provider, access content of user-selected locations on the public data network.
- View Dependent Claims (52, 53, 54, 55, 56)
- - 52. The graphical user interface defined in claim 51, wherein the content from the visited access provider includes a text entry area for identification of the credit provider.
  - 53. The graphical user interface defined in claim 51, wherein the content from the visited access provider includes a choice of at least one candidate credit provider allowing selective identification of the credit provider.
  - 54. The graphical user interface defined in claim 51, wherein the content from the credit provider includes a text entry area for identification of the user credentials.
  - 55. The graphical user interface defined in claim 52, wherein the content from the credit provider includes a text entry area for identification of the user credentials.
  - 56. The graphical user interface defined in claim 53, wherein the content from the credit provider includes a text entry area for identification of the user credentials.

57. A computer program product for use with a client device in accessing a public data network from a region of service operated by a visited access provider, the computer program product comprising a computer usable medium having computer readable program code thereon, the computer readable program code including:
- program code for implementing a browser to interface with the user;
  
  program code for outputting via the browser content from the visited access provider;
  
  program code for outputting via the browser content from a credit provider in response to receiving via the browser an identification of the credit provider;
  
  program code for accessing via the browser content of user-selected locations on the public data network in response to receiving via the browser an identification of user credentials of a user having a business relationship with the credit provider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
BCE Incorporated
Original Assignee
BCE Incorporated
Inventors
Nedkov, Nicolas, Wong, Spencer, Smith, Brian Norman

Granted Patent

US 8,191,128 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 12/2856   Access arrangements, e.g. I...

H04L 12/2898   Subscriber equipments DSL m...

H04L 63/08   for authentication of entit...

H04W 12/062   Pre-authentication

H04W 48/18   Selecting a network or a co...

H04W 80/00   Wireless network protocols ...

H04W 84/12   WLAN [Wireless Local Area N...

Systems and methods for controlling access to a public data network from a visited access provider

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

57 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for controlling access to a public data network from a visited access provider

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

57 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links