Authentication with expiring binding digital certificates

US 20060059346A1
Filed: 09/14/2004
Published: 03/16/2006
Est. Priority Date: 09/14/2004
Status: Abandoned Application

First Claim

Patent Images

1. A system for authenticating a client for access to a business service of a firm, the system comprising:

a computer-implemented system configured to;

verify the identity of the client and thereafter create a binding between a digital certificate and the client, wherein the binding is configured to expire after a period of time; and

verify the validity of the digital certificate and the binding.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In various embodiments of the present invention systems and methods for authenticating a client for access to a business service of a firm and methods of creating a binding between a client'"'"'s public key and a client identifier are provided. In one embodiment, the present invention is directed to a system for authenticating a client for access to a business service of a firm. The system may include a computer-implemented system. The computer-implemented system may be configured to verify the identity of the client and thereafter create a binding between a digital certificate and the client, wherein the binding is configured to expire after a period of time. The computer-implemented system may also be configured to verify the validity of the digital certificate and the binding.

Citations

29 Claims

1. A system for authenticating a client for access to a business service of a firm, the system comprising:
- a computer-implemented system configured to;
  
  verify the identity of the client and thereafter create a binding between a digital certificate and the client, wherein the binding is configured to expire after a period of time; and
  
  verify the validity of the digital certificate and the binding.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The system of claim 1, wherein the computer-implemented system is further configured to issue the digital certificate to the client.
  - 3. The system of claim 2, wherein the system is configured to issue the digital certificate to the client after verifying the identity of the client.
  - 4. The system of claim 3, wherein the system is configured to issue a cookie file to the client along with the digital certificate, wherein the cookie file is associated with the digital certificate.
  - 5. The system of claim 1, wherein the system is configured to verify the identity of the client by checking a token presented by the client.
  - 6. The system of claim 5, wherein the token is a physical token that generates passwords according to an algorithm.
  - 7. The system of claim 5, wherein the token is a password securely transmitted to the client.
  - 8. The system of claim 7, wherein the password expires after a predetermined amount of time.
  - 9. The system of claim 1, wherein the binding includes a representation of the digital certificate associated with a representation of the client.
  - 10. The system of claim 9, the computer-implemented system being further configured to verify the binding by comparing data derived from the digital certificate to the stored representation of the digital certificate and by checking a stored expiration date associated with the binding.
  - 11. The system of claim 1, the computer implemented system being further configured to verify the binding by verifying the presence of a cookie file corresponding to the digital certificate.
  - 12. The system of claim 1, the computer implemented system being further configured to verify the binding by checking the status of a flag, wherein a state of the flag indicates whether the digital certificate is believed to be compromised.
  - 13. The system of claim 1, configured to deny access to the client if the binding is not verified.
  - 14. The system of claim 1, configured to permit access to the client upon verification of the binding without re-verifying the identity of the client by a client token.
  - 15. The system of claim 1, configured to rebind a binding upon re-verification of the identity of the client by a client token by resetting an expiration date of the binding.
  - 16. The system of claim 1, further configured to process expiration information of the binding before expiration of the binding.
  - 17. The system of claim 1, further configured to create at least a second binding between the digital certificate and the client, wherein the second binding is configured to expire after the first binding.
  - 18. The system of claim 1, wherein the period of time of expiration of the binding is in the range of about 30 to 365 days.
  - 19. The system of claim 1, wherein the period of time of expiration of the binding is in the range of about 90 to 180 days.

20. A method of authenticating a client for access to a business service of a firm, the method comprising:
- verifying the identity of the client;
  
  creating a first binding between a digital certificate and the client, wherein the binding comprises a representation of the digital certificate associated with a representation of the client, wherein the first binding expires after a period of time, and wherein the digital certificate is stored at a first location;
  
  checking the validity of the digital certificate; and
  
  checking whether the digital certificate is validly bound to the client.

21. A computer readable medium containing instructions that when executed by a processor cause the processor to perform a method of authenticating a client for access to a business service of a firm, the method comprising the steps of:
- verifying the identity of the client;
  
  creating a first binding between a digital certificate and the client, wherein the binding comprises a representation of the digital certificate associated with a representation of the client, wherein the first binding expires after a period of time, and wherein the digital certificate is stored at a first location;
  
  checking the validity of the digital certificate; and
  
  checking whether the digital certificate is validly bound to the client.

22. A method of creating a binding between a client'"'"'s public key and the client, comprising:
- verifying the identity of the client with a token;
  
  associatively storing a representation of the public key, a representation of the client, and a representation of an expiration date for the binding; and
  
  permitting the client to access a client service system upon verification that the public key presented by the client matches the public key associatively stored with the representation of the client, and that the expiration date for the binding has not expired, wherein the permitting occurs without requiring use of the client token for the verification.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29)
- - 23. The method of claim 22, wherein the representation of the public key is derived from a digital certificate.
  - 24. The method of claim 22, wherein the representation of the public key is a hash of a digital certificate.
  - 25. The method of claim 22, further comprising denying the client access to the client service system if the public key presented by the client does not match the public key associatively stored with the representation of the client.
  - 26. The method of claim 22, further comprising denying the client access to the client service system if the expiration date for the binding has expired.
  - 27. The method of claim 22, further comprising associatively re-storing the representation of the public key, the representation of the client, and a representation of a second expiration date for the binding, wherein the second expiration date is after the expiration date.
  - 28. The method of claim 27, wherein the re-storing occurs after re-verifying the identity of the client with the token.
  - 29. The method of claim 27, wherein the re-storing occurs if the client has logged-into the client service system a predetermined number of times prior to the expiration date.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Morgan Stanley
Original Assignee
Morgan Stanley
Inventors
Sherman, Andrew, Duchovni, Victor, Donnelly, Barbara

Application Number

US10/940,042
Publication Number

US 20060059346A1
Time in Patent Office

Days
Field of Search
US Class Current

713/175
CPC Class Codes

H04L 63/0442   wherein the sending and rec...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/166   at the transport layer

Authentication with expiring binding digital certificates

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication with expiring binding digital certificates

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links