Service provider anonymization in a single sign-on system

US 20060155993A1
Filed: 02/21/2003
Published: 07/13/2006
Est. Priority Date: 02/21/2003
Status: Abandoned Application

First Claim

Patent Images

1-26. -26. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for sign-on in a network based communications environment is described. Authentication of a first entity is requested by a second entity for accessing a service to be provided by the second entity to the first entity. The authentication is provided by a third entity. Data that identify the second entity are blinded towards the third entity. Blinding means that data identifying the second entity are modified such that the blinded data do not provide any information on the basis of which the second entity can be identified preferably except for the entity which has at least initiated data blinding, here the first entity. Examples for blinding include the use of a pseudonym or alias for the data identifying the second entity. According to a preferred embodiment, the method according to the present invention is used for a single sign-on. Referring to the above description of single sign-on, e.g. in line with the LAP specifications, the present invention provides a method for blinding the identity of the service provider SP towards the identity provider IdP.

Citations

44 Claims

1-26. -26. (canceled)

27. A method for sign-on in a network based communications environment, comprising the steps of:
- authentication of a first entity is requested by a second entity for accessing a service to be provided by the second entity (SP) to the first entity, the authentication being provided by a third entity (IdP);
  
  blinding towards the third entity (IdP) data identifying the second entity (SP) by modifying the data identifying the second entity (SP) such that no information on the basis of which the second entity (SP) is identifiably by the third entity (IdP) is provided; and
  
  , providing the modified data to the third entity (IdP).
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 28. The method according to claim 27, wherein said method is used for single sign-on in the network based communications environment.
  - 29. The method according to claim 27, further comprising the step of communicating a service request from the first entity to the second entity (SP).
  - 30. The method according to claim 27, further comprising the step of communicating at least one of a first authentication request and a first trusted group identifier from the second entity (SP) to the first entity, the first authentication request being relatable by the first entity to the second entity (SP), and the first group identifier indicating a group of trusted entities the second entity (SP) belongs to.
  - 31. The method according to claim 27, wherein blinding the data characterizing the second entity (SP) comprises at least one of the steps of:
    - blinding by means of the first entity;
      
      blinding by utilizing a memory associated to the first entity;
      
      blinding by utilizing cryptographic techniques;
      
      blinding by utilizing data identifying the second entity (SP); and
      
      blinding by utilizing data identifying the first entity towards the third entity (IdP).
  - 32. The method according to claim 27, further comprising the step of obtaining data identifying the third entity (IdP) and communicating a second authentication request from the first entity to the third entity (IdP), the second authentication request including or being accompanied by the blinded data and the data identifying the first entity towards the third entity (IdP).
  - 33. The method according to claim 32, wherein the data identifying the first entity towards the third entity (IdP) is or is accompanied by a second trusted group identifier, which indicates that the first entity belongs to a group of trusted entities.
  - 34. The method according to claim 32, wherein the second authentication request comprises or is accompanied by the first trusted group identifier.
  - 35. The method according to claim 32, further comprising the step of authenticating the first entity by the third entity (IdP) by using at least the data identifying the first entity towards the third entity (IdP).
  - 36. The method according to claim 33, further comprising the step of authenticating the first entity by the third entity (IdP) by using at least the second trusted group identifier.
  - 37. The method according to claim 32, further comprising the step of authenticating the second entity (SP) by the third entity (IdP) by using the first trusted group identifier.
  - 38. The method according to claim 32, further comprising the step of obtaining by the third entity (IdP), in response to the second authentication request, data characterizing the first entity towards the second entity (SP) by utilizing the blinded data and the data identifying the first entity towards the third entity (IdP).
  - 39. The method according to claim 27, further comprising the step of communicating, from the third entity (IdP) to the first entity, a first authentication response comprising or being accompanied by at least the data characterizing the first entity towards the second entity (SP).
  - 40. The method according to claim 39, further comprising the step of signing the first authentication response by the third entity (IdP) with a signature for authentication of the third entity towards the second entity (SP).
  - 41. The method according to claim 39, further comprising the step of communicating a second authentication response from of the first entity to the second entity (SP), the second authentication response comprising or being accompanied by the data characterizing the first entity towards the second entity (SP) and relatable by the second entity (SP) to the authentication requested by the second entity (SP).
  - 42. The method according to claim 27, further comprising the step of communicating a service response from the second entity (SP) to the first entity if the second authentication response is accepted by the second entity (SP), the service response indicating that the first entity is allowed to access the service.
  - 43. The method according to claim 42, wherein the accepting step comprises the step of obtaining by the second entity (SP) data identifying the first entity towards the second entity (SP), the data identifying the first entity towards the second entity (SP) being related to the data characterizing the first entity towards the second entity (SP).

44. A sign-on entity for use in a network based communications environment, said sign-on entity adapted to:
- receive an authentication request from a second entity (SP) for accessing a service to be provided by the second entity (SP) to the entity for authentication of the entity by a third entity (IdP), the authentication request comprising data identifying the second entity (SP); and
  
  , blind towards the third entity (IdP) data identifying the second entity (SP) by-modifying the data identifying the second entity (SP) such that no information on the basis of which the second entity (SP) is identifiable by the third entity (IdP) is provided, and by sending the modified data to the third entity (IdP).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Busboon, Axel

Application Number

US10/545,150
Publication Number

US 20060155993A1
Time in Patent Office

Days
Field of Search
US Class Current

713/169
CPC Class Codes

G06F 21/31   User authentication

G06F 21/6254   by anonymising data, e.g. d...

H04L 2209/04   Masking or blinding

H04L 2209/42   Anonymization, e.g. involvi...

H04L 63/0421   Anonymous communication, i....

H04L 63/0815   providing single-sign-on or...

H04L 9/321   involving a third party or ...

H04L 9/3271   using challenge-response

Service provider anonymization in a single sign-on system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Service provider anonymization in a single sign-on system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links