Using one-time passwords with single sign-on authentication

US 20070006291A1
Filed: 06/30/2005
Published: 01/04/2007
Est. Priority Date: 06/30/2005
Status: Active Grant

First Claim

Patent Images

1. A method of enabling a user to use a one-time password (OTP) in conjunction with single sign-on (SSO) authentication, said method comprising:

receiving an authentication request, said authentication request including a username and an OTP associated with the user;

authenticating the OTP;

updating a database with the authenticated OTP, said database including a mapping of a plurality of usernames associated with a plurality of users to a respective password, such that the password mapped to the username associated with the user is the authenticated OTP; and

permitting the database to be accessible by an authentication server configured to use the password mapped to the username associated with the user in the database to provide SSO authentication to the user.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, computer program product, authentication proxy server, and system for enabling a user to use a one-time password in conjunction with single sign-on authentication and external authentication, such as provided by the Kerberos protocol, are provided.

Citations

28 Claims

1. A method of enabling a user to use a one-time password (OTP) in conjunction with single sign-on (SSO) authentication, said method comprising:
- receiving an authentication request, said authentication request including a username and an OTP associated with the user;
  
  authenticating the OTP;
  
  updating a database with the authenticated OTP, said database including a mapping of a plurality of usernames associated with a plurality of users to a respective password, such that the password mapped to the username associated with the user is the authenticated OTP; and
  
  permitting the database to be accessible by an authentication server configured to use the password mapped to the username associated with the user in the database to provide SSO authentication to the user.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising using the OTP stored in the database, and mapped to the username associated with the user, to encrypt a session key and to generate a master ticket, said master ticket capable of being used by the user to request one or more service tickets, said service tickets capable of being used to access a respective application server.
  - 3. The method of claim 2 further comprising:
    - receiving the encrypted session key and generated master ticket from the authentication server; and
      
      transmitting the session key and master ticket received to the user.
  - 4. The method of claim 3 further comprising:
    - receiving a service ticket request, said service ticket request including the master ticket;
      
      transmitting the service ticket request to a ticket granting server;
      
      receiving a service ticket from the ticket granting server in response to the service ticket request, wherein said service ticket is encrypted with a secret key associated with a respective application server; and
      
      transmitting the service ticket received to the user.
  - 5. The method of claim 4, wherein receiving the service ticket request, transmitting the service ticket request to the ticket granting server, receiving the service ticket and transmitting the service ticket to the user are repeated each time the user wishes to access a different application server.
  - 6. The method of claim 4, wherein the authentication server comprises a Kerberos Authentication Server (AS), and the ticket granting server comprises a Kerberos Ticket Granting Server (TGS).

7. A computer program product for enabling a user to use a one-time password (OTP) in conjunction with single sign-on (SSO) authentication, wherein the computer program product comprises at least one computer-readable storage medium having computer-readable program code portions stored therein, the computer-readable program code portions comprising:
- a first executable portion for receiving an authentication request, said request including a username and an OTP associated with the user;
  
  a second executable portion for authenticating the OTP;
  
  a third executable portion for updating a database with the authenticated OTP, said database including a mapping of a plurality of usernames associated with a plurality of users to a respective password, such that the password mapped to the username associated with the user is the authenticated OTP; and
  
  a fourth executable portion for permitting the database to be accessible by an authentication server configured to use the password mapped to the username associated with the user in the database to provide SSO authentication to the user.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer program product of claim 7, further comprising a fifth executable portion for using the OTP stored in the database, and mapped to the username associated with the user, to encrypt a session key and to generate a master ticket, said master ticket capable of being used by the user to request one or more service tickets, said service tickets capable of being used to access a respective application server.
  - 9. The computer program product of claim 8 further comprising:
    - a sixth executable portion for receiving the encrypted session key and generated master ticket from the authentication server; and
      
      a seventh executable portion for transmitting the session key and master ticket received to the user.
  - 10. The computer program product of claim 9, further comprising:
    - an eighth executable portion for receiving a service ticket request, said request including the master ticket;
      
      a ninth executable portion for transmitting the service ticket request to a ticket granting server;
      
      a tenth executable portion for receiving a service ticket from the ticket granting server in response to the service ticket request, wherein said service ticket is encrypted with a secret key associated with the authentication server and transmitted to the user; and
      
      an eleventh executable portion for transmitting the service ticket received to the user.
  - 11. The computer program product of claim 10, wherein receiving the service ticket request, transmitting the request to the ticket granting server, receiving the service ticket and transmitting the service ticket to the user are repeated each time the user wishes to access a different application server.
  - 12. The computer program product of claim 10, wherein the authentication server comprises a Kerberos Authentication Server (AS), and the ticket granting server is a Kerberos Ticket Granting Server (TGS).

13. A system for enabling a user to use a one-time password (OTP) in conjunction with single sign-on (SSO) authentication, said system comprising:
- a client application associated with the user;
  
  an authentication proxy server in communication with the client application, said authentication proxy server configured to receive an authentication request from the client application, said authentication request including a username and an OTP associated with the user;
  
  a password authentication server (PAS) in communication with the authentication proxy server, wherein the authentication proxy server authenticates the OTP using the PAS;
  
  a database accessible by the authentication proxy server, said database including a mapping of a plurality of usernames associated with a plurality of users to a respective password, wherein said authentication proxy server is configured to update said database with said authenticated OTP, such that the password mapped to the username associated with the user is the authenticated OTP; and
  
  an authentication server in communication with the authentication proxy server, said authentication server configured to receive the authentication request from the authentication proxy server, and, in response, to access the database to retrieve the authenticated OTP mapped to the username associated with the user, and use said authenticated OTP to provide SSO authentication.

14. The system of 13, wherein the authentication server provides SSO authentication by using the OTP retrieved from the database to encrypt a session key and to generate a master ticket, said master ticket capable of being used by the client application to request one or more service tickets, said service tickets capable of being used to access a respective application server.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The system of claim 14, wherein said authentication server is further configured to transmit the encrypted session key and the generated master ticket to the authentication proxy server, and wherein said authentication proxy server is further configured to transmit the session key and master ticket received to the client application.
  - 16. The system of claim 15 further comprising:
    - a ticket granting server in communication with the authentication proxy server, wherein said authentication proxy server is further configured to receive a service ticket request, said service ticket request including the master ticket previously generated by the authentication server and an identification of a respective application server, and to transmit the service ticket request to the ticket granting server.
  - 17. The system of claim 16, wherein the ticket granting server is configured to generate a service ticket using a secret key associated with the application server, and to transmit the service ticket to the authentication proxy server, and wherein said authentication proxy server is further configured to transmit the service ticket received to the client application.
  - 18. The system of claim 16, wherein the authentication server comprises a Kerberos Authentication Server (AS), and the ticket granting server comprises a Kerberos Ticket Granting Server (TGS).

19. An authentication proxy server capable of enabling a user to use a one-time password (OTP) in conjunction with single sign-on (SSO) authentication, said authentication proxy server comprising:
- means for receiving an authentication request, said authentication request including a username and an OTP associated with the user;
  
  means for authenticating the OTP; and
  
  means for updating a database with the authenticated OTP, said database including a mapping of a plurality of usernames associated with a plurality of users to a respective password, such that the password mapped to the username associated with the user is the authenticated OTP, wherein the database is accessible by an authentication server configured to use the password mapped to the username associated with the user in the database to provide SSO authentication to the user.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The authentication proxy server of claim 19, wherein the authentication server provides SSO authentication by using the OTP stored in the database, and mapped to the username associated with the user, to encrypt a session key and to generate a master ticket, said master ticket capable of being used by the user to request one or more service tickets, said service tickets capable of being used to access a respective application server, and wherein said authentication proxy server further comprises:
    - means for receiving the encrypted session key and generated master ticket from the authentication server; and
      
      means for transmitting the session key and master ticket received to the user.
  - 21. The authentication proxy server of claim 20 further comprising:
    - means for receiving a service ticket request, said service ticket request including the master ticket;
      
      means for transmitting the service ticket request to a ticket granting server;
      
      means for receiving a service ticket from the ticket granting server in response to the service ticket request, wherein said service ticket is encrypted with the session key previously encrypted by the authentication server and transmitted to the user; and
      
      means for transmitting the service ticket received to the user.
  - 22. The authentication proxy server of claim 21, wherein receiving the service ticket request, transmitting the service ticket request to the ticket granting server, receiving the service ticket and transmitting the service ticket to the user are repeated each time the user wishes to access a different application server.
  - 23. The authentication proxy server of claim 21, wherein the authentication server comprises a Kerberos Authentication Server (AS), and said ticket granting server comprises a Kerberos Ticket Granting Server (TGS).

24. An authentication proxy server capable of enabling a user to use a one-time password (OTP) in conjunction with single sign-on (SSO) authentication, said authentication proxy server comprising:
- a processing device capable of receiving an authentication request including a username and an OTP associated with the user, said processing device also capable of authenticating the OTP and updating a database with the authenticated OTP, wherein the database includes a mapping of a plurality of usernames associated with a plurality of users to a respective password, such that the password mapped to the username associated with the user is the authenticated OTP, and wherein the database is also accessible by an authentication server configured to use the password mapped to the username associated with the user in the database to provide SSO authentication to the user.
- View Dependent Claims (25, 26, 27, 28)
- - 25. The authentication proxy server of claim 24, wherein the authentication server provides SSO authentication by using the OTP stored in the database, and mapped to the username associated with the user, to encrypt a session key and to generate a master ticket, said master ticket capable of being used by the user to request one or more service tickets, said service tickets capable of being used to access a respective application server, and wherein the processing device of the authentication proxy server is further capable of receiving the encrypted session key and generated master ticket from the authentication server and transmitting the session key and master ticket received to the user.
  - 26. The authentication proxy server of claim 25 wherein said processing device is further capable of receiving a service ticket request including the master ticket, transmitting the service ticket request to a ticket granting server, receiving a service ticket from the ticket granting server in response to the service ticket request that is encrypted with a secret key associated with a respective application server and transmitting the service ticket received to the user.
  - 27. The authentication proxy server of claim 26, wherein receiving the service ticket request, transmitting the service ticket request to the ticket granting server, receiving the service ticket and transmitting the service ticket to the user are repeated each time the user wishes to access a different application server.
  - 28. The authentication proxy server of claim 26, wherein the authentication server comprises a Kerberos Authentication Server (AS), and said ticket granting server comprises a Kerberos Ticket Granting Server (TGS).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Solutions and Networks US LLC (Nokia Corporation)
Original Assignee
Nokia Corporation
Inventors
Zaretsky, Elias, Barari, Tirthankar, Elkun, Leonid

Granted Patent

US 7,540,022 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/10
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/41   where a single sign-on prov...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0838   using one-time-passwords

H04L 63/0884   by delegation of authentica...

H04L 9/083   involving central third par...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3228   One-time or temporary data,...

Using one-time passwords with single sign-on authentication

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Using one-time passwords with single sign-on authentication

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links