Enhanced security for electronic communications

US 20070234410A1
Filed: 03/31/2006
Published: 10/04/2007
Est. Priority Date: 03/31/2006
Status: Active Grant

First Claim

Patent Images

1. A method for a computing system of a single sign-on service to verify identities of third-party Web sites whose users interact with the single sign-on service, the verifying being based in part on use of digital signatures corresponding to the Web sites, the method comprising:

for each of multiple third-party Web sites, registering the Web site with the single sign-on service, the registering including obtaining information for the Web site that includes a shared secret access key available to the Web site and a unique non-secret identifier associated with the shared secret access key;

receiving multiple sign-on messages that are each from one of the multiple third-party Web sites on behalf of a user of the one Web site who is attempting to perform a sign-on to the single sign-on service, each message including multiple parameters that identify the user and that indicate sign-on information for the user, each message further including the identifier of the one Web site and a digital signature that is generated using the shared secret access key of the one Web site and using information included in the message; and

for each of the multiple received sign-on messages, verifying an identity of the Web site from which the sign-on message was received based at least in part on the digital signature included in the sign-on message.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for providing enhanced security for electronic communications, such as by including in a message sent between two services a digital signature that is generated by using secret information known to the services, so that the recipient receives assurance regarding the sender'"'"'s identity if the recipient can replicate the received digital signature using the secret information known to the recipient. In some situations, the enhanced security is used in communications to and/or from an access manager system that provides single sign-on functionality and other functionality to other services for use with those services'"'"' users, such as to prevent malicious phishers from inappropriately gaining access to user information. Various services may use the enhanced security techniques when interacting with the access manager system at various times, such as to initiate sign-on for a user and/or to take subsequent action on behalf of a signed-on user.

131 Citations

51 Claims

1. A method for a computing system of a single sign-on service to verify identities of third-party Web sites whose users interact with the single sign-on service, the verifying being based in part on use of digital signatures corresponding to the Web sites, the method comprising:
- for each of multiple third-party Web sites, registering the Web site with the single sign-on service, the registering including obtaining information for the Web site that includes a shared secret access key available to the Web site and a unique non-secret identifier associated with the shared secret access key;
  
  receiving multiple sign-on messages that are each from one of the multiple third-party Web sites on behalf of a user of the one Web site who is attempting to perform a sign-on to the single sign-on service, each message including multiple parameters that identify the user and that indicate sign-on information for the user, each message further including the identifier of the one Web site and a digital signature that is generated using the shared secret access key of the one Web site and using information included in the message; and
  
  for each of the multiple received sign-on messages, verifying an identity of the Web site from which the sign-on message was received based at least in part on the digital signature included in the sign-on message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein the verifying of the identity of the Web site from which the sign-on message was received based at least in part on the digital signature included in the sign-on message includes:
    - retrieving the shared secret access key with which the identifier included in the received sign-on message is associated;
      
      generating a new digital signature using the retrieved shared secret access key and information included in the received sign-on message; and
      
      determining that the new digital signature matches the digital signature included in the received sign-on message.
  - 3. The method of claim 2 further comprising:
    - after the identity of the Web site is verified, using the parameters included in the received sign-on message to determine whether to approve the attempted sign-on by the user identified in the received sign-on message; and
      
      if the attempted sign-on by the identified user is approved, providing to the Web site a credential that represents the identified user for later use in performing operations on behalf of the identified user.
  - 4. The method of claim 3 further comprising:
    - receiving multiple messages that are each from one of the multiple third-party Web sites to perform an indicated operation on behalf of a user of the one Web site, each message including a previously provided credential that represents the user; and
      
      for each of the multiple received messages, verifying that the included credential is valid for the user and performing the indicated operation if the credential is valid.
  - 5. The method of claim 3 wherein the registering of each of the Web sites with the single sign-on service further includes determining access rights specific to the Web site for use in performing operations on behalf of users of the Web site, and wherein, after the identity of the Web site is verified for a received sign-on message, the determining of whether to approve the attempted sign-on by a user identified in the message and/or the providing to the Web site of a credential that represents the identified user are performed in a manner specific to the determined access rights for the Web site.
  - 6. The method of claim 2 wherein the multiple parameters of each of the received sign-on messages further include an indication of a requested sign-on operation and a timestamp, and wherein the information included in each of the received sign-on messages that is used for generating the included digital signature includes the parameters indicating the sign-on information and the timestamp.
  - 7. The method of claim 6 wherein the information included in each of the received sign-on messages that is used for the generating of the new digital signature is the same information used for generating the digital signature included in the message based on the information used being part of a predefined group of information, and wherein the generating of a digital signature using information from the specified group of information includes arranging the information in a predetermined order before generating the digital signature.
  - 8. The method of claim 1 further comprising failing to verify an identity of a Web site from which is received another sign-on message on behalf of a user, and not approving an attempted sign-on by the user based on the failing.
  - 9. The method of claim 1 wherein the registering of one of the Web sites with the single sign-on service is performed by an operator of the one Web site so as to register the one Web site as a customer of the single sign-on service, and wherein the shared secret access key for the one Web site is determined at least in part based on information supplied by the operator as part of the registering of the one Web site such that the shared secret access key is unique to the one Web site.
  - 10. The method of claim 1 wherein at least some of the received sign-on messages are each specified as an Uniform Resource Locator such that the multiple parameters and the digital signature for the message are specified as query parameters within the Uniform Resource Locator.
  - 11. The method of claim 1 wherein, for at least some of the received sign-on messages that are each from a third-party Web site on behalf of a user of the Web site who is attempting to perform a sign-on to the single sign-on service, the message is received from a computing system of the user after the Web site sent a communication to the computing system of the user to be redirected to the single sign-on service, the communication sent from the Web site including the identifier of the Web site and the generated digital signature that is included in the sign-on message.
  - 12. The method of claim 11 wherein, for each of the at least some received sign-on messages that are each from a third-party Web site on behalf of a user of the Web site who is attempting to perform a sign-on to the single sign-on service, the received sign-on message includes at least a first received electronic communication and a distinct second received electronic communication, such that the first received communication includes the identifier of the Web site and the generated digital signature for the sign-on message and is initiated by the Web site, and such that the second received communication is from the user and includes the indicated sign-on information for the user, the second received communication being in response to a sign-on Web page sent to the user after receipt of the first received communication and not being accessible to the Web site.

13. A computer-implemented method for verifying authorization of Web service invocation requests based in part on generated digital signatures accompanying the requests, the method comprising:
- receiving multiple requests that are each from one of multiple requesters to invoke an indicated single sign-on Web service on behalf of a user associated with the requester, each received request including a predefined identifier associated with the requester and a generated digital signature that is generated based at least in part on information included in the request and on other information that is not included in the request, the predefined identifier for the requester being associated with a predefined secret access key known to the requester; and
  
  for each of the multiple received requests from a requester to invoke the indicated single sign-on Web service on behalf of a user, attempting to verify that the request is from an authorized requester by generating a new digital signature for the request and determining whether the new digital signature matches the digital signature included in the request, the generating of the new digital signature including retrieving the predefined secret access key that is associated with the predefined identifier included in the request and using the retrieved access key along with information included in the request for the generating of the new digital signature, such that the new and included digital signatures will match if the other information not included in the request that was used for generating the included digital signature is the retrieved predefined associated secret access key; and
  
  if it is verified that the request is from an authorized requester, facilitation invocation of the indicated single sign-on Web service in such a manner as to perform an action for the user on whose behalf the request is being made by the requester.
- View Dependent Claims (14, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 14. The method of claim 13 wherein the verifying that a request is from an authorized user includes verifying an identity of the requester.
  - 18. The method of claim 13 wherein one of the requests from a requester includes a credential that represents the user on whose behalf the indicated single sign-on Web service is to be invoked for the one request, the credential having been previously issued to a recipient requester such that the credential is invalid for other requesters, and wherein the verifying that the one request is from an authorized requester further includes verifying that the requester for the one request is the recipient requester.
  - 19. The method of claim 13 wherein one of the requests from a requester includes a credential that represents the user on whose behalf the indicated single sign-on Web service is to be invoked for the one request, the credential having been previously issued to a recipient requester other than the requester such that the credential is valid for other requesters only if authority to use the credential has been delegated to the other requesters by the recipient requester, and wherein the verifying that the one request is from an authorized requester further includes verifying that the requester has received a delegation of authority to use the credential from the recipient requester.
  - 20. The method of claim 13 wherein the method is performed by one or more computing systems of the single sign-on Web service, and wherein the action to be performed for a user for one of the received requests from a requester is to send a sign-on Web page to the user to allow the user to designate sign-on information for the user to be provided to the single sign-on Web service for use in performing a sign-on of the user to the single sign-on Web service.
  - 21. The method of claim 20 further comprising receiving the designated sign-on information for the user, and performing a sign-on operation for the user to the single sign-on Web service if the received sign-on information is valid for the user.
  - 22. The method of claim 21 further comprising, if the received sign-on information is valid for the user, providing a credential to the requester to represent the user in future actions.
  - 23. The method of claim 21 wherein the performing of the sign-on operation occurs in accordance with a standardized sign-on process.
  - 24. The method of claim 23 wherein the standardized sign-on process is to be performed in accordance with WS-Federation specifications.
  - 25. The method of claim 23 wherein the standardized sign-on process is to be performed in accordance with Liberty Alliance Project specifications.
  - 26. The method of claim 20 wherein designating of the sign-on information by the user and providing of the designated sign-on information for the user to the single sign-on Web service are performed in such a manner as to prevent the requester from obtaining access to the designated sign-on information.
  - 27. The method of claim 13 wherein one of the requests further includes sign-on information for the user on whose behalf the one request is made.
  - 28. The method of claim 27 wherein the action to be performed for a user for one of the received requests is to perform a sign-on to the single sign-on Web service using the included sign-on information, and wherein the method further comprises providing a credential to the requester to represent the user if performance of the sign-on succeeds.
  - 29. The method of claim 13 further comprising:
    - receiving multiple requests that are each from one of multiple requesters to take an indicated action and that are not made on behalf of other users, each received request including a predefined identifier associated with the requester and a generated digital signature that is generated based at least in part on information included in the request and on other information that is not included in the request, the predefined identifier for the requester being associated with a predefined secret access key known to the requester; and
      
      for each of the multiple received requests from a requester to take an indicated action, before taking the indicated action for the request, verifying that the request is from an authorized requester by generating a new digital signature for the request and determining that the new digital signature matches the digital signature included in the request, the generating of the new digital signature including retrieving the predefined secret access key that is associated with the predefined identifier included in the request and using the retrieved access key along with information included in the request for the generating of the new digital signature, such that the new and included digital signatures will match if the other information not included in the request that was used for generating the included digital signature is the retrieved predefined associated secret access key.
  - 30. The method of claim 13 wherein the secret access key for one of the requests from a requester is a shared secret between the requester and a system performing the method.
  - 31. The method of claim 13 wherein the secret access keys for at least some of the requests are each at least one of a portion of a public key pair, an X.509 certificate, and information generated by a hard token.
  - 32. The method of claim 13 wherein one of the requests includes multiple parameters for use with the indicated single sign-on Web service for the one request, and wherein the generating of the new digital signature for the one request uses an indicated ordering of at least some of the parameters.
  - 33. The method of claim 13 wherein the multiple requesters each have a granted level of permissions that are determined specific to the requester, and wherein the attempting to verify that a request from a requester is from an authorized requester is performed in a manner that varies to reflect the determined level of permissions for the requester.
  - 34. The method of claim 13 wherein the performing of an attempt to verify that a request from a requester is from an authorized requester employs stricter criteria for verifying that the request is from an authorized requester if the requester has a low level of permissions than if the requester has a high level of permissions.
  - 35. The method of claim 13 wherein each of at least one of the requests includes a timestamp, and wherein the verifying for each of the at least some requests that the request is from an authorized requester further includes verifying that a current time is within a predetermined period of time since the included timestamp.
  - 36. The method of claim 13 wherein for each of at least one of the requests the indicated single sign-on Web service is provided by a system performing the method on behalf of the single sign-on Web service.
  - 37. The method of claim 13 further comprising, for each of at least one of the requests, if it is not verified that the request is from an authorized requester, preventing invocation of the indicated single sign-on Web service for the request.

15. The method of 13 wherein the method is performed by an access manager, and wherein the method further comprises, before the receiving of at least one of the multiple requests from a requester, registering the requester with the access manager by obtaining information for the requester that includes a non-secret unique identifier, a secret access key known to the requester, and other information associated with the requester, such that the non-secret unique identifier is the predefined identifier in the at least one requests and such that the secret access key is the predefined secret access key in the at least one requests.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15 wherein the verifying that each of the at least one requests is from an authorized requester further includes verifying that the predefined identifier included in the request corresponds to a registered requester.
  - 17. The method of claim 15 wherein the verifying that each of the at least one requests is from an authorized requester further includes determining that the identity of the requester from whom the request is received is the registered requester based at least in part on the information obtained from the requester during the registering.

38. A computer-readable medium whose contents enable a computing device to authorize service requests based in part on generated digital signatures accompanying the requests, by performing a method comprising:
- receiving an indication of a request by a requester to obtain indicated functionality, the received request including a digital signature that is generated based on information included in the request and on other information associated with the requester, the indicated functionality including to facilitate sign-on by a user to a sign-on service;
  
  verifying that the request is authorized based at least in part on the other information associated with the requester being a predefined secret access key that is associated with the requester; and
  
  after verifying that the request is authorized, facilitating provision of the indicated functionality for the requester.
- View Dependent Claims (39, 40, 41, 42, 43, 44, 45, 46, 47)
- - 39. The computer-readable medium of claim 38 wherein the verifying that the request is authorized based at least in part on the other information associated with the requester includes generating a new digital signature and determining that the new digital signature matches the digital signature included in the request, the generating of the new digital signature being based on the information included in the request and on a retrieved predefined secret access key that is associated with a predefined identifier included in the request.
  - 40. The computer-readable medium of claim 38 wherein the verifying that the request is authorized is further based in part on access rights that are determined for the requester.
  - 41. The computer-readable medium of claim 38 wherein the user uses a service provided by the requester, wherein the request is made by the requester on behalf of the user, and wherein the facilitating of the provision of the indicated functionality for the requester includes performing a sign-on of the user to the sign-on service based on sign-on information received for the user if the received sign-on information is valid for the user.
  - 42. The computer-readable medium of claim 41 wherein the performing of the sign-on of the user including sending a sign-on Web page to the user to allow the user to designate the sign-on information, and wherein the method further comprises, if the received sign-on information is valid for the user, providing a credential to the requester to represent the user in future actions.
  - 43. The computer-readable medium of claim 41 wherein the sign-on service is a single sign-on service, and wherein the computing device performs the method on behalf of the single sign-on service.
  - 44. The computer-readable medium of claim 38 wherein the computer-readable medium is a memory of a computing device.
  - 45. The computer-readable medium of claim 38 wherein the computer-readable medium is a data transmission medium transmitting a generated data signal containing the contents.
  - 46. The computer-readable medium of claim 38 wherein the contents are instructions that when executed cause the computing device to perform the method.
  - 47. The computer-readable medium of claim 38 wherein the contents include one or more data structures for use in authorizing service requests, the data structures comprising one or more entries that each correspond to a requester and contain information comprising a predefined identifier associated with the requester and an associated predefined secret access key available to the requester.

48. A computing system configured to verify authorization of requests for services based in part on generated digital signatures accompanying the requests, comprising:
- a first module that is configured to receive multiple requests that are each from a requester to invoke an indicated service, each received request including a digital signature that is generated based at least in part on information included in the request and on other information specific to the requester that is not included in the request, the indicated service being a sign-on service for use by users interacting with multiple requesters; and
  
  a second module that is configured to, for each of the multiple received requests from a requester, verify that the request is authorized by generating a new digital signature for the request that matches the digital signature included in the request, the generating of the new digital signature including using a predefined secret access key for the requester so as to verify that the other information not included in the request that was used for generating the included digital signature is the predefined secret access key; and
  
  facilitate invocation of the indicated service.
- View Dependent Claims (49, 50, 51)
- - 49. The computing system of claim 48 further comprising:
    - a third module that is configured to register multiple requesters, the registering including determining information for the requester that includes a secret access key available to the requester and a non-secret unique identifier associated with the secret access key.
  - 50. The computing system of claim 48 wherein the first module and the second module each include software instructions for execution in memory of the computing system.
  - 51. The computing system of claim 48 wherein the first module consists of a means for receiving multiple requests that are each from a requester to invoke an indicated service, each received request including a digital signature that is generated based at least in part on information included in the request and on other information specific to the requester that is not included in the request, the indicated service being a sign-on service for use by users interacting with multiple requesters;
    - and wherein the second module consists of a means for, for each of the multiple received requests from a requester, verifying that the request is authorized by generating a new digital signature for the request that matches the digital signature included in the request, the generating of the new digital signature including using a predefined secret access key for the requester so as to verify that the other information not included in the request that was used for generating the included digital signature is the predefined secret access key, and facilitating invocation of the indicated service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Geller, Alan

Granted Patent

US 8,312,523 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/8
CPC Class Codes

G06F 21/31   User authentication

G06F 21/41   where a single sign-on prov...

G06F 2221/2119   Authenticating web pages, e...

G06Q 20/3821   Electronic credentials

G06Q 20/3825   Use of electronic signatures

G06Q 2220/00   Business processing using c...

H04L 63/0815   providing single-sign-on or...

H04L 63/102   Entity profiles

H04L 63/123   received data contents, e.g...

Enhanced security for electronic communications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

131 Citations

51 Claims

Specification

Solutions

Use Cases

Quick Links

Enhanced security for electronic communications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

131 Citations

51 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links