Enhanced security for electronic communications
2 Assignments
0 Petitions
Abstract
Techniques are described for providing enhanced security for electronic communications, such as by including in a message sent between two services a digital signature that is generated by using secret information known to the services, so that the recipient receives assurance regarding the sender's identity if the recipient can replicate the received digital signature using the secret information known to the recipient. In some situations, the enhanced security is used in communications to and/or from an access manager system that provides single sign-on functionality and other functionality to other services for use with those services' users, such as to prevent malicious phishers from inappropriately gaining access to user information. Various services may use the enhanced security techniques when interacting with the access manager system at various times, such as to initiate sign-on for a user and/or to take subsequent action on behalf of a signed-on user.
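
The replicate-and-compare check described in the abstract, sketched as an added example that is not taken from the patent or from any implementation of it. It assumes HMAC-SHA256 as the signature function and a sorted, URL-encoded parameter string as the signed content; the names `site_id`, `signature`, `REGISTERED_SITES` and all sample values are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed registration data: non-secret identifier -> shared secret access key.
REGISTERED_SITES = {"site-1234": b"constructed-secret-for-site-1234"}

def canonical_string(params):
    """Serialize every parameter except the signature in a fixed (sorted) order."""
    items = sorted((k, v) for k, v in params.items() if k != "signature")
    return urlencode(items).encode("utf-8")

def sign_request(params, secret_key):
    """Sender side: signature over the message contents and the secret key.
    HMAC-SHA256 is an assumption of this example."""
    return hmac.new(secret_key, canonical_string(params), hashlib.sha256).hexdigest()

def verify_request(params, registry=REGISTERED_SITES):
    """Recipient side: look up the key by identifier, recompute, compare."""
    secret_key = registry.get(params.get("site_id", ""))
    received = params.get("signature")
    if secret_key is None or not isinstance(received, str):
        return False  # unknown identifier or unsigned message
    expected = sign_request(params, secret_key)
    # Constant-time comparison: does not reveal how much of the value matched.
    return hmac.compare_digest(expected.encode("ascii"), received.encode("utf-8"))

def demo():
    """Run the check over four constructed messages and return the verdicts."""
    msg = {"site_id": "site-1234", "user": "alice",
           "return_url": "https://shop.example/after-login"}
    msg["signature"] = sign_request(msg, REGISTERED_SITES["site-1234"])
    # Parameter changed after signing: the recomputed signature no longer matches.
    tampered = dict(msg, return_url="https://other.example/collect")
    # Sender that knows the identifier but not the registered key.
    forged = dict(msg)
    forged["signature"] = sign_request(forged, b"not-the-registered-key")
    # Identifier that was never registered.
    unknown = dict(msg, site_id="site-9999")
    cases = [("genuine", msg), ("tampered", tampered),
             ("forged", forged), ("unknown", unknown)]
    return {name: verify_request(m) for name, m in cases}

if __name__ == "__main__":
    print(demo())
```

Under these assumptions the check does not by itself reject a replayed copy of a genuine message; that would need a timestamp or nonce among the signed parameters.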
131 Citations
51 Claims
1. A method for a computing system of a single sign-on service to verify identities of third-party Web sites whose users interact with the single sign-on service, the verifying being based in part on use of digital signatures corresponding to the Web sites, the method comprising:
- for each of multiple third-party Web sites, registering the Web site with the single sign-on service, the registering including obtaining information for the Web site that includes a shared secret access key available to the Web site and a unique non-secret identifier associated with the shared secret access key;
- receiving multiple sign-on messages that are each from one of the multiple third-party Web sites on behalf of a user of the one Web site who is attempting to perform a sign-on to the single sign-on service, each message including multiple parameters that identify the user and that indicate sign-on information for the user, each message further including the identifier of the one Web site and a digital signature that is generated using the shared secret access key of the one Web site and using information included in the message; and
- for each of the multiple received sign-on messages, verifying an identity of the Web site from which the sign-on message was received based at least in part on the digital signature included in the sign-on message.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. A computer-implemented method for verifying authorization of Web service invocation requests based in part on generated digital signatures accompanying the requests, the method comprising:
- receiving multiple requests that are each from one of multiple requesters to invoke an indicated single sign-on Web service on behalf of a user associated with the requester, each received request including a predefined identifier associated with the requester and a generated digital signature that is generated based at least in part on information included in the request and on other information that is not included in the request, the predefined identifier for the requester being associated with a predefined secret access key known to the requester; and
- for each of the multiple received requests from a requester to invoke the indicated single sign-on Web service on behalf of a user, attempting to verify that the request is from an authorized requester by generating a new digital signature for the request and determining whether the new digital signature matches the digital signature included in the request, the generating of the new digital signature including retrieving the predefined secret access key that is associated with the predefined identifier included in the request and using the retrieved access key along with information included in the request for the generating of the new digital signature, such that the new and included digital signatures will match if the other information not included in the request that was used for generating the included digital signature is the retrieved predefined associated secret access key; and
- if it is verified that the request is from an authorized requester, facilitating invocation of the indicated single sign-on Web service in such a manner as to perform an action for the user on whose behalf the request is being made by the requester.
Dependent claims: 14, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37
15. The method of claim 13 wherein the method is performed by an access manager, and wherein the method further comprises, before the receiving of at least one of the multiple requests from a requester, registering the requester with the access manager by obtaining information for the requester that includes a non-secret unique identifier, a secret access key known to the requester, and other information associated with the requester, such that the non-secret unique identifier is the predefined identifier in the at least one requests and such that the secret access key is the predefined secret access key in the at least one requests.
38. A computer-readable medium whose contents enable a computing device to authorize service requests based in part on generated digital signatures accompanying the requests, by performing a method comprising:
- receiving an indication of a request by a requester to obtain indicated functionality, the received request including a digital signature that is generated based on information included in the request and on other information associated with the requester, the indicated functionality including to facilitate sign-on by a user to a sign-on service;
- verifying that the request is authorized based at least in part on the other information associated with the requester being a predefined secret access key that is associated with the requester; and
- after verifying that the request is authorized, facilitating provision of the indicated functionality for the requester.
Dependent claims: 39, 40, 41, 42, 43, 44, 45, 46, 47
48. A computing system configured to verify authorization of requests for services based in part on generated digital signatures accompanying the requests, comprising:
- a first module that is configured to receive multiple requests that are each from a requester to invoke an indicated service, each received request including a digital signature that is generated based at least in part on information included in the request and on other information specific to the requester that is not included in the request, the indicated service being a sign-on service for use by users interacting with multiple requesters; and
- a second module that is configured to, for each of the multiple received requests from a requester, verify that the request is authorized by generating a new digital signature for the request that matches the digital signature included in the request, the generating of the new digital signature including using a predefined secret access key for the requester so as to verify that the other information not included in the request that was used for generating the included digital signature is the predefined secret access key; and
- facilitate invocation of the indicated service.
Dependent claims: 49, 50, 51
Specification