Session Key Security Protocol

US 20090204808A1
Filed: 04/20/2009
Published: 08/13/2009
Est. Priority Date: 05/15/2002
Status: Active Grant

First Claim

Patent Images

1. A method for exchanging information in a multi-site authentication system having a first network server and a second network server coupled to a data communication network, said method comprising:

receiving, from a client computing device via the first network server, a request for a service provided by the second network server;

receiving, from the first network server, an authentication ticket along with the request, said authentication ticket including;

a session key encrypted by a public key associated with the second network server;

message content encrypted by the session key; and

a signature for the encrypted session key and the encrypted message content, said signature including address information of the second network server;

identifying the address information for the second network server in the signature to validate the signature included in the authentication ticket;

verifying the authentication ticket content based on the signature included in the authentication ticket;

decrypting the encrypted session key via a private key associated with the second network server; and

decrypting the encrypted message content via the decrypted session key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Exchanging information in a multi-site authentication system. A network server receives, from an authentication server, a request by a client computing device for a service provided by the network server along with an authentication ticket. The authentication ticket includes: a session key encrypted by a public key associated with the network server, message content encrypted by the session key, and a signature for the encrypted session key and the encrypted message content. The signature includes address information of the network server. The network server identifies its own address information in the signature to validate the signature included in the authentication ticket and verifies the authentication ticket content based on the signature included in the authentication ticket. The network server decrypts the encrypted session key via a private key associated with the second network server and decrypts the encrypted message content via the decrypted session key.

75 Citations

View as Search Results

20 Claims

1. A method for exchanging information in a multi-site authentication system having a first network server and a second network server coupled to a data communication network, said method comprising:
- receiving, from a client computing device via the first network server, a request for a service provided by the second network server;
  
  receiving, from the first network server, an authentication ticket along with the request, said authentication ticket including;
  
  a session key encrypted by a public key associated with the second network server;
  
  message content encrypted by the session key; and
  
  a signature for the encrypted session key and the encrypted message content, said signature including address information of the second network server;
  
  identifying the address information for the second network server in the signature to validate the signature included in the authentication ticket;
  
  verifying the authentication ticket content based on the signature included in the authentication ticket;
  
  decrypting the encrypted session key via a private key associated with the second network server; and
  
  decrypting the encrypted message content via the decrypted session key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the first network server is an authentication server associated with the multi-site authentication system and wherein the message content includes login information retrieved from a user of the client computing device by said authentication server.
  - 3. The method of claim 2 wherein the login information includes a login ID and a password associated with the login ID.
  - 4. The method of claim 1 wherein the second network server is a portal for providing the client computing device with a gateway to services provided by another network server coupled to the data communication network.
  - 5. The method of claim 1 wherein the first and second network servers are web servers and the data communication network is the Internet.
  - 6. The method of claim 1 wherein the address information of the second network server includes the domain name of the second network server.
  - 7. The method of claim 1 wherein the session key is randomly generated, single-use session key.
  - 8. The method of claim 1 wherein the second network server includes one or more computer-readable storage media having computer-executable instructions executed by said second network server to implement said receiving a request for a service, said receiving an authentication ticket, said identifying, said verifying, said decrypting the encrypted session key, and said decrypting the encrypted message content.

9. A system for exchanging in a multi-site authentication system having an authentication server coupled to a data communication network, said system comprising:
- a network server coupled to the data communication network, wherein said network server includes a processor executing instructions stored on one or more computer-readable storage media to perform the following operations;
  
  receiving, from a client computing device via the authentication server, a request for a service provided by the network server;
  
  receiving, from the authentication server, an authentication ticket along with the request, said authentication ticket including a session key encrypted by a public key associated with the network server, message content encrypted by the session key, and a signature for the encrypted session key and the encrypted message content, said signature including address information of the network server;
  
  identifying the address information of the network server in the signature to validate the signature included in the authentication ticket;
  
  verifying the authentication ticket content based on the signature included in the authentication ticket;
  
  decrypting the encrypted session key via a private key associated with the network server; and
  
  decrypting the encrypted message content via the decrypted session key.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 9 wherein the message content includes login information retrieved from a user of the client computing device by the authentication server.
  - 11. The system of claim 10 wherein the login information includes a login ID and a password associated with the login ID.
  - 12. The system of claim 9 wherein the network server is a portal for providing the client computing device with a gateway to services provided by another network server coupled to the data communication network.
  - 13. The system of claim 9 wherein the address information of the network server includes the domain name of the network server.
  - 14. The system of claim 9 wherein the session key is a randomly generated, single-use session key.

15. A method of exchanging information on a data communication network, said data communication network having at least a client computing device, a network server, and an authentication server coupled thereto, said method comprising:
- receiving a request for a service provided by the network server;
  
  generating, in response to the request, a sign-in interface for obtaining authenticating information from a user of the client computing device;
  
  redirecting the client computing device from the network server to the authentication server, wherein the authentication server receives message content from the client computing device, said message content including the authenticating information obtained from the user of the client computing device via the interface;
  
  receiving, from the authentication server, an authentication ticket along with the request, said authentication ticket including;
  
  a randomly generated session key encrypted by a public key associated with the network server;
  
  the message content encrypted by the session key; and
  
  a signature for the encrypted session key and the encrypted message content, said signature including address information of the network server;
  
  identifying the address information for the network server in the signature to validate the signature included in the authentication ticket;
  
  verifying the authentication ticket content based on the signature included in the authentication ticket;
  
  decrypting the encrypted session key via a private key associated with the network server;
  
  decrypting the encrypted message content via the decrypted session key; and
  
  providing the service to the client computing device.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15 wherein the network server provides a portal service for providing the client computing device with a gateway to services provided by another network server coupled to the data communication network, and wherein said receiving a request comprises receiving a request for one of said services provided by the another network server.
  - 17. The method of claim 15 wherein the message content includes login information retrieved from a user of the client computing device by the authentication server.
  - 18. The method of claim 17 wherein the wherein the login information includes a login ID and a password associated with the login ID.
  - 19. The method of claim 15 wherein the session key is a randomly generated, single-use session key.
  - 20. The method of claim 15 wherein the network server includes one or more computer-readable storage media having computer-executable instructions executed by said network server to implement said receiving a request for a service, said generating, said redirecting, said receiving an authentication ticket, said identifying, said verifying, said decrypting the encrypted session key, said decrypting the encrypted message content, and said providing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Guo, Wei-Quiang Michael, Chan, Kok Wai, Howard, John Hal

Granted Patent

US 7,971,240 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/155
CPC Class Codes

G06F 21/33   using certificates

G06F 21/41   where a single sign-on prov...

H04L 2209/60   Digital content management,...

H04L 63/045   wherein the sending and rec...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 9/0844   with user authentication or...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3247   involving digital signatures

Session Key Security Protocol

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

75 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Session Key Security Protocol

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

75 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links