Authentication system for networked computer applications

US 20100017859A1
Filed: 09/14/2009
Published: 01/21/2010
Est. Priority Date: 12/23/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method of authenticating a user within a networked computer system, the method comprising:

providing an authentication server for authenticating a user;

providing a gatekeeper server;

creating an authentication token comprising a user ID of the user by the authentication server upon user authentication to uniquely identify the user, the authentication token being independent of the user credentials presented by the user and verifiable without a need for the user to re-present the user credentials;

providing an application server;

providing a first encryption key, said first encryption key being shared by the authentication server and the application server but not with the gatekeeper server;

encrypting the authentication token with the first encryption key, wherein the gatekeeper server is unable to access the encrypted authentication token created by the authentication server; and

using the encrypted authentication token by the application server to verify that the user is a subscriber to the application server.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system such as in a networked computer system comprising a user, an application server, a gatekeeper server and an authentication server. Communication within the system is managed by the gatekeeper server, wherein the user communicates with the authentication server and the application server through the gatekeeper server. Once the user has been initially authenticated by the authentication server, the user may request application services from a plurality of application servers within the networked computer system without having to be re-authenticated.

55 Citations

View as Search Results

22 Claims

1. A method of authenticating a user within a networked computer system, the method comprising:
- providing an authentication server for authenticating a user;
  
  providing a gatekeeper server;
  
  creating an authentication token comprising a user ID of the user by the authentication server upon user authentication to uniquely identify the user, the authentication token being independent of the user credentials presented by the user and verifiable without a need for the user to re-present the user credentials;
  
  providing an application server;
  
  providing a first encryption key, said first encryption key being shared by the authentication server and the application server but not with the gatekeeper server;
  
  encrypting the authentication token with the first encryption key, wherein the gatekeeper server is unable to access the encrypted authentication token created by the authentication server; and
  
  using the encrypted authentication token by the application server to verify that the user is a subscriber to the application server.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of authenticating a user of claim 1, further comprising:
    - providing a second encryption key, said second encryption key being an asymmetric key pair wherein the authentication server stores the private key of the asymmetric key pair; and
      
      digitally signing the authentication token by the authentication server with the private key of the asymmetric key pair before encrypting the authentication token with the first encryption key.
  - 3. The method of authenticating a user of claim 1, further comprising providing a third encryption key, said third encryption key is stored on the gatekeeper server.
  - 4. The method of authenticating a user of claim 3, wherein said third encryption key is a symmetric key.
  - 5. The method of authenticating a user of claim 3, further comprising providing a plurality of authentication servers, application servers and gatekeeper servers, wherein the first encryption key is shared among the authentication servers and application servers, the private key of the second encryption key is stored on the authentication servers and the third encryption key is shared among the gatekeeper servers.
  - 6. The method of authenticating a user of claim 1, wherein the combined token is less than or equal to 2 kilobytes.

7. An authentication system within a networked computer system, comprising:
- an application server;
  
  a gatekeeper server;
  
  an authentication server;
  
  a user having user credentials, anda first encryption key shared by the application server and authentication server, wherein the first encryption key is not shared with the gatekeeper server, and wherein an encrypted authentication token created by the authentication server using the first encryption key is independent of the user credentials presented by the user and verifiable without a need for the user to re-present the user credentials, the encrypted authentication token being used to verify by the application server that the user is a subscriber to the application server.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The authentication system of claim 7, further comprising a second encryption key, said second encryption key being an asymmetric key pair, wherein the authentication server stores the private key of the asymmetric key pair and the application server stores the public key of the asymmetric key pair.
  - 9. The authentication system of claim 7, wherein the first encryption key is a symmetric key.
  - 10. The authentication system of claim 7, further comprising a third encryption key stored by the gatekeeper server, wherein the third encryption key is not stored by the application server or the authentication server.
  - 11. The authentication system of claim 10, wherein the third encryption key is a symmetric key.
  - 12. The authentication system of claim 7, wherein the combined token is less than or equal to 2 kilobytes.

13. A computer-readable token having a plurality of data nodes stored therein and representing a data structure for verifying authentication of a user, comprising:
- a first data node comprising data identifying the data structure;
  
  a second data node comprising data indicating the time the data structure was created; and
  
  a third data node comprising unique data representing the user.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 14. The computer-readable token of claim 13, further comprising a fourth data node comprising data representing the relationship between the user and the requester.
  - 15. The computer-readable token of claim 13, wherein the third data node is derived from credentials presented by the user.
  - 16. The computer-readable token of claim 13, wherein the first data node comprises data derived from the second data node.
  - 17. The computer-readable token of claim 13, wherein the first data node comprises data derived from data identifying a server.
  - 18. The computer-readable token of claim 13, further comprising a second data structure for securing data stored within the first data structure.
  - 19. The computer-readable token of claim 13, wherein the second data structure comprises:
    - a fifth data node comprising the data of the first data node;
      
      a sixth data node comprising data indicating the time the second data structure was created; and
      
      a seventh data node comprising data indicating the time period for which the second data structure will be valid.
  - 20. The computer-readable token of claim 19, wherein a hash function is performed on the computer-readable token by a server.
  - 21. The computer-readable token of claim 19, wherein the computer-readable token is encrypted by a server.
  - 22. The computer-readable token of claim 13, wherein the computer-readable token is less than or equal to 2 kilobytes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Wells Fargo Bank NA (Wells Fargo & Company)
Original Assignee
Wells Fargo Bank NA (Wells Fargo & Company)
Inventors
Savage, Jonathan Francis, Howser, Christopher Wayne, Kelly, Edward R., Zheng, Yuliang

Application Number

US12/584,861
Publication Number

US 20100017859A1
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0428   wherein the data content is...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/126   the source of the received ...

Authentication system for networked computer applications

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

55 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication system for networked computer applications

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links