SIMPLE, SECURE LOGIN WITH MULTIPLE AUTHENTICATION PROVIDERS
Abstract
A secure distributed single-login authentication system comprises a client and a server. The client collects authentication credentials from a user and tests credentials at a variety of potential authentication servers to check where the login is valid. It combines a password with a time-varying salt and a service-specific seed in a message digesting hash, generating a first hash value. The client sends the hash value with a user name and the time-varying salt to a selected server. The server extracts the user name and looks up the user name in the server's database. If an entry is found, it retrieves the password, performing the same hash function on the combination of user name, service-specific seed, and password to generate a second hash value, comparing the values. If the values match, the user is authenticated. Thus, the system never reveals the password to authentication agents that might abuse the information.
13 Claims
1. An apparatus for distributed authentication comprising:
    at least one client programmed for performing a hash operation on a group of identification elements extracted via a client to generate a first hash value and sending said first hash value to a selected authentication server; and
    at least one authentication server communicatively coupled to said at least one client via a telecommunications network, said at least one authentication server being programmed for:
        performing a same hash operation on a same group of identification elements extracted via said at least one authentication server to generate a second hash value; and
        comparing said first hash value and said second hash value, and distributing a matching result of said two hash values which indicates a successful authentication to other affiliated authentication servers.
    (Dependent claims: 2, 3)

4. An apparatus for distributed authentication comprising:
    at least one client programmed for:
        taking and parsing an entered user name and password;
        combining said password and a service specific seed unique to an authentication server selected from said at least one authentication server;
        applying a hash algorithm to said combination to generate a first hash value;
        finding an address representing said selected authentication server;
        sending a data packet to said selected authentication server, said data packet comprising said user name and said first hash value; and
        iterating said at least one authentication server to find a correct authentication server; and
    at least one authentication server being communicatively coupled to said at least one client via a telecommunications network, said at least one authentication server being programmed for:
        extracting said user name and said first hash value from said data packet;
        checking and retrieving said user's password from said selected authentication server's database;
        combining said retrieved password and said service specific seed unique to said selected authentication server;
        applying said hash algorithm to said combination completed in said server portion to generate a second hash value;
        comparing said first hash value and said second hash value, wherein a matching result of said two hash values indicates a successful authentication; and
        caching and distributing said positive authentication result.

5. In a computerized network comprising at least one client and a plurality of authentication servers, said client and said authentication servers being communicatively coupled to each other via a global telecommunications network, a distributed authentication system comprising:
    a client; and
    a server;
    wherein said client comprises computer-readable code executing on a processing element for:
        taking and parsing an entered user name and password;
        means for generating a time stamp;
        combining said password and a service specific seed unique to an authentication server selected from a list of authentication servers;
        applying a hash algorithm to said combination and said time stamp to generate a first hash value;
        finding an address representing said selected authentication server;
        sending a data packet to said selected authentication server, said data packet comprising said user name, said time stamp, and said first hash value; and
        iterating said list of authentication servers to find a correct authentication server; and
    wherein said server comprises computer-readable code executing on a processing element for:
        extracting said user name, said time stamp, and said first hash value from said data packet;
        checking and retrieving said user's password from said selected authentication server's database;
        combining said time stamp, said retrieved password and said service specific seed unique to said selected authentication server;
        applying said hash algorithm to said combination completed in said server portion to generate a second hash value;
        comparing said first hash value and said second hash value, wherein a matching result of said two hash values indicates a successful authentication; and
        means for caching and distributing said positive authentication result.
    (Dependent claims: 6, 7, 8)

9. In a computerized network which is registered with a unique domain name, said network comprising at least one client and a plurality of authentication servers, said client and said authentication servers being communicatively coupled to each other via a global telecommunications network, each of said authentication servers having a fully qualified domain name (FQDN) which is a local host name with said unique domain name appended, a distributed authentication system for providing distributed authentication service, wherein a given user enters a global user identification (GUID) and a password for authentication to be carried out at a target authentication server, said GUID comprising a user name, a delimitation symbol, and a domain which is the same as said local host name of said target authentication server, said distributed authentication system comprising:
    a client; and
    a server;
    wherein said client comprises computer-readable code executing on said client on a processing element for:
        parsing an entered GUID and extracting said domain therefrom;
        appending said unique domain to said domain to form a fully qualified domain name (FQDN) for said target authentication server;
        translating said FQDN to an address representing said target authentication server;
        generating a time stamp;
        means for combining said password and a service specific seed unique to said target authentication server;
        applying a hash algorithm to said combination and said time stamp to generate a first hash value; and
        sending a data packet to said target authentication server, said data packet comprising said first hash value, said user name, and said time stamp; and
    wherein said server comprises computer-readable code executing on a processing element for:
        extracting said first hash value, said user name, and said time stamp from said data packet received from said client;
        checking and retrieving said user's password from said target authentication server's database;
        combining said time stamp, said retrieved password, and said service specific seed unique to said target authentication server;
        applying said hash algorithm to said combination completed in said server portion to generate a second hash value;
        comparing said first hash value and said second hash value, wherein a matching result of said two hash values indicates a successful authentication; and
        caching and distributing said positive authentication result.
    (Dependent claims: 10, 11, 12, 13)

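The exchange the abstract and claims 5 and 9 describe, as an added Python example that is not part of the patent or of any implementation of it: the client parses the GUID into user name and target FQDN, hashes password, server-specific seed and time stamp, and sends only user name, time stamp and first hash; the server retrieves the stored password, recomputes and compares the second hash, then caches and distributes a positive result to affiliated servers, and a client that picked the wrong server iterates the list as in claim 4. SHA-256 as the digest, the `|` join, the `example.com` domain, the sample users and the rejection of time stamps older than 60 seconds are assumptions of this example.

```python
import hashlib
import hmac

DOMAIN = "example.com"  # constructed: the network's registered domain name

def compute_hash(password: str, seed: str, timestamp: int) -> str:
    """Same message-digest hash on both sides over password, service-specific seed and time stamp."""
    return hashlib.sha256(f"{password}|{seed}|{timestamp}".encode()).hexdigest()

def parse_guid(guid: str) -> tuple:
    """Client: split GUID 'user@host' and append the domain to form the target server's FQDN."""
    user, host = guid.split("@", 1)
    return user, f"{host}.{DOMAIN}"

def build_packet(user: str, password: str, seed: str, now: int) -> dict:
    """Client: the packet carries user name, time stamp and first hash; the password never leaves."""
    return {"user": user, "ts": now, "hash": compute_hash(password, seed, now)}

class AuthServer:
    """One authentication server; `users` maps user name -> password retrievable from its database."""
    def __init__(self, host: str, seed: str, users: dict):
        self.fqdn = f"{host}.{DOMAIN}"   # local host name with the unique domain appended
        self.seed = seed                 # service-specific seed unique to this server
        self.users = users
        self.cache = {}                  # cached positive results: user -> time stamp

    def authenticate(self, packet: dict, now: int, affiliates: list, max_skew: int = 60) -> bool:
        user, ts, first_hash = packet["user"], packet["ts"], packet["hash"]
        if abs(now - ts) > max_skew:     # assumption: a stale time stamp is rejected (limits replay)
            return False
        password = self.users.get(user)  # check and retrieve the user's password
        if password is None:
            return False
        second_hash = compute_hash(password, self.seed, ts)
        if not hmac.compare_digest(first_hash, second_hash):
            return False
        for srv in [self] + affiliates:  # cache and distribute the matching result
            srv.cache[user] = ts
        return True

def login(guid: str, password: str, servers: list, now: int):
    """Client: try the GUID's target server first, then iterate the rest to find where the login is valid."""
    user, target = parse_guid(guid)
    for srv in sorted(servers, key=lambda s: s.fqdn != target):
        packet = build_packet(user, password, srv.seed, now)  # each server has its own seed
        if srv.authenticate(packet, now, [s for s in servers if s is not srv]):
            return srv.fqdn
    return None
```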
Specification