SYSTEM AND METHOD FOR PROVIDING ACCESS CREDENTIALS

US 20120284786A1
Filed: 05/05/2011
Published: 11/08/2012
Est. Priority Date: 05/05/2011
Status: Active Grant

First Claim

Patent Images

1. A method of providing access credentials associated with a user of a service to a server hosting the service, the method comprising:

establishing a first data connection with a terminal associated with the user on the basis of authentication credentials held for the user of the terminal;

in response to establishing said first data connection, establishing a second data connection with the server, and bridging the first and second data connections in order to establish a first communications session between the terminal and the server, said first communications session using a first communications protocol;

establishing a second communications session with the server, said second communications session using a second communications protocol, and receiving from the server via the second communications session a request for access credentials associated with the user, said request comprising information received by said server in said first communications session, andidentifying said access credentials on the basis of said information, and transmitting said access credentials to the server via the second communications session.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention are concerned with providing access credentials associated with a user of a service to a server hosting the service, e.g. enabling single sign on by the user to a number of servers.

The embodiments include functionality for establishing a first data connection with a terminal associated with the user and a second data connection with the server, and bridging the first and second data connections in order to establish a first communications session, using a first communications protocol, between the terminal and the server. A second communications session, using a second communications protocol, is also established with the server, via which a request for access credentials associated with the user is received. This request includes information received by the server in the first communications session, which is used to identify access credentials of the user that are transmitted to the server via the second communications session.

Citations

18 Claims

1. A method of providing access credentials associated with a user of a service to a server hosting the service, the method comprising:
- establishing a first data connection with a terminal associated with the user on the basis of authentication credentials held for the user of the terminal;
  
  in response to establishing said first data connection, establishing a second data connection with the server, and bridging the first and second data connections in order to establish a first communications session between the terminal and the server, said first communications session using a first communications protocol;
  
  establishing a second communications session with the server, said second communications session using a second communications protocol, and receiving from the server via the second communications session a request for access credentials associated with the user, said request comprising information received by said server in said first communications session, andidentifying said access credentials on the basis of said information, and transmitting said access credentials to the server via the second communications session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A method according to claim 1, in which the information in said request for access credentials includes authentication credentials associated with the user, wherein received authentication credentials are received by the server from the terminal in the first communications session, the method comprising:
    - verifying said received authentication credentials using authentication credentials held for the user of the terminal, and, dependent upon the verification, identifying said access credentials.
  - 3. A method according to claim 2, in which said received authentication credentials include a message authentication code generated using said authentication credentials held for the user of the terminal, and wherein the information in said request for access credentials includes a user identifier, the method comprising:
    - using said authentication credentials held for the user of the terminal to verify the message authentication code in said received authentication credentials, andin response to the verification of said message authentication code, identifying access credentials associated with said user identifier.
  - 4. A method according to claim 1, in which the information in said request for access credentials includes a data connection identifier identifying one of said first and second data connections, the method comprising:
    - storing an association between the first and second data connections, andin response to receiving said data connection identifier in said request for access credentials, retrieving said stored association in order to determine the authentication credentials used to establish said first data connection, and identifying said access credentials on the basis of said authentication credentials.
  - 5. A method according to claim 4, in which said first data connection is established between said terminal and a proxy server, wherein said second data connection is established between said proxy server and said server, and wherein said data connection identifier identifies a communications port of said proxy server used to establish said second data connection.
  - 6. A method according to claim 1, in which said authentication credentials held for the user of the terminal comprise one or more secret keys held for the user and transmitted prior to the establishment of the first data connection as part of an authentication provisioning process, the authentication provisioning process comprising:
    - generating one or more secret keys to be shared with said terminal;
      
      associating said one or more secret keys with access credentials associated with the user, andstoring said one or more secret keys, and transmitting said one or more secret keys to the terminal, whereby to share authentication credentials with the terminal.
  - 7. A method according to claim 1, the method comprising:
    - receiving a request to establish said first data connection, said request including verification information based on authentication credentials held for the user of the terminal, andin response to receiving said request to establish said first data connection, verifying said verification information using said authentication credentials held for the user of the terminal, and establishing the first data connection with the terminal on the basis of said verification.
  - 8. A method according to claim 1, further comprising establishing a plurality of said first communications sessions and second communications sessions, each being associated with the terminal and a respective service hosted by a said server and each service requiring access credentials to enable the terminal to access a given said service, the method comprising identifying respective access credentials on the basis of respective information received by a given server from the terminal via a given first communications session.
  - 9. A method according to claim 1, in which said first data connection is established between said terminal and a proxy server separated by a firewall, wherein said second data connection is established between said proxy server and said server and wherein said first data connection is established via one or more relay servers enabling the establishment of the first connection via said firewall.
  - 10. A method according to claim 1, in which encrypted authentication credentials to be used in establishing said first data connection are stored at the terminal, wherein said encrypted authentication credentials are encrypted using a user password, and wherein said user password is changed at a plurality of terminals associated with the user of said terminal as part of a password change process executed by the server, said password change process comprising:
    - receiving a hash of a new password entered at the terminal;
      
      identifying a plurality of other terminals associated with the user of said terminal;
      
      transmitting a hash of said new password to said plurality of other terminals, andwherein each said plurality of other terminals uses said hash of the new password to encrypt authentication credentials to be used in establishing a respective first data connection.
  - 11. A method according to claim 10, wherein the password change process further comprises requesting data identifying at least some of said plurality of other terminals from an entity bridging said first and second data connections.

12. A system comprising:
- at least one processor; and
  
  at least one memory including computer program code, wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the system at least to perform;
  
  establishing a first data connection with a terminal associated with the user on the basis of authentication credentials held for the user of the terminal;
  
  in response to establishing said first data connection, establishing a second data connection with the server, and bridging the first and second data connections in order to establish a first communications session between the terminal and the server, said first communications session using a first communications protocol;
  
  establishing a second communications session with the server, said second communications session using a second communications protocol, and receiving from the server via the second communications session a request for access credentials associated with the user, said request comprising information received by said server in said first communications session, andidentifying said access credentials on the basis of said information, and transmitting said access credentials to the server via the second communications session.
- View Dependent Claims (13, 14, 15, 16)
- - 13. A system according to claim 12, wherein the information in said request for access credentials includes authentication credentials associated with the user and wherein received authentication credentials are received by the server from the terminal in the first communications session, and wherein the at least one memory and the computer program code are configured to, with the at least one processor, further cause the system to perform:
    - verifying said received authentication credentials using authentication credentials held for the user of the terminal, and, dependent upon the verification, identifying said access credentials.
  - 14. A system according to claim 13, wherein said received authentication credentials include a message authentication code generated using said authentication credentials held for the user of the terminal, and wherein the information in said request for access credentials includes a user identifier, and wherein the at least one memory and the computer program code are configured to, with the at least one processor, further cause the system to perform:
    - using said authentication credentials held for the user of the terminal to verify the message authentication code in said received authentication credentials, andin response to the verification of said message authentication code, identifying access credentials associated with said user identifier.
  - 15. A system according to claim 12 configured to access storage, and wherein the information in said request for access credentials includes a data connection identifier identifying one of said first and second data connections, and wherein the at least one memory and the computer program code are configured to, with the at least one processor, further cause the system to perform:
    - storing in said storage an association between the first and second data connections, andin response to receiving said data connection identifier in said request for access credentials, retrieving from said storage said stored association in order to determine the authentication credentials used to establish said first data connection, and identifying said access credentials on the basis of said authentication credentials.
  - 16. A method according to claim 15, wherein said first data connection is established between said terminal and a proxy server, wherein said second data connection is established between said proxy server and said server, and wherein said data connection identifier identifies a communications port of said proxy server used to establish said second data connection.

17. A proxy server for providing access credentials associated with a user of a service to a server hosting the service, the proxy server comprising a processing system and a communications interface, wherein the processing system is arranged to:
- establish a first data connection via the communications interface with a terminal associated with the user on the basis of authentication credentials held for the user of the terminal;
  
  in response to establishing said first data connection, establish with the server a second data connection via the communications interface, and bridge the first and second data connections in order to establish a first communications session between the terminal and the server, said first communications session using a first communications protocol;
  
  establish a second communications session with the server via the communications interface, said second communications session using a second communications protocol, and receive from the server via the second communications session a request for access credentials associated with the user, said request comprising information received by said server in said first communications session, andidentify said access credentials on the basis of said information, and transmit said access credentials to the server via the second communications session.

18. A computer program product comprising a non-transitory computer-readable storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by a computerized device to cause the computerized device to perform a method of providing access credentials associated with a user of a service to a server hosting the service, the method comprising:
- establishing a first data connection with a terminal associated with the user on the basis of authentication credentials held for the user of the terminal;
  
  in response to establishing said first data connection, establishing a second data connection with the server, and bridging the first and second data connections in order to establish a first communications session between the terminal and the server, said first communications session using a first communications protocol;
  
  establishing a second communications session with the server, said second communications session using a second communications protocol, and receiving from the server via the second communications session a request for access credentials associated with the user, said request comprising information received by said server in said first communications session, andidentifying said access credentials on the basis of said information, and transmitting said access credentials to the server via the second communications session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Visto Corporation (Blackberry Limited)
Inventors
Somani, Haniff, Quinlan, Sean Michael

Granted Patent

US 9,130,935 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/7
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/0281   Proxies

H04L 63/0815   providing single-sign-on or...

H04L 63/0884   by delegation of authentica...

SYSTEM AND METHOD FOR PROVIDING ACCESS CREDENTIALS

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR PROVIDING ACCESS CREDENTIALS

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links