Method and system for authentication and single sign on using cryptographically assured cookies in a distributed computer environment

US 6,421,768 B1
Filed: 05/04/1999
Issued: 07/16/2002
Est. Priority Date: 05/04/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method for transferable authentication, by which a user accessing a first computer can be authenticated to a second computer remote from said first computer, without necessarily requiring the user to explicitly identify himself to said second computer, comprising the steps of:

a) at a user'"'"'s computer, accessing said first computer;

b) authenticating said user to said first computer;

c) receiving from said first computer a cookie including said first computer'"'"'s digital voucher of a user characteristic, said voucher being cryptographically assured by said first computer, said user characteristic being encrypted and incorporated into said digital voucher by said first computer using a session key confidential to said first computer and said second computer but unknown to said user, said session key being cryptographically assured using an asymmetric key of at least one of said first computer and said second computer;

d) transmitting said cryptographically assured session key to said second computer via said user'"'"'s computer; and

e) sending at least a portion of said cookie, including said voucher, to said second computer configured to;

(1) authenticate said voucher without necessarily requiring said user to explicitly identify himself to said second computer;

(2) extract said user characteristic from said voucher; and

(3) perform an action based on said user characteristic.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Cryptographically assured data structures are created to enable a single sign on and/or authentication method for securely transferring user authentication information from a first computer to a second computer to allow the user to seamlessly interact with the second computer without necessarily re-authenticating himself thereto. Thus, if a second computer trusts the methods used by a first computer to authenticate a user, then the second computer can use a cryptographically assured cookie created by the first computer to authenticate the user, without requiring the user to perform an explicit authentication step at the second computer. More particularly, a cryptographically assured cookie is made by creating a cryptographically assured voucher of a user characteristic at the first computer, and embedding the voucher into a cookie for transmission to the user'"'"'s computer and hence to the second computer.

292 Citations

38 Claims

1. A method for transferable authentication, by which a user accessing a first computer can be authenticated to a second computer remote from said first computer, without necessarily requiring the user to explicitly identify himself to said second computer, comprising the steps of:
- a) at a user'"'"'s computer, accessing said first computer;
  
  b) authenticating said user to said first computer;
  
  c) receiving from said first computer a cookie including said first computer'"'"'s digital voucher of a user characteristic, said voucher being cryptographically assured by said first computer, said user characteristic being encrypted and incorporated into said digital voucher by said first computer using a session key confidential to said first computer and said second computer but unknown to said user, said session key being cryptographically assured using an asymmetric key of at least one of said first computer and said second computer;
  
  d) transmitting said cryptographically assured session key to said second computer via said user'"'"'s computer; and
  
  e) sending at least a portion of said cookie, including said voucher, to said second computer configured to;
  
  (1) authenticate said voucher without necessarily requiring said user to explicitly identify himself to said second computer;
  
  (2) extract said user characteristic from said voucher; and
  
  (3) perform an action based on said user characteristic.

2. A method for transferable authentication, by which a user accessing a first computer can be authenticated to a second computer remote from said first computer, without necessarily requiring the user to explicitly identify himself to said second computer, comprising the steps of:
- a) at said first computer, receiving an access request from said user;
  
  b) receiving authentication information from said user;
  
  c) creating a cookie containing a user characteristic;
  
  d) cryptographically assuring said cookie with a digital voucher of said user characteristic, said user characteristic being encrypted and incorporated into said digital voucher by said first computer using a session key confidential to said first computer and said second computer but unknown to said user, said session key being cryptographically assured using an asymmetric key of at least one of said first computer and said second computer;
  
  e) transmitting said cryptographically assured session key to said second computer via said user'"'"'s computer; and
  
  f) sending said cookie to said user'"'"'s computer to be at least partially forwarded to said second computer that can;
  
  (1) authenticate said voucher;
  
  (2) extract said user characteristic from said voucher; and
  
  (3) perform an action based on said user characteristic.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 3. The method of claim 2, wherein said first computer and said second computer are not collocated.
  - 4. The method of claim 3, wherein said first computer and said second computer have different owners.
  - 5. The method of claim 3, wherein said first computer and said second computer share a common domain.
  - 6. The method of claim 3, wherein said voucher includes an expiration time.
  - 7. The method of claim 3, wherein said voucher includes an instruction to send said user to another computer after communication with said second computer.
  - 8. The method of claim 3, wherein said voucher includes an instruction to return said user to said first computer after communication with said second computer.
  - 9. The method of claim 3, wherein said first computer and said second computer have synchronized timeouts.
  - 10. The method of claim 3, wherein said user characteristic comprises the user'"'"'s network identity.
  - 11. The method of claim 3, wherein said user characteristic comprises the user'"'"'s session preferences.
  - 12. The method of claim 3, wherein said user computer includes a web browser.
  - 13. The method of claim 3, wherein at least one of said first and second computers is a web site.
  - 14. The method of claim 13, wherein said first computer is a web site of a content service provider.
  - 15. The method of claim 13, wherein said second computer is a web site for electronic bill presentment and payment.
  - 16. The method of claim 3, wherein said cryptographic assurance includes RSA cryptography.
  - 17. The method of claim 3, wherein said cryptographic assurance includes encryption of said user characteristic under a symmetric key shared between said first computer and said second computer.
  - 18. The method of claim 17, further comprising exchanging between said first computer and said second computer via a cookie on said user'"'"'s computer a cryptographic assurance of said symmetric key under an asymmetric key of at least one of said first computer or said second computer.

19. A method for transferable authentication, by which a user accessing a first computer can be authenticated to a second computer remote from said first computer, without necessarily requiring the user to explicitly identify himself to said second computer, comprising the steps of:
- a) at said second computer, receiving at least a portion of a cookie from a user wherein said cookie was;
  
  (1) created by said first computer, (2) sent to the user, and (3) cryptographically assured with a digital voucher of a user characteristic created by said first computer, said user characteristic being encrypted and incorporated into said digital voucher by said first computer using a session key confidential to said first computer and said second computer but unknown to said user, said session key being cryptographically assured using an asymmetric key of at least one of said first computer and said second computer;
  
  b) receiving said cryptographically assured session key from said first computer via said user;
  
  c) authenticating said digital voucher created by said first computer;
  
  d) extracting said user characteristic from said voucher; and
  
  e) performing an action based on said user characteristic.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 20. The method of claim 19, wherein said first computer and said second computer are not collocated.
  - 21. The method of claim 19, wherein said first computer and said second computer have different owners.
  - 22. The method of claim 19, wherein said first computer and said second computer share a common domain.
  - 23. The method of claim 19, wherein said voucher includes an expiration time.
  - 24. The method of claim 19, wherein said voucher includes an instruction to send said user to another computer after communication with said second computer.
  - 25. The method of claim 19, wherein said voucher includes an instruction to return said user to said first computer after communication with said second computer.
  - 26. The method of claim 19, wherein said first computer and said second computer have synchronized timeouts.
  - 27. The method of claim 19, wherein said user characteristic comprises the user'"'"'s network identity.
  - 28. The method of claim 19, wherein said user characteristic comprises the user'"'"'s session preferences.
  - 29. The method of claim 19, wherein said user computer includes a web browser.
  - 30. The method of claim 19, wherein at least one of said first and second computers is a web site.
  - 31. The method of claim 30 wherein said first computer is a web site of a content service provider.
  - 32. The method of claim 30, wherein said second computer is a web site for electronic bill presentment and payment.
  - 33. The method of claim 19, wherein said cryptographic assurance includes RSA cryptography.
  - 34. The method of claim 19, wherein said cryptographic assurance includes encryption of said user characteristic under a symmetric key shared between said first computer and said second computer.
  - 35. The method of claim 34, further comprising exchanging between said first computer and said second computer via a cookie on said user'"'"'s computer a cryptographic assurance of said symmetric key under an asymmetric key of at least one of said first computer or said second computer.

36. A method for transferable authentication, by which a user accessing a first computer can be authenticated to a second computer remote from said first computer, without necessarily requiring the user to explicitly identify himself to said second computer, comprising the steps of:
- a) transmitting an access request from a user'"'"'s computer to said first computer;
  
  b) authenticating said user to said first computer;
  
  c) creating a cookie containing a user characteristic at said first computer;
  
  d) cryptographically assuring said cookie with a digital voucher of said user characteristic at said first computer, said user characteristic being encrypted and incorporated into said digital voucher by said first computer using a session key confidential to said first computer and said second computer but unknown to said user, said session key being cryptographically assured using an asymmetric key of at least one of said first computer and said second computer;
  
  e) transmitting said cryptographically assured session key from said first computer to said second computer via said user'"'"'s computer;
  
  f) transmitting said cookie to said user'"'"'s computer;
  
  g) receiving from said first computer a cookie including said first computer'"'"'s digital voucher of said user characteristic, said voucher being cryptographically assured by said first computer;
  
  h) sending at least a portion of said cookie, including said voucher, to said second computer, i) authenticating said digital voucher created by said first computer at said second computer;
  
  j) extracting said user characteristic from said voucher at said second computer; and
  
  k) performing an action based on said user characteristic.

37. A system for transferable authentication, by which a user accessing a first computer can be authenticated to a second computer remote from said first computer, without necessarily requiring the user to explicitly identify himself to said second computer, comprising:
- a) means for transmitting an access request from a user'"'"'s computer to a first computer;
  
  b) means for authenticating said user to said first computer;
  
  c) means for creating a cookie containing a user characteristic at said first computer;
  
  d) means for cryptographically assuring said cookie with a digital voucher of said user characteristic at said first computer, said user characteristic being encrypted and incorporated into said digital voucher by said first computer using a session key confidential to said first computer and said second computer but unknown to said user, said session key being cryptographically assured using an asymmetric key of at least one of said first computer and said second computer;
  
  e) means for transmitting said cryptographically assured session key from said first computer to said second computer via said user'"'"'s computer;
  
  f) means for transmitting said cookie to said user'"'"'s computer;
  
  g) means for receiving from said first computer a cookie including said first computer'"'"'s digital voucher of said user characteristic, said voucher being cryptographically assured by said first computer;
  
  h) means for sending at least a portion of said cookie, including said voucher, to said second computer;
  
  i) means for authenticating said digital voucher created by said first computer at said second computer;
  
  j) means for extracting said user characteristic from said voucher at said second computer; and
  
  k) means for performing an action based on said user characteristic.

38. A data structure for transferable authentication, by which a user accessing a first computer can be authenticated to a second computer remote from said first computer, without necessarily requiring the user to explicitly identify himself to said second computer, comprising:
- a) a digital voucher (1) containing a user characteristic available to said first computer; and
  
  (2) cryptographically assured by said first computer;
  
  b) said user characteristic being encrypted and incorporated into said digital voucher by said first computer using a session key confidential to said first computer and said second computer but unknown to said user, said session key being cryptographically assured using an asymmetric key of at least one of said first computer and said second computers, said session key being transmitted from said first computer to said second computer via said user'"'"'s computer;
  
  c) said digital voucher embedded in a cookie configured to be transmitted from said first computer to a user'"'"'s computer and then at least partially forwarded to said second computer configured to;
  
  (1) authenticate said voucher without requiring said user to explicitly identify himself to said second computer;
  
  (2) extract said user characteristic from said voucher; and
  
  (3) perform an action based on said user characteristic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Reliance Data LP
Original Assignee
First Data Corporation (Fiserv Incorporated)
Inventors
Purpura, Stephen J.
Primary Examiner(s)
Hudspeth, David
Assistant Examiner(s)
TZENG, FRED

Application Number

US09/305,423
Time in Patent Office

1,169 Days
Field of Search

711/164, 711/100, 711/156, 713/177, 713/202, 713/201, 713/171, 713/175, 713/180, 705/200
US Class Current

711/164
CPC Class Codes

G06F 21/41 where a single sign-on prov...

H04L 63/0815 providing single-sign-on or...

Method and system for authentication and single sign on using cryptographically assured cookies in a distributed computer environment

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

292 Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for authentication and single sign on using cryptographically assured cookies in a distributed computer environment

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

292 Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links