Method and system for authentication and single sign on using cryptographically assured cookies in a distributed computer environment
Abstract
Cryptographically assured data structures are created to enable a single sign on and/or authentication method for securely transferring user authentication information from a first computer to a second computer to allow the user to seamlessly interact with the second computer without necessarily re-authenticating himself thereto. Thus, if a second computer trusts the methods used by a first computer to authenticate a user, then the second computer can use a cryptographically assured cookie created by the first computer to authenticate the user, without requiring the user to perform an explicit authentication step at the second computer. More particularly, a cryptographically assured cookie is made by creating a cryptographically assured voucher of a user characteristic at the first computer, and embedding the voucher into a cookie for transmission to the user's computer and hence to the second computer.
38 Claims
1. A method for transferable authentication, by which a user accessing a first computer can be authenticated to a second computer remote from said first computer, without necessarily requiring the user to explicitly identify himself to said second computer, comprising the steps of:
a) at a user's computer, accessing said first computer;
b) authenticating said user to said first computer;
c) receiving from said first computer a cookie including said first computer's digital voucher of a user characteristic, said voucher being cryptographically assured by said first computer, said user characteristic being encrypted and incorporated into said digital voucher by said first computer using a session key confidential to said first computer and said second computer but unknown to said user, said session key being cryptographically assured using an asymmetric key of at least one of said first computer and said second computer;
d) transmitting said cryptographically assured session key to said second computer via said user's computer; and
e) sending at least a portion of said cookie, including said voucher, to said second computer configured to:
(1) authenticate said voucher without necessarily requiring said user to explicitly identify himself to said second computer;
(2) extract said user characteristic from said voucher; and
(3) perform an action based on said user characteristic.

2. A method for transferable authentication, by which a user accessing a first computer can be authenticated to a second computer remote from said first computer, without necessarily requiring the user to explicitly identify himself to said second computer, comprising the steps of:
a) at said first computer, receiving an access request from said user;
b) receiving authentication information from said user;
c) creating a cookie containing a user characteristic;
d) cryptographically assuring said cookie with a digital voucher of said user characteristic, said user characteristic being encrypted and incorporated into said digital voucher by said first computer using a session key confidential to said first computer and said second computer but unknown to said user, said session key being cryptographically assured using an asymmetric key of at least one of said first computer and said second computer;
e) transmitting said cryptographically assured session key to said second computer via said user's computer; and
f) sending said cookie to said user's computer to be at least partially forwarded to said second computer that can:
(1) authenticate said voucher;
(2) extract said user characteristic from said voucher; and
(3) perform an action based on said user characteristic.
Dependent claims 3 to 18 not shown.

19. A method for transferable authentication, by which a user accessing a first computer can be authenticated to a second computer remote from said first computer, without necessarily requiring the user to explicitly identify himself to said second computer, comprising the steps of:
a) at said second computer, receiving at least a portion of a cookie from a user wherein said cookie was:
(1) created by said first computer, (2) sent to the user, and (3) cryptographically assured with a digital voucher of a user characteristic created by said first computer, said user characteristic being encrypted and incorporated into said digital voucher by said first computer using a session key confidential to said first computer and said second computer but unknown to said user, said session key being cryptographically assured using an asymmetric key of at least one of said first computer and said second computer;
b) receiving said cryptographically assured session key from said first computer via said user;
c) authenticating said digital voucher created by said first computer;
d) extracting said user characteristic from said voucher; and
e) performing an action based on said user characteristic.
Dependent claims 20 to 35 not shown.

36. A method for transferable authentication, by which a user accessing a first computer can be authenticated to a second computer remote from said first computer, without necessarily requiring the user to explicitly identify himself to said second computer, comprising the steps of:
a) transmitting an access request from a user's computer to said first computer;
b) authenticating said user to said first computer;
c) creating a cookie containing a user characteristic at said first computer;
d) cryptographically assuring said cookie with a digital voucher of said user characteristic at said first computer, said user characteristic being encrypted and incorporated into said digital voucher by said first computer using a session key confidential to said first computer and said second computer but unknown to said user, said session key being cryptographically assured using an asymmetric key of at least one of said first computer and said second computer;
e) transmitting said cryptographically assured session key from said first computer to said second computer via said user's computer;
f) transmitting said cookie to said user's computer;
g) receiving from said first computer a cookie including said first computer's digital voucher of said user characteristic, said voucher being cryptographically assured by said first computer;
h) sending at least a portion of said cookie, including said voucher, to said second computer;
i) authenticating said digital voucher created by said first computer at said second computer;
j) extracting said user characteristic from said voucher at said second computer; and
k) performing an action based on said user characteristic.

37. A system for transferable authentication, by which a user accessing a first computer can be authenticated to a second computer remote from said first computer, without necessarily requiring the user to explicitly identify himself to said second computer, comprising:
a) means for transmitting an access request from a user's computer to a first computer;
b) means for authenticating said user to said first computer;
c) means for creating a cookie containing a user characteristic at said first computer;
d) means for cryptographically assuring said cookie with a digital voucher of said user characteristic at said first computer, said user characteristic being encrypted and incorporated into said digital voucher by said first computer using a session key confidential to said first computer and said second computer but unknown to said user, said session key being cryptographically assured using an asymmetric key of at least one of said first computer and said second computer;
e) means for transmitting said cryptographically assured session key from said first computer to said second computer via said user's computer;
f) means for transmitting said cookie to said user's computer;
g) means for receiving from said first computer a cookie including said first computer's digital voucher of said user characteristic, said voucher being cryptographically assured by said first computer;
h) means for sending at least a portion of said cookie, including said voucher, to said second computer;
i) means for authenticating said digital voucher created by said first computer at said second computer;
j) means for extracting said user characteristic from said voucher at said second computer; and
k) means for performing an action based on said user characteristic.

38. A data structure for transferable authentication, by which a user accessing a first computer can be authenticated to a second computer remote from said first computer, without necessarily requiring the user to explicitly identify himself to said second computer, comprising:
a) a digital voucher (1) containing a user characteristic available to said first computer; and
(2) cryptographically assured by said first computer;
b) said user characteristic being encrypted and incorporated into said digital voucher by said first computer using a session key confidential to said first computer and said second computer but unknown to said user, said session key being cryptographically assured using an asymmetric key of at least one of said first computer and said second computer, said session key being transmitted from said first computer to said second computer via said user's computer;
c) said digital voucher embedded in a cookie configured to be transmitted from said first computer to a user's computer and then at least partially forwarded to said second computer configured to:
(1) authenticate said voucher without requiring said user to explicitly identify himself to said second computer;
(2) extract said user characteristic from said voucher; and
(3) perform an action based on said user characteristic.

Specification