Single sign-on for a network system that includes multiple separately-controlled restricted access resources

US 6,629,246 B1
Filed: 04/28/1999
Issued: 09/30/2003
Est. Priority Date: 04/28/1999
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating users in a client-server system, the method comprising the steps of:

a client generating first server-specific authentication information for a first server based on master authentication information stored at said client and data associated with said first server;

said client supplying said first server-specific authentication information to said first server to access restricted resources controlled by said first server; and

wherein said first server-specific authentication information is different from said master authentication information.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system are provided for authenticating users in a client-server system in a way that allows a user to sign-on to numerous servers using a different password for each server, while still only having to remember a single master password. According to one aspect of the invention, a client generates a first set of server-specific authentication information for a first server based on master authentication information stored at the client and data associated with the first server. The client then supplies the first server-specific authentication information to the first server to access restricted resources controlled by the first server. The client generates a second set of second server-specific authentication information for a second server based on the same master authentication information. However, to generate the server-specific authentication information for the second server, the master resource information is combined with data associated with the second server. The client supplies the second server-specific authentication information to the second server to access restricted resources controlled by the second server. Both the first and the second server-specific authentication information are different from the master authentication information, and the first server-specific authentication information is different from the second server-specific authentication information. Thus, the administrators of the various servers do not have information that would allow them to access the user'"'"'s account at the other servers.

Citations

42 Claims

1. A method for authenticating users in a client-server system, the method comprising the steps of:
- a client generating first server-specific authentication information for a first server based on master authentication information stored at said client and data associated with said first server;
  
  said client supplying said first server-specific authentication information to said first server to access restricted resources controlled by said first server; and
  
  wherein said first server-specific authentication information is different from said master authentication information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1 further comprising the steps of:
3. The method of claim 2 further comprising the steps of:
- said client receiving a first request from said first server for said first server-specific authentication information;
  
  said client requesting a user to supply said master authentication information in response to said first request;
  
  said client storing said authentication information in response to receiving said master authentication information from said user;
  
  said client receiving a second request from said second server for said second server-specific authentication information; and
  
  said client performing the following steps without again requesting said user to supply said master authentication information;
  
  generating said second server-specific authentication information; and
  
  supplying said second server-specific authentication information to said second server.
4. The method of claim 2 further comprising the steps of:
- said client receiving a first client-side sign-on module from said first server;
  
  wherein said first client-side sign-on module performs the steps of;
  
  generating said first server-specific authentication information for said first server; and
  
  supplying said first server-specific authentication information to said first server;
  
  said client receiving a second client-side sign-on module from said second server;
  
  wherein said second client-side sign-on module performs the steps of;
  
  generating said second server-specific authentication information for said second server; and
  
  supplying said second server-specific authentication information to said second server.
5. The method of claim 4 further comprising the steps of:
- said first client-side sign-on module requesting master authentication information from a user;
  
  said first client-side sign-on module storing said master authentication information in memory on said client in response to receiving said master authentication information from said user.
6. The method of claim 5 further comprising the steps of:
- said second client-side sign-on module detecting said first client-side sign-on module in said client; and
  
  said second client-side sign-on module requesting said master authentication information from said first client-side sign-on module.
7. The method of claim 6 further comprising the steps of:
- the first client-side sign-on module responding to said second client-side sign-on module by determining whether a signature associated with said second client-side sign-on module indicates that said second client-side sign-on module is from a trusted source;
  
  if said signature associated with said second client-side sign-on module indicates that said second client-side sign-on module is from a trusted source, then said first client-side sign-on module supplying said second client-side sign-on module with said master authentication information.
8. The method of claim 1 further comprising the step of requesting a user to supply said master authentication information to said client in response to said first server requesting said first server-specific authentication information from said client.
9. The method of claim 1 further comprising the steps of:
- said client responding to a request from said first server for said first server-specific information by determining whether the client currently stores master authentication information;
  
  if said client determines that said client currently stores master authentication information, then said client performing the step of generating said first server-specific authentication information without requesting said master authentication information from a user; and
  
  if said client determines that said client does not currently store master authentication information, then said client requesting said user to provide said master authentication information, and storing said master authentication in response to receiving said master authentication information from said user.
10. The method of claim 1 further comprising the steps of:
- said client receiving a first client-side sign-on module from a server;
  
  wherein said first client-side sign-on module performs the steps of;
  
  generating said first server-specific authentication information for said first server; and
  
  supplying said first server-specific authentication information to said first server.
11. The method of claim 10 wherein the step of receiving said first client-side sign-on module is performed by receiving said first client-side sign-on module from said first server in response to said client requesting restricted resources from said first server.
12. The method of claim 10 wherein the step of receiving a first client-side sign-on module includes receiving an active content module, wherein the active content module includes one or more of a plug-in module, a JAVA applet, and an ActiveX component.
13. The method of claim 10 wherein the first client-side sign-on module performs the step of generating said first server-specific authentication information based on data associated with said first site after extracting said data associated with said first server from the CodeBase of said first client-side sign-on module.
14. The method of claim 1 wherein the step of said client storing master authentication information includes the step of said client storing one or more of a username, an IP address, and a master password.
15. The method of claim 1 wherein the step of generating said first server-specific authentication information includes generating said first server-specific authentication information based upon a secure one-way hash function.
16. The method of claim 1 wherein said data associated with said first server includes one or more of a URL, an IP address, a software vendor number, and unique server identifier.
17. The method of claim 1 wherein:
- said first server is a web server;
  
  the web server requests said first server-specific authentication information in response to a browser on the client transmitting over the World Wide Web a URL that identifies a restricted web page controlled by the web server; and
  
  the step of supplying said first server-specific authentication information is performed by transmitting the first server-specific authentication information to the web server.

18. A method for authenticating users in a client-server system, the method comprising the steps of:
- a server receiving a request for restricted resources from a client;
  
  said server transmitting to said client a client-side sign-on module which, when executed at said client, generates server-specific authentication information based on data associated with said server and master authentication information stored in said client; and
  
  said server receiving said server-specific authentication information from said client-side sign-on module as said client-side sign-on module executes on said client.
- View Dependent Claims (19, 20, 23)
- - 19. The method of claim 18 wherein the step of transmitting said client-side sign-on module includes transmitting a client-side module that has encoded in its CodeBase the data, associated with said server, that is used in combination with said master authentication information to generate said server-specific authentication information.
  - 20. The method of claim 18 wherein said sign-on module is configured to ask a user of said client for said master authentication information if no pre-existing sign-on module is detected on said client, and to ask said pre-existing sign-on module for said master authentication information if a pre-existing sign-on module is detected on said client.
  - 23. The computer-readable medium of claim 18 further comprising instructions for performing the step of requesting a user to supply said master authentication information to said client in response to said first server requesting said first server-specific authentication information from said client.

21. A computer-readable medium carrying one or more sequences of instructions for authenticating users in a client-server system, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- a client generating first server-specific authentication information for a first server based on master authentication information stored at said client and data associated with said first server;
  
  said client supplying said first server-specific authentication information to said first server to access restricted resources controlled by said first server; and
  
  wherein said first server-specific authentication information is different from said master authentication information.
- View Dependent Claims (22, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 22. The computer-readable medium of claim 21 further comprising instructions for performing the steps of:
24. The computer-readable medium of claim 21 further comprising instructions for performing the steps of:
- said client responding to a request from said first server for said first server-specific information by determining whether the client currently stores master authentication information;
  
  if said client determines that said client currently stores master authentication information, then said client performing the step of generating said first server-specific authentication information without requesting said master authentication information from a user; and
  
  if said client determines that said client does not currently store master authentication information, then said client requesting said user to provide said master authentication information, and storing said master authentication in response to receiving said master authentication information from said user.
25. The computer-readable medium of claim 24 further comprising instructions for performing the steps of:
- said client receiving a first client-side sign-on module from a server;
  
  wherein said first client-side sign-on module performs the steps of;
  
  generating said first server-specific authentication information for said first server; and
  
  supplying said first server-specific authentication information to said first server.
26. The computer-readable medium of claim 25 wherein the step of receiving said first client-side sign-on module is performed by receiving said first client-side sign-on module from said first server in response to said client requesting restricted resources from said first server.
27. The computer-readable medium of claim 24 wherein the step of said client storing master authentication information includes the step of said client storing one or more of a username, an IP address, and a master password.
28. The computer-readable medium of claim 27 further comprising instructions for performing the steps of:
- said first client-side sign-on module requesting master authentication information from a user;
  
  said first client-side sign-on module storing said master authentication information in memory on said client in response to receiving said master authentication information from said user.
29. The computer-readable medium of claim 28 wherein the step of receiving a first client-side sign-on module includes receiving an active content module, wherein the active content module includes one or more of a plug-in module, a JAVA applet, and an ActiveX component.
30. The computer-readable medium of claim 29 further comprising instructions for performing the steps of:
- the first client-side sign-on module responding to said second client-side sign-on module by determining whether a signature associated with said second client-side sign-on module indicates that said second client-side sign-on module is from a trusted source;
  
  if said signature associated with said second client-side sign-on module indicates that said second client-side sign-on module is from a trusted source, then said first client-side sign-on module supplying said second client-side sign-on module with said master authentication information.
31. The computer-readable medium of claim 28 wherein the first client-side sign-on module performs the step of generating said first server-specific authentication information based on data associated with said first site after extracting said data associated with said first server from the CodeBase of said first client-side sign-on module.
32. The computer-readable medium of claim 24 wherein the step of generating said first server-specific authentication information includes generating said first server-specific authentication information based upon a secure one-way hash function.
33. The computer-readable medium of claim 32 further comprising instructions for performing the steps of:
- said second client-side sign-on module detecting said first client-side sign-on module in said client; and
  
  said second client-side sign-on module requesting said master authentication information from said first client-side sign-on module.
34. The computer-readable medium of claim 24 wherein said data associated with said first server includes one or more of a URL, an IP address, a software vendor number, and unique server identifier.
35. The computer-readable medium of claim 24 wherein:
- said first server is a web server;
  
  the web server requests said first server-specific authentication information in response to a browser on the client transmitting over the World Wide Web a URL that identifies a restricted web page controlled by the web server; and
  
  the step of supplying said first server-specific authentication information is performed by transmitting the first server-specific authentication information to the web server.
36. The computer-readable medium of claim 21 further comprising instructions for performing the steps of:
- said client receiving a first request from said first server for said first server-specific authentication information;
  
  said client requesting a user to supply said master authentication information in response to said first request;
  
  said client storing said authentication information in response to receiving said master authentication information from said user;
  
  said client receiving a second request from said second server for said second server-specific authentication information; and
  
  said client performing the following steps without again requesting said user to supply said master authentication information;
  
  generating said second server-specific authentication information; and
  
  supplying said second server-specific authentication information to said second server.
37. The computer-readable medium of claim 36 further comprising instructions for performing the steps of:
- said client receiving a first client-side sign-on module from said first server;
  
  wherein said first client-side sign-on module performs the steps of;
  
  generating said first server-specific authentication information for said first server; and
  
  supplying said first server-specific authentication information to said first server;
  
  said client receiving a second client-side sign-on module from said second server;
  
  wherein said second client-side sign-on module performs the steps of;
  
  generating said second server-specific authentication information for said second server; and
  
  supplying said second server-specific authentication information to said second server.
38. The client-server system of claim 37 wherein said particular server is said first server.

39. A computer-readable medium carrying one or more sequences of instructions for authenticating users in a client-server system, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- a server transmitting to a client a client-side sign-on module which, when executed at said client, generates server-specific authentication information based on data associated with said server and master authentication information stored in said client; and
  
  said server receiving said server-specific authentication information from said client-side sign-on module as said client-side sign-on module executes on said client.
- View Dependent Claims (40, 41)
- - 40. The computer-readable medium of claim 39 wherein the step of transmitting said client-side sign-on module includes transmitting a client-side module that has encoded in its CodeBase the data, associated with said server, that is used in combination with said master authentication information to generate said server-specific authentication information.
  - 41. The computer-readable medium of claim 39 wherein said sign-on module is configured to ask a user of said client for said master authentication information if no pre-existing sign-on module is detected on said client, and to ask said pre-existing sign-on module for said master authentication information if a pre-existing sign-on module is detected on said client.

42. A client-server system comprising:
- a client;
  
  a plurality of servers;
  
  a network operatively connecting said client to said plurality of servers to allow communication between said client and said plurality of servers;
  
  said plurality of servers including at least a first server configured to respond to a resource request issued by said client by sending to said client a sign-on module;
  
  wherein said sign-on module is configured to perform the following steps while executing on said client;
  
  retrieving master authentication information stored in said client, combining said master authentication information with server-specific data;
  
  generating server-specific authentication information based on said master authentication information and the server-specific data; and
  
  transmitting said server-specific authentication information to a particular server of said plurality of servers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Gadi, Guy
Primary Examiner(s)
WRIGHT, NORMAN M

Application Number

US09/301,642
Time in Patent Office

1,616 Days
Field of Search

713/202, 713/201
US Class Current

726/8
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

H04L 63/083 using passwords cryptograph...

Single sign-on for a network system that includes multiple separately-controlled restricted access resources

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Single sign-on for a network system that includes multiple separately-controlled restricted access resources

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links