Method and apparatus for presenting anonymous group names
3 Assignments
0 Petitions
Abstract
A method and system for granting an applicant associated with a client computer in a client-server system access to a requested service without providing the applicant with intelligible information regarding group membership. The applicant transmits a request for service to an application server over a computer network. In response, the application server prepares an encrypted message which includes the identification of the group or groups having access privileges and transmits the encrypted message to the client along with a request that the client prove membership in at least one of the groups. The message is encrypted with an encryption key which can be decrypted by a group membership server.
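The exchange described in the abstract, worked through as an added example (this is illustration code, not the patent's or any assignee's implementation). Three parties take part: the application server, which knows which group may obtain a service; the group membership server, which knows who belongs to each group; and the client, which only relays opaque blobs between them and never sees a group name. The application server and the group membership server share one symmetric key, as in the dependent claims that allow a shared key, and an HMAC stands in for the membership server's digital signature on the certificate. The encrypt-then-MAC routine built from HMAC-SHA256 is a standard-library stand-in for a real authenticated cipher; the key material, host name, service policy and membership directory are all constructed for the example.

```python
# Added illustration of the three-party anonymous group-name exchange; not the patent's code.
import hashlib
import hmac
import json
import secrets

SERVICE_POLICY = {"print-report": "finance-managers"}   # constructed: service -> authorized group
GROUP_DIRECTORY = {"finance-managers": {"alice"}}        # constructed: membership table held by the GMS

def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys derived from the one shared secret."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD cipher."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC: only holders of `key` can read, or undetectably alter, `obj`."""
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag before decrypting; raises ValueError if the blob was modified."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))

def _sign(key: bytes, cert: dict) -> str:
    """HMAC over the canonical certificate body (stand-in for the GMS digital signature)."""
    return hmac.new(key, json.dumps(cert, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class GroupMembershipServer:
    def __init__(self, shared_key: bytes, sign_key: bytes):
        self.shared_key, self.sign_key = shared_key, sign_key

    def prove_membership(self, applicant: str, challenge: bytes):
        """GMS side of the exchange; `applicant` is assumed already authenticated to the GMS."""
        inner = unseal(self.shared_key, challenge)            # recover the extended group identifier
        if applicant not in GROUP_DIRECTORY.get(inner["group"], set()):
            return None                                        # no assertion is issued for non-members
        cert = {"applicant": applicant, "member": True, "ext": inner["ext"]}  # echoes the extension value
        cert["sig"] = _sign(self.sign_key, cert)
        return seal(self.shared_key, cert)                     # readable by the application server only

class ApplicationServer:
    def __init__(self, shared_key: bytes, sign_key: bytes, gms_address: str):
        self.shared_key, self.sign_key, self.gms_address = shared_key, sign_key, gms_address
        self.pending = {}                                      # ext -> (applicant, service)
        self.served = []                                       # services actually performed

    def request_service(self, applicant: str, service: str) -> dict:
        """First application-server step: encrypted group id plus the address of the GMS."""
        ext = secrets.token_hex(16)                            # random extension value (fresh per request)
        self.pending[ext] = (applicant, service)
        blob = seal(self.shared_key, {"group": SERVICE_POLICY[service], "ext": ext})
        return {"challenge": blob, "gms": self.gms_address}

    def present_proof(self, applicant: str, response: bytes) -> bool:
        """Final step: accept only a fresh, authentic assertion issued for this applicant."""
        try:
            cert = unseal(self.shared_key, response)
        except ValueError:
            return False                                       # altered in transit
        sig = cert.pop("sig", "")
        if not hmac.compare_digest(sig, _sign(self.sign_key, cert)) or not cert.get("member"):
            return False
        record = self.pending.pop(cert.get("ext"), None)       # single use: a replayed proof finds nothing
        if record is None or record[0] != applicant or cert["applicant"] != applicant:
            return False
        self.served.append((applicant, record[1]))             # "performing said requested service"
        return True

def run_protocol(applicant: str, service: str, tamper: bool = False) -> dict:
    """Drive the exchange from the client's side and return what the client saw."""
    k_shared, k_sign = secrets.token_bytes(32), secrets.token_bytes(32)   # constructed keys
    app = ApplicationServer(k_shared, k_sign, "gms.example.test")         # constructed GMS address
    gms = GroupMembershipServer(k_shared, k_sign)
    challenge = app.request_service(applicant, service)                   # 1. client -> application server
    proof = gms.prove_membership(applicant, challenge["challenge"])       # 2. client relays blob to the GMS
    if proof is not None and tamper:
        proof = proof[:-1] + bytes([proof[-1] ^ 1])                       # client flips one bit of the tag
    granted = proof is not None and app.present_proof(applicant, proof)   # 3. client relays proof back
    return {"granted": granted, "blob": challenge["challenge"], "proof": proof, "app": app}
```

Two checks in `present_proof` carry the security argument: the tag and the inner HMAC reject anything the client altered, and the extension value echoed in the certificate is popped from `pending` on first use, so a proof cannot be replayed for a later request or presented by a different applicant. The client sees only `blob` and `proof`, neither of which contains the group name in clear. The public-key variants in the dependent claims (membership server public key for the challenge, application server public key for the response) are not shown here.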
102 Citations
54 Claims
1. A method for providing access to a resource in a network, said network including a client, an application server, and a group membership server, said method comprising:
at said application server;
receiving a request for service from an applicant associated with said client;
in response to receiving said request for service, generating a first message portion that includes an identification of a group authorized to perform said service;
encrypting said first message portion to form an encrypted first message portion that permits decryption by said group membership server, but not by said client; and
transmitting said encrypted first message portion over said network for delivery to said client;
at said group membership server;
receiving said encrypted first message portion from said client;
decrypting said encrypted first message portion;
if said applicant is a member of said group identified by the first message portion thereby decrypted, generating a response message portion containing an indication that said applicant is a member of said group;
transmitting said response message portion over said network for delivery to said client; and
at said application server;
in response to receiving said response message portion from said client, performing said requested service.
2.
generating a first extension value;
combining said first extension value with said group identification to form an extended group identifier; and
encrypting said extended group identifier to form said encrypted first message portion.
3. The method of claim 2 wherein generating a first extension value comprises generating a random number.
4. The method of claim 2 wherein generating a first extension value comprises generating a pseudo random number.
5. The method of claim 2 wherein generating a first extension value comprises generating a number within a sequence of numbers.
6. The method of claim 2 wherein generating a first extension value comprises generating a date and time stamp.
7. The method of claim 1 wherein encrypting said first message portion comprises encrypting said first message portion with an encryption key which permits decryption of said first message portion only by said group membership server.
8. The method of claim 7 wherein said encryption key comprises a symmetric key shared by said application server and said group membership server.
9. The method of claim 7 wherein said group membership server maintains a public key pair comprising a public key and a private key and said encryption key comprises the group membership server public key.
10. The method of claim 1 wherein transmitting said encrypted first message portion from said application server to said client comprises transmitting said encrypted first message portion and an address of said group membership server from said application server to said client.
11. The method of claim 1 wherein generating said response message portion comprises generating an authenticated message which contains said indication that said applicant is a member of said group.
12. The method of claim 11 wherein generating said authenticated message comprises generating a certificate which is digitally signed by said group membership server and which contains said indication that said applicant is a member of said group.
13. The method of claim 1 wherein generating said response message portion comprises generating an authenticated message which contains an indication that said applicant is a member of said encrypted first message portion.
14. The method of claim 13 wherein generating said authenticated message comprises generating a certificate which is digitally signed by said group membership server and which contains an indication that said applicant is a member of said encrypted first message portion.
15. The method of claim 1 wherein generating said response message portion comprises generating an encrypted authenticated message which contains an indication that said applicant is a member of said group, wherein said encrypted authenticated message is encrypted such that it is decipherable by said application server, but not by said client.
16. The method of claim 15 wherein said encrypted authenticated message comprises an encrypted certificate which is digitally signed by said group membership server.
17. The method of claim 15 wherein said authenticated message further includes an extension value that is unrelated to said indication that said applicant is a member of said group.
18. The method of claim 1 wherein generating said response message portion comprises generating an encrypted authenticated message which contains a group membership list that includes an indication of said applicant, wherein said encrypted authenticated message is encrypted such that it is decipherable by said application server, but not by said client.
19. The method of claim 18 wherein said encrypted authenticated message comprises an encrypted certificate which is digitally signed by said group membership server.
20. The method of claim 18 wherein said authenticated message further includes an extension value that is unrelated to said group membership list.
21. The method of claim 1 wherein generating said response message portion comprises generating an encrypted authenticated message which contains a group membership criterion identifying the requirements for group membership, wherein said encrypted authenticated message is encrypted such that it is decipherable by said application server, but not by said client.
22. The method of claim 21 wherein said encrypted authenticated message comprises an encrypted certificate which is digitally signed by said group membership server.
23. The method of claim 21 wherein said authenticated message further includes an extension value that is unrelated to said group membership criterion.
24. The method of claim 1 further including, at said group membership server, encrypting said response message portion with an encryption key.
25. The method of claim 24 wherein said encryption key comprises a symmetric key shared by said group membership server and said application server.
26. The method of claim 24 wherein said application server maintains an application server public key pair including an application server public key and an application server private key and said encryption key comprises said application server public key.
27. The method of claim 1 further including, at said group membership server, ascertaining, from at least one other server, information indicative of whether said applicant is a member of said group.
28. The method of claim 27 wherein said group includes a plurality of subgroups which are each served by a respective subgroup server and ascertaining comprises ascertaining from at least one of said subgroup servers whether said applicant is a member of the respective at least one subgroup.
29. The method of claim 28 wherein said applicant is deemed to be a member of said group if the applicant is a member of at least one of said subgroups.
30. The method of claim 28 wherein said applicant is deemed to be a member of said group only if the applicant is a member of all of said subgroups.
31. The method of claim 1 wherein transmitting said encrypted first message portion from said application server to said client further comprises:
transmitting to said client along with said encrypted first message portion an unencrypted group membership server identifying portion that identifies the group membership server to which said client should transmit said encrypted first message portion.
32. A method for providing an indication at a first computer that a request for service that is received over a computer network from an applicant associated with a second computer is authorized, comprising:
at said first computer;
receiving said request for service from said second computer over said computer network;
in response to receiving said request for service, generating a first message portion that includes an identification of a group authorized to obtain the requested service;
encrypting said first message portion to form an encrypted first message portion that permits decryption by a third computer on said computer network, but not by said second computer;
transmitting said encrypted first message portion over said computer network for delivery to said second computer;
receiving a response message over said network from said second computer, said response message containing group membership defining information provided by said third computer;
determining, at least in part from group membership defining information contained in said response message, whether said applicant is a member of said group; and
if said applicant is thereby determined to be a member of said group, providing an indication of group membership.
33.
generating an extension value;
combining said extension value with said group identification to form an extended group identifier; and
encrypting said extended group identifier to form said encrypted first message portion.
34. The method of claim 33 wherein generating said extension value comprises generating a random number.
35. The method of claim 33 wherein generating said extension value comprises generating a pseudo random number.
36. The method of claim 33 wherein generating said extension value comprises generating a number within a sequence of numbers.
37. The method of claim 33 wherein generating an extension value comprises generating a date and time stamp.
38. The method of claim 32 wherein encrypting said first message portion comprises encrypting said first message portion with an encryption key which permits decryption of said first message portion only by said third computer.
39. The method of claim 38 wherein said encryption key comprises a symmetric key shared by said first and third computers.
40. The method of claim 38 wherein said third computer maintains a third computer public key pair comprising a third computer public key and a third computer private key and said encryption key comprises said third computer public key.
41. The method of claim 32 wherein transmitting said encrypted first message portion for delivery to said second computer comprises transmitting said encrypted first message portion to said second computer along with an unencrypted identification of said third computer to allow said second computer to transmit said encrypted first message portion to said third computer.
42. The method of claim 32 wherein receiving said response message comprises receiving a certificate containing a digital signature of said third computer and containing said information from which said first computer can determine whether said applicant is a member of said group.
43. The method of claim 32 wherein receiving said response message comprises receiving a certificate containing a digital signature of said third computer and an indication that said applicant is a member of said encrypted first message portion.
44. The method of claim 32 wherein receiving said response message comprises receiving an encrypted certificate containing a digital signature of said third computer and containing an indication that said applicant is a member of said group, wherein said certificate is encrypted with an encryption key which is decipherable only by said first computer.
45. The method of claim 32 wherein receiving said response message comprises receiving an encrypted certificate containing a digital signature of said third computer and containing a group membership list which includes an indication of said applicant within said list, wherein said certificate is encrypted with an encryption key which is decipherable only by said first computer.
46. The method of claim 32 wherein receiving said response message comprises receiving an encrypted certificate containing a digital signature of said third computer and containing a group membership criterion identifying the requirements for group membership, wherein said certificate is encrypted with an encryption key which is decipherable by said first computer.
47. The method of claim 32 wherein receiving said response message comprises receiving an encrypted response message wherein said response message is encrypted with an encryption key that is decipherable only by said first computer.
48. The method of claim 47 wherein said encryption key comprises a symmetric key shared by said first and third computers.
49. The method of claim 47 wherein said first computer maintains a first computer public key pair comprising a first computer public key and a first computer private key and said encryption key comprises said first computer public key.
50. The method of claim 32 wherein transmitting said encrypted first message portion over said network for delivery to said second computer further comprises transmitting to said second computer, along with said encrypted first message portion, an unencrypted third computer identifying portion that identifies the third computer to which said second computer should forward said encrypted first message portion.
51. Apparatus for providing an indication that a request for service received from an applicant over a network and associated with a client is authorized, said apparatus comprising:
an application server, said application server operative to receive said request for service, generate a first message portion that includes an identification of a group authorized to obtain the requested service, encrypt said first message portion to form an encrypted first message portion that permits decryption by a group membership server, transmit said encrypted first message portion over said network for delivery to said client, receive a response message over said network from said client, said response message containing group membership defining information provided by said group membership server, determining from said group membership defining information whether said applicant is a member of said group and, if said applicant is thereby determined to be a member of said group, providing an indication of group membership.
52. A computer program product including a computer readable medium, said computer readable medium having an application server computer program stored thereon, said application server computer program for execution in a computer and comprising:
program code for receiving a request for service over a computer network from an applicant associated with a second computer;
program code for generating, in response to the receipt of said request for service, a first message portion comprising an identification of a group authorized to obtain the requested service; program code for encrypting said first message portion to form an encrypted first message portion that permits decryption by a third computer;
program code for transmitting said encrypted first message portion over said network for delivery to said second computer;
program code for receiving over said network a second message portion from said second computer, said second message portion containing group membership defining information that is provided by said third computer and that serves to identify whether said applicant is a member of said group;
program code for verifying, upon receipt of said second message portion, whether said applicant is a member of said group authorized to obtain said requested service; and
program code for providing an indication that the applicant is authorized to obtain the requested service in response to said verification.
53. A computer data signal, said computer data signal including a computer program for use in determining whether an applicant associated with a client is a member of a group authorized to obtain a requested service, said computer program comprising:
program code for receiving a request for service over a computer network from an applicant associated with a second computer;
program code for generating, in response to the receipt of said request for service, a first message portion comprising an identification of a group authorized to obtain the requested service; program code for encrypting said first message portion to form an encrypted first message portion that permits decryption by a third computer;
program code for transmitting said encrypted first message portion over said network for delivery to said second computer;
program code for receiving over said network a second message portion from said second computer, said second message portion containing group membership defining information that is provided by said third computer and that serves to identify whether said applicant is a member of said group;
program code for verifying, upon receipt of said second message portion, whether said applicant is a member of said group authorized to obtain said requested service; and
program code for providing an indication that the applicant is authorized to obtain the requested service in response to said verification.
54. Apparatus for providing an indication that a request for service received from an applicant over a network and associated with a client is authorized, said apparatus comprising:
means for receiving said request for service over said network;
means for generating a first message portion that includes an identification of a group authorized to obtain the requested service;
means for encrypting said first message portion to form an encrypted first message portion that permits decryption by a group membership server, but not by said client;
means for transmitting said encrypted first message portion over said network for delivery to said client;
means for receiving a response message over said network from said client, said response message containing group membership defining information provided by said group membership server;
means for determining from said group membership defining information whether said applicant is a member of said group; and
means for providing an indication of group membership if said applicant is thereby determined to be a member of said group.