Facilitating single sign-on by using authenticated code to access a password store

US 7,150,038 B1
Filed: 04/06/2000
Issued: 12/12/2006
Est. Priority Date: 04/06/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for facilitating access to a plurality of applications that require passwords, comprising:

receiving a request for a password from an application running on a remote computer system, the request being received at a local computer system;

authenticating the request as originating from a trusted source, wherein authenticating the request involves authenticating the remote computer system that sent the request;

using an identifier for the application to look up the password for the application in a password store containing a plurality of passwords associated with the plurality of applications, wherein the plurality of passwords allows a different password to be used with each application of the plurality of applications;

if the password exists in the password store, sending the password or a function of the password to the application on the remote computer system;

receiving a second request to change the password from the application on the remote computer system;

automatically generating a replacement password;

storing the replacement password in the password store; and

forwarding the replacement password or the password function to the application on the remote computer system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system that facilitates accessing to a plurality of applications that require passwords. When the system receives a request for a password from an application running on a remote computer system, the system first authenticates the request to ensure that it originated from a trusted source. Next, the system uses an identifier for the application to look up the password for the application in a password store, which contains passwords associated with the plurality of applications. If the password exists in the password store, the system sends the password or a function of the password to the application on the remote computer system. Hence, the system creates the illusion that there is a single sign on to a large number of applications, whereas in reality the system automatically provides different passwords to the applications as they are requested. In one embodiment of the present invention, the request for the password includes computer code that when run on the local computer system requests the password on behalf of the application on the remote computer system. In a variation on this embodiment, the computer code is in the form of a JAVA™ applet that runs on a JAVA™ virtual machine on the local computer system. In one embodiment of the present invention, the JAVA™ applet is a signed JAVA™ applet, and authenticating the request involves authenticating the JAVA™ applet'"'"'s certificate chain.

84 Citations

View as Search Results

49 Claims

1. A method for facilitating access to a plurality of applications that require passwords, comprising:
- receiving a request for a password from an application running on a remote computer system, the request being received at a local computer system;
  
  authenticating the request as originating from a trusted source, wherein authenticating the request involves authenticating the remote computer system that sent the request;
  
  using an identifier for the application to look up the password for the application in a password store containing a plurality of passwords associated with the plurality of applications, wherein the plurality of passwords allows a different password to be used with each application of the plurality of applications;
  
  if the password exists in the password store, sending the password or a function of the password to the application on the remote computer system;
  
  receiving a second request to change the password from the application on the remote computer system;
  
  automatically generating a replacement password;
  
  storing the replacement password in the password store; and
  
  forwarding the replacement password or the password function to the application on the remote computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein authenticating the request involves authenticating a creator of the request.
  - 3. The method of claim 1, further comprising, if the password store is being accessed for the first time,prompting a user for a single sign on password for the password store;
    - andusing the single sign on password to open the password store.
  - 4. The method of claim 3, wherein if a time out period for the password store expires,prompting the user again for the single sign on password for the password store;
    - andusing the single sign on password to open the password store.
  - 5. The method of claim 1, wherein if the password store is being accessed for the first time, the method further comprises authenticating the user through an authentication mechanism, wherein the authentication mechanism includes one of:
    - a smart card;
      
      a biometric authentication mechanism; and
      
      a public key infrastructure.
  - 6. The method of claim 1, wherein if the password does not exist in the password store, the method further comprises:
    - adding the password to the password store; and
      
      sending the password to the application on the remote computer system.
  - 7. The method of claim 6, wherein adding the password to the password store further comprises automatically generating the password.
  - 8. The method of claim 6, wherein adding the password to the password store further comprises asking a user to provide the password.
  - 9. The method of claim 1, further comprising decrypting data in the password store prior to looking up the password in the password store.
  - 10. The method of claim 1, wherein the password store is located on a second remote computer system.
  - 11. The method of claim 1, wherein the password store is located on one of:
    - a local smart card;
      
      a removable storage medium; and
      
      a memory button.
  - 12. The method of claim 1, wherein the request for the password includes computer code that when run on the local computer system requests the password on behalf of the application on the remote computer system.
  - 13. The method of claim 12, wherein the computer code is in the form of a platform-independent applet that runs on a platform-independent virtual machine on the local computer system.
  - 14. The method of claim 13, wherein sending the password or the function of the password to the application to the remote computer system involves:
    - communicating the password to the platform-independent applet; and
      
      allowing the platform-independent applet to forward the password to the application on the remote computer system.
  - 15. The method of claim 13, wherein the platform-independent applet is a signed platform-independent applet, and wherein authenticating the request includes authenticating the platform-independent applet'"'"'s certificate chain.

16. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for facilitating access to a plurality of applications that require passwords, the method comprising:
- receiving a request for a password from an application running on a remote computer system, the request being received at a local computer system;
  
  authenticating the request as originating from a trusted source, wherein authenticating the request involves authenticating the remote computer system that sent the request;
  
  using an identifier for the application to look up the password for the application in a password store containing a plurality of passwords associated with the plurality of applications, wherein the plurality of passwords allows a different password to be used with each application of the plurality of applications;
  
  if the password exists in the password store, sending the password or a function of the password to the application on the remote computer system;
  
  receiving a second request to change the password from the application on the remote computer system;
  
  automatically generating a replacement password;
  
  storing the replacement password in the password store; and
  
  forwarding the replacement password or the password function to the application on the remote computer system.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The computer-readable storage medium of claim 16, wherein authenticating the request involves authenticating a creator of the request.
  - 18. The computer-readable storage medium of claim 16, wherein the method further comprises, if the password store is being accessed for the first time,prompting a user for a single sign on password for the password store;
    - andusing the single sign on password to open the password store.
  - 19. The computer-readable storage medium of claim 18, wherein if a time out period for the password store expires, the method further comprises:
    - prompting the user again for the single sign on password for the password store; and
      
      using the single sign on password to open the password store.
  - 20. The computer-readable storage medium of claim 16, wherein if the password store is being accessed for the first time, the method further comprises authenticating the user through an authentication mechanism, wherein the authentication mechanism includes one of:
    - a smart card;
      
      a biometric authentication mechanism; and
      
      a public key infrastructure.
  - 21. The computer-readable storage medium of claim 16, wherein if the password does not exist in the password store, the method further comprises:
    - adding the password to the password store; and
      
      sending the password to the application on the remote computer system.
  - 22. The computer-readable storage medium of claim 21, wherein adding the password to the password store further comprises automatically generating the password.
  - 23. The computer-readable storage medium of claim 21, wherein adding the password to the password store further comprises asking a user to provide the password.
  - 24. The computer-readable storage medium of claim 16, wherein the method further comprises decrypting data in the password store prior to looking up the password in the password store.
  - 25. The computer-readable storage medium of claim 16, wherein the password store is located on a second remote computer system.
  - 26. The computer readable storage medium of claim 16, wherein the password store is located on one of:
    - a local smart card;
      
      a removable storage medium; and
      
      a memory button.
  - 27. The computer-readable storage medium of claim 16, wherein the request for the password includes computer code that when run on the local computer system requests the password on behalf of the application on the remote computer system.
  - 28. The computer-readable storage medium of claim 27, wherein the computer code is in the form of a platform-independent applet that runs on a platform-independent virtual machine on the local computer system.
  - 29. The computer-readable storage medium of claim 28, wherein sending the password or the function of the password to the application to the remote computer system involves:
    - communicating the password to the platform-independent applet; and
      
      allowing the platform-independent applet to forward the password to the application on the remote computer system.
  - 30. The computer-readable storage medium of claim 28, wherein the platform-independent applet is a signed platform-independent applet, and wherein authenticating the request includes authenticating the platform-independent applet'"'"'s certificate chain.

31. An apparatus that facilitates accessing a plurality of applications that require passwords, comprising:
- a receiving mechanism that receives a request for a password from an application running on a remote computer system, the request being received at a local computer system;
  
  an authentication mechanism that authenticates the request as originating from a trusted source, wherein the authentication mechanism is configured to authenticate the remote computer system that sent the request;
  
  a lookup mechanism that uses an identifier for the application to look up the password for the application in a password store containing a plurality of passwords associated with the plurality of applications, wherein the plurality of passwords allows a different password to be used with each application of the plurality of applications;
  
  a forwarding mechanism that sends the password to the application on the remote computer system if the password exists in the password store; and
  
  a password changing mechanism that is configured to;
  
  receive a request to change the password from the application on the remote computer system;
  
  automatically generate a replacement password;
  
  store the replacement password in the password store; and
  
  toforward the replacement password to the application on the remote computer system.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 32. The apparatus of claim 31, wherein the authentication mechanism is configured to authenticate a creator of the request.
  - 33. The apparatus of claim 31, wherein if the password store is being accessed for the first time, the lookup mechanism is configured to:
    - prompt a user for a single sign on password for the password store; and
      
      touse the single sign on password to open the password store.
  - 34. The apparatus of claim 33, wherein if a time out period for the password store expires, the lookup mechanism is configured to:
    - prompt the user again for the single sign on password for the password store; and
      
      touse the single sign on password to open the password store.
  - 35. The apparatus of claim 31, wherein if the password store is being accessed for the first time, the lookup mechanism is configured to authenticate the user through an authentication mechanism, wherein the authentication mechanism includes one of:
    - a smart card;
      
      a biometric authentication mechanism; and
      
      a public key infrastructure.
  - 36. The apparatus of claim 31, further comprising an insertion mechanism, wherein if the password does not exist in the password store the insertion mechanism is configured to:
    - add the password to the password store; and
      
      tosend the password to the application on the remote computer system.
  - 37. The apparatus of claim 36, wherein the insertion mechanism is additionally configured to automatically generate the password.
  - 38. The apparatus of claim 36, wherein the insertion mechanism is additionally configured to ask a user to provide the password.
  - 39. The apparatus of claim 31, further comprising a decryption mechanism that is configured to decrypt data in the password store.
  - 40. The apparatus of claim 31, wherein the password store is located on a second remote computer system.
  - 41. The apparatus of claim 31, wherein the password store is located on one of:
    - a local smart card;
      
      a removable storage medium; and
      
      a memory button.
  - 42. The apparatus of claim 31, wherein the request for the password includes computer code that when run on the local computer system requests the password on behalf of the application on the remote computer system.
  - 43. The apparatus of claim 42, wherein the computer code is in the form of a platform-independent applet that runs on a platform-independent virtual machine on the local computer system.
  - 44. The apparatus of claim 43, wherein the forwarding mechanism is configured to send the password to the application on the remote computer system by:
    - communicating the password to the platform-independent applet; and
      
      allowing the platform-independent applet to forward the password to the application on the remote computer system.
  - 45. The apparatus of claim 43, wherein the platform-independent applet is a signed platform-independent applet, and wherein the authentication mechanism is configured to authenticate a certificate chain.

46. A method for facilitating access to a plurality of applications that require passwords, comprising:
- receiving a request to look up a password at a password server;
  
  authenticating the request as originating from a trusted source, wherein authenticating the request involves authenticating the remote computer system that sent the request;
  
  wherein the request is received from a client and includes an identifier for an application requesting the password from the client;
  
  using the identifier for the application to look up the password for the application in a password store containing a plurality of passwords associated with the plurality of applications, wherein the plurality of passwords allows a different password to be used with each application of the plurality of applications;
  
  if the password exists in the password store, sending the password or a function of the password to the client, so that the client can present the password to the application;
  
  receiving a second request from the client to change the password at the password server;
  
  automatically generating a replacement password;
  
  storing the replacement password in the password store; and
  
  forwarding the replacement password or the password to the client.
- View Dependent Claims (47, 48)
- - 47. The method of claim 46, wherein the request is received from computer code running on the client that requests the password on behalf of the application.
  - 48. The method of claim 47, wherein the computer code is in the form of a platform-independent applet that runs on a platform-independent virtual machine on the client.

49. A server that distributes code for facilitating access to a plurality of applications that require passwords, wherein the code operates by:
- receiving a request for a password from an application running on a remote computer system, the request being received at a local computer system;
  
  authenticating the request as originating from a trusted source, wherein authenticating the request involves authenticating the remote computer system that sent the request;
  
  using an identifier for the application to look up the password for the application in a password store containing a plurality of passwords associated with the plurality of applications, wherein the plurality of passwords allows a different password to be used with each application of the plurality of applications;
  
  if the password exists in the password store, sending the password or a function of the password to the application on the remote computer system;
  
  receiving a second request to change the password from the application on the remote computer system;
  
  automatically generating a replacement password;
  
  storing the replacement password in the password store; and
  
  forwarding the replacement password or the password function to the application on the remote computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Samar, Vipin
Primary Examiner(s)
Louis-Jacques, Jacques
Assistant Examiner(s)
HENEGHAN, MATTHEW E

Application Number

US09/544,709
Time in Patent Office

2,441 Days
Field of Search

713/202, 713/157
US Class Current

726/8
CPC Class Codes

G06F 21/41 where a single sign-on prov...

Facilitating single sign-on by using authenticated code to access a password store

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

84 Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

Facilitating single sign-on by using authenticated code to access a password store

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links