Simple secure login with multiple-authentication providers

US 7,228,417 B2
Filed: 11/07/2002
Issued: 06/05/2007
Est. Priority Date: 02/26/2002
Status: Active Grant

First Claim

Patent Images

1. In a computerized network comprising at least one client and a plurality of authentication servers, said client and said authentication servers being communicatively coupled to each other via a global telecommunications network, a method for providing distributed authentication service comprising said steps of:

(a) taking and parsing, by said client, an entered user name and password;

(b) generating a time stamp;

(c) selecting an authentication server from a list of authentication servers;

(d) combining said password and a service specific seed unique to an authentication server selected from said list of authentication servers;

(e) applying a hash algorithm to said combination and said time stamp to generate a first hash value;

(f) finding an address representing said selected authentication server;

(g) sending a data packet to said selected authentication server, said data packet comprising said first hash value, said user name, and said time stamp;

(h) extracting said first hash value, said user name, and said time stamp from said data packet received from said client;

(i) checking whether an entry under said user name is available in said selected authentication server'"'"'s database;

(j) if no entry under said user name is found, then returning a failure message to said client and repeating steps (b) to (g) for a next selected authentication server;

(k) if an entry under said user name is found, then retrieving said user'"'"'s password;

(l) combining said time stamp, said retrieved password, and said service specific seed unique to said selected authentication server;

(m) applying said hash algorithm to said combination from Step (l) to generate a second hash value;

(n) comparing said first hash value and said second hash value;

(o) if said first hash value and said second hash value do not match, then returning a failure message to said client and repeating steps (b) to (g) for a next selected authentication server;

(p) if said first hash value and said second hash value match, then returning a successful authentication message to said client;

(q) caching and distributing said positive authentication result; and

(r) when said entire list has been tested and no one authenticates said user, then resulting in authentication failure.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure distributed single-login authentication system comprises a client and a server. The client collects a user name and password from a user and tests that user name and password at a variety of potential authentication servers to check where the login is valid. It combines the password with a time varying salt and a service specific seed in a message digesting hash and generates a first hash value. The client sends the hash value along with the user name and the time varying salt to a currently selected server. The server extracts the user name and looks up an entry under the user name from the selected server'"'"'s database. If an entry is found, it retrieves the password and performs the same hash function on the combination of the user name, the service specific seed, and the retrieved password to generate a second hash value. Then, it compares two hash values. If these two values match, the user is authenticated. In this way, the system never sufficiently reveals the password to authentication agents that might abuse the information.

160 Citations

11 Claims

1. In a computerized network comprising at least one client and a plurality of authentication servers, said client and said authentication servers being communicatively coupled to each other via a global telecommunications network, a method for providing distributed authentication service comprising said steps of:
- (a) taking and parsing, by said client, an entered user name and password;
  
  (b) generating a time stamp;
  
  (c) selecting an authentication server from a list of authentication servers;
  
  (d) combining said password and a service specific seed unique to an authentication server selected from said list of authentication servers;
  
  (e) applying a hash algorithm to said combination and said time stamp to generate a first hash value;
  
  (f) finding an address representing said selected authentication server;
  
  (g) sending a data packet to said selected authentication server, said data packet comprising said first hash value, said user name, and said time stamp;
  
  (h) extracting said first hash value, said user name, and said time stamp from said data packet received from said client;
  
  (i) checking whether an entry under said user name is available in said selected authentication server'"'"'s database;
  
  (j) if no entry under said user name is found, then returning a failure message to said client and repeating steps (b) to (g) for a next selected authentication server;
  
  (k) if an entry under said user name is found, then retrieving said user'"'"'s password;
  
  (l) combining said time stamp, said retrieved password, and said service specific seed unique to said selected authentication server;
  
  (m) applying said hash algorithm to said combination from Step (l) to generate a second hash value;
  
  (n) comparing said first hash value and said second hash value;
  
  (o) if said first hash value and said second hash value do not match, then returning a failure message to said client and repeating steps (b) to (g) for a next selected authentication server;
  
  (p) if said first hash value and said second hash value match, then returning a successful authentication message to said client;
  
  (q) caching and distributing said positive authentication result; and
  
  (r) when said entire list has been tested and no one authenticates said user, then resulting in authentication failure.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein said hash algorithm is a message digesting (MD) algorithm or its equivalent.
  - 3. The method of claim 1, wherein said service specific seed is a domain name of said selected authentication server.
  - 4. The method of claim 1, wherein Step (f) further comprising said steps of:
    - (s) looking up a local mapping list; and
      
      (t) if Step (s) fails, consulting to a domain name system (DNS).

5. In a computerized network which is registered with a unique domain name, said network comprising at least one orient and a plurality of authentication servers, said client and said authentication servers being communicatively coupled to each other via a global telecommunications network, each of said authentication servers having a fully qualified domain name which is a local host name with said unique domain name appended, a method for providing distilbuted authentication service, wherein a given user enters a global user identification (GUID) and a password for authentication to be carried out at a target authentication server, said GUID comprising a user name, a delimitation symbol, and a domain which is same as said local host name of said target authentication server, said method comprising said steps of:
- (a) parsing, by said client, an entered GUID and password;
  
  (b) generating a time stamp;
  
  (c) extracting said user name from said GUID;
  
  (d) extracting a domain from said GUID;
  
  (e) combining said password and a service specific seed unique to said target authentication server;
  
  (f) applying a hash algorithm to said combination and said time stamp to generate a first hash value;
  
  (g) appending a unique domain name to said domain to form a fully qualified domain name (FQDN) for said target authentication server;
  
  (h) looking up said FQDN from a local mapping list to obtain an address representing said target authentication server;
  
  (i) if Step (h) fails, looking up said FQDN in a domain name system (DNS) to obtain an address representing said target authentication server;
  
  (j) sending a data packet to said target authentication server, said data packet comprising said first hash value, said user name, and said time stamp;
  
  (k) extracting said first hash value, said user name, and said time stamp from said data packet received from said client;
  
  (l) checking whether an entry under said user name is available in said target authentication server'"'"'s database;
  
  (m) if no entry under said user name is found, then returning a failure message to said client;
  
  (n) if an entry under said user name is found, then retrieving said user'"'"'s password;
  
  (o) combining said time stamp, said retrieved password and said service specific seed unique to said target authentication server;
  
  (p) applying said hash algorithm to said combination from Step (o) to generate a second hash value;
  
  (q) comparing said first hash value and said second hash value;
  
  (r) if said first hash value and said second hash value do not match, then returning a failure message to said client;
  
  (s) if said first hash value and said second hash value match, then returning a successful authentication message to said client; and
  
  (t) caching and distributing said positive authentication result.
- View Dependent Claims (6, 7, 8)
- - 6. The method of claim 5, further comprising said step of:
    - if Step (i) fails or if a failure message is returned from Step (m) or Step (r),automatically mapping to a default server which carries out authentication on said user'"'"'s authentication request.
  - 7. The method of claim 5, wherein said hash algorithm is a message digesting (MD) algorithm or its equivalent.
  - 8. The method of claim 5, wherein said service specific seed is a domain name of said target authentication server.

9. In a computerized network comprising at least one client end a plurality of authentication servers, said client and said authentication servers being communicatively coupled to each other via a global telecommunications network, a method fur providing distributed authentication service comprising said steps of:
- (1) parsing a user'"'"'s login information which includes a user ID and a password;
  
  (2) if said entered user ID is a global user ID (GUID), proceeding to process A; and
  
  (3) if said entered user ID is a regular user name, proceeding to process B; and
  
  wherein said process A comprising said steps of;
  
  (a) generating a time stamp;
  
  (b) extracting said user'"'"'s user name and a domain from said GUID;
  
  (c) combining said password and a service specific seed unique to a target authentication server identified by said domain of said GUID;
  
  (d) applying a hash algorithm to said combination and said time stamp to generate a first hash value;
  
  (e) finding an IP address for said target authentication server;
  
  (f) sending a data packet to said target authentication server, said data packet comprising said first hash value, said user name, and said time stamp;
  
  (g) extracting said first hash value, said user name, and said time stamp from said data packet received from said client;
  
  (h) checking whether an entry under said user name is available in said target authentication servers database;
  
  (i) if no entry under said user name is found, then returning a failure message to said client;
  
  (j) if an entry under said user name is found, then retrieving said user'"'"'s password;
  
  (k) combining said time stamp, said retrieved password, and said service specific seed unique to said target authentication server;
  
  (l) applying said hash algorithm to said combination from Step (k) to generate a second hash value;
  
  (m) comparing said first hash value and said second hash value;
  
  (n) if said first hash value and said second hash value do not match, then returning a failure message to said client;
  
  (o) if said first hash value and said second hash value match, then returning a successful authentication message to said client; and
  
  (p) caching and distributing said positive authentication result; and
  
  wherein said process B comprising said steps of;
  
  (aa) generating a time stamp;
  
  (bb) selecting an authentication server from a list of authentication servers;
  
  (cc) combining said password and a service specific seed unique to an authentication server selected from said list of authentication servers;
  
  (dd) applying a hash algorithm to said combination and said time stamp to generate a first hash value;
  
  (ee) finding an IP address representing said currently selected authentication server;
  
  (ff) sending a data packet to said currently selected authentication server, said data packet comprising said first hash value, said user name, and said time stamp;
  
  (gg) extracting said first hush value, said user name, and said time stamp from said date packet received from said client;
  
  (hh) checking whether an entry under said user name is available in said currently selected authentication server'"'"'s database;
  
  (ii) if no entry under said user name is found, then returning a failure message to said client and repeating steps (aa) to (if) for a next selected authentication server;
  
  (jj) if an entry under said user name is found, then retrieving said user'"'"'s password;
  
  (kk) combining said time stamp, said retrieved password and said service specific seed unique to said currently selected authentication server;
  
  (ll) applying said hash algorithm to said combination from Step (kk) to generate a second hash value;
  
  (mm) comparing said first hash value and said second hash value;
  
  (nn) if said first hash value and said second hash value do not match, then returning a failure message to said client and repeating steps (aa) to (ff) for a next selected authentication server;
  
  (oo) if said first hash value and said second hash value match, then returning a successful authentication message to said client; and
  
  (pp) caching and distributing said positive authentication result.
- View Dependent Claims (10, 11)
- - 10. The method of claim 9, wherein said hash algorithm is a message digesting (MD) algorithm or its equivalent.
  - 11. The method of claim 9, wherein any of Step (e) and Step (ee) further comprising said steps of:
    - (q) looking up a local mapping list; and
      
      (r) if Step (q) fails, consulting to a domain name system (DNS).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Meta Platforms, Inc. (f/k/a Facebook, Inc.)
Original Assignee
America Online Inc. (Warner Bros. Discovery, Inc.)
Inventors
Roskind, James
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
SHAW, YIN CHEN

Application Number

US10/291,281
Publication Number

US 20030163737A1
Time in Patent Office

1,671 Days
Field of Search

713/150, 713182-185, 713/168, 713/176, 726 2- 3, 726/5, 726/8, 726/9, 380/255, 709/219, 709/225
US Class Current

713/168
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2151   Time stamp

H04L 2463/102   applying security measure f...

H04L 61/4511   using domain name system [DNS]

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 9/3226   using a predetermined code,...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3271   using challenge-response

Simple secure login with multiple-authentication providers

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

160 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Simple secure login with multiple-authentication providers

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

160 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links