Securely processing client credentials used for Web-based access to resources

US 7,360,096 B2
Filed: 06/12/2003
Issued: 04/15/2008
Est. Priority Date: 11/20/2002
Status: Expired due to Fees

First Claim

Patent Images

1. In a server computer system, a method for determining the validity of user credentials used for Web-based access to resources at the server computer system, the method comprising:

an act of the server computer system receiving a request from a client computer system for Web-based access to a resource at the server, the request including;

a unique session identifier which is unique to a particular session between the server computer system and the client computer system; and

encrypted information representing at least a portion of user credentials and a time-dependent signature, the time-dependent signature being derived from the at least a portion of the user credentials and a signature time-dependent key, the encrypted information received from the client computer being encrypted using at least one key obtained from a rotating key store of the server computer system and by using an encryption time-dependent key, the signature time-dependent key being derived from the key in the rotating key store at the server, and the encryption time-dependent key being derived from the key in the rotating key store at the server and the unique session identifier, wherein a key generation module at the server generates keys for the rotating key store and which are passed to the client computer system;

an act of the server computer system attempting to validate at least a portion of the user credentials using the most current key in a rotating key store and determining that the at least a portion of the user credentials cannot be validated using the most current key in the rotating key store;

an act of the server computer attempting to validate the at least a portion of the user credentials using other keys in the rotating key store;

an act of the server computer validating the user credentials using a key in the key store other than the most current key of the rotating key store;

an act of the server computer system forwarding the request to a module that controls Web-based access to the requested resource; and

in response to the server computer validating the user credentials with a key other than the most current key of the rotating key store, an act of the server computer system determining that refreshed encrypted information representing the at least a portion of the user credentials and a time-dependent signature are to be derived from the most current key in the rotating key store.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides for securely processing client credentials used for Web-based access to resources. A login page with an interface for entering user credentials is presented at a client and entered user credentials are sent to the server. In response to receiving user credentials, the server generates a unique session identifier for the client. The server also derives a digital signature for the user credentials based on a current key in a rotating key store and the unique session identifier. The server then encrypts the digital signature and the user credentials based on an encryption key derived from the current key and the unique session identifier. When encrypted credentials are received back at the client, keys from the rotating key store are used to attempt to validate the credentials. If user credentials can not be validated, a user is again presented with the login page.

69 Citations

View as Search Results

10 Claims

1. In a server computer system, a method for determining the validity of user credentials used for Web-based access to resources at the server computer system, the method comprising:
- an act of the server computer system receiving a request from a client computer system for Web-based access to a resource at the server, the request including;
  
  a unique session identifier which is unique to a particular session between the server computer system and the client computer system; and
  
  encrypted information representing at least a portion of user credentials and a time-dependent signature, the time-dependent signature being derived from the at least a portion of the user credentials and a signature time-dependent key, the encrypted information received from the client computer being encrypted using at least one key obtained from a rotating key store of the server computer system and by using an encryption time-dependent key, the signature time-dependent key being derived from the key in the rotating key store at the server, and the encryption time-dependent key being derived from the key in the rotating key store at the server and the unique session identifier, wherein a key generation module at the server generates keys for the rotating key store and which are passed to the client computer system;
  
  an act of the server computer system attempting to validate at least a portion of the user credentials using the most current key in a rotating key store and determining that the at least a portion of the user credentials cannot be validated using the most current key in the rotating key store;
  
  an act of the server computer attempting to validate the at least a portion of the user credentials using other keys in the rotating key store;
  
  an act of the server computer validating the user credentials using a key in the key store other than the most current key of the rotating key store;
  
  an act of the server computer system forwarding the request to a module that controls Web-based access to the requested resource; and
  
  in response to the server computer validating the user credentials with a key other than the most current key of the rotating key store, an act of the server computer system determining that refreshed encrypted information representing the at least a portion of the user credentials and a time-dependent signature are to be derived from the most current key in the rotating key store.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as recited in claim 1, wherein the server computer validating the user credentials using a key in the key store other than the most current key of the rotating key store further comprises:
    - an act of the server computer system determining that based on a previously generated key in the rotating key store the at least a portion of the user credentials are valid, the previously generated key being inserted into the rotating key store before the most current key.
  - 3. The method as recited in claim 1, further comprising:
    - an act of the server computer system re-directing the client computer system to a login page that provides an interface for receiving user credentials.
  - 4. A method as recited claim 1, wherein the rotating key store maintains a plurality of keys therein, and such that when a new key is generated by the key generation module, the newly generated key is rotated into the rotating key store and an older key is rotated out of the rotating key store.
  - 5. The method as recited in claim 1, wherein the act of the server computer system determining that refreshed encrypted information representing the at least a portion of the user credentials and a time-dependent signature should be derived from the most current key in the rotating key store comprises an act of determining that refreshed encrypted information representing the at least a portion of the user credentials and a time-dependent signature should be derived from the most current key in the rotating key store.
  - 6. The method as recited in claim 5, wherein the act of determining that refreshed encrypted information representing the at least a portion of the user credentials and a time-dependent signature should be derived from the most current key in the rotating key store comprises an act of determining that the server computer system validated the at least a portion of the user credentials based on a previously generated key in the rotating key store, the previously generated key being inserted into the rotating key store before the most current key.
  - 7. The method as recited in claim 1, wherein the act of the server computer system determining that refreshed encrypted information representing the at least a portion of the user credentials and a time-dependent signature are to be derived from the most current key in the rotating key store comprises an act of deriving refreshed encrypted information and a time-dependent signature from the most current key in the rotating key store.
  - 8. The method as recited in claim 7, further comprising:
    - an act of the server computer system sending the requested resource, an updated unique session identifier, and refreshed encrypted information to the client computer system.
  - 9. A computer program product for use in a server computer system, the computer program product for implementing a method as recited in claim 1.
  - 10. The computer program product as recited in claim 9, wherein the one or more computer-readable media are physical media.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Simpson, Russell Lee Jr., Bracewell, Shawn Derek, Ward, Richard B., Batthish, Karim Michel
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Lipman; Jacob

Application Number

US10/459,863
Publication Number

US 20040098609A1
Time in Patent Office

1,769 Days
Field of Search

713/183, 726 5- 10
US Class Current

713/183
CPC Class Codes

H04L 2209/30   Compression, e.g. Merkle-Da...

H04L 2209/60   Digital content management,...

H04L 2209/80   Wireless network architectu...

H04L 63/0435   wherein the sending and rec...

H04L 63/068   using time-dependent keys, ...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/123   received data contents, e.g...

H04L 67/02   based on web technology, e....

H04L 9/3247   involving digital signatures

Securely processing client credentials used for Web-based access to resources

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

69 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Securely processing client credentials used for Web-based access to resources

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links