Securely processing client credentials used for Web-based access to resources
First Claim
1. In a server computer system, a method for determining the validity of user credentials used for Web-based access to resources at the server computer system, the method comprising:
- an act of the server computer system receiving a request from a client computer system for Web-based access to a resource at the server, the request including:
  - a unique session identifier which is unique to a particular session between the server computer system and the client computer system; and
  - encrypted information representing at least a portion of user credentials and a time-dependent signature, the time-dependent signature being derived from the at least a portion of the user credentials and a signature time-dependent key, the encrypted information received from the client computer being encrypted using at least one key obtained from a rotating key store of the server computer system and by using an encryption time-dependent key, the signature time-dependent key being derived from the key in the rotating key store at the server, and the encryption time-dependent key being derived from the key in the rotating key store at the server and the unique session identifier, wherein a key generation module at the server generates keys for the rotating key store and which are passed to the client computer system;
- an act of the server computer system attempting to validate at least a portion of the user credentials using the most current key in a rotating key store and determining that the at least a portion of the user credentials cannot be validated using the most current key in the rotating key store;
- an act of the server computer attempting to validate the at least a portion of the user credentials using other keys in the rotating key store;
- an act of the server computer validating the user credentials using a key in the key store other than the most current key of the rotating key store;
- an act of the server computer system forwarding the request to a module that controls Web-based access to the requested resource; and
- in response to the server computer validating the user credentials with a key other than the most current key of the rotating key store, an act of the server computer system determining that refreshed encrypted information representing the at least a portion of the user credentials and a time-dependent signature are to be derived from the most current key in the rotating key store.
2 Assignments
0 Petitions
Abstract
The present invention provides for securely processing client credentials used for Web-based access to resources. A login page with an interface for entering user credentials is presented at a client and entered user credentials are sent to the server. In response to receiving user credentials, the server generates a unique session identifier for the client. The server also derives a digital signature for the user credentials based on a current key in a rotating key store and the unique session identifier. The server then encrypts the digital signature and the user credentials based on an encryption key derived from the current key and the unique session identifier. When encrypted credentials are received back at the client, keys from the rotating key store are used to attempt to validate the credentials. If user credentials cannot be validated, a user is again presented with the login page.
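As an added illustration of the scheme in claim 1 and the abstract (example code, not the patent's own implementation): a rotating key store holding the most current key first, a signature key derived from the store key, an encryption key derived from the store key and the session identifier, and validation that tries the current key before older keys and flags a refresh when an older key succeeded. The key-derivation labels, the deque depth and the HMAC-keystream stand-in cipher are assumptions of this example; a real deployment would use an AEAD such as AES-GCM in its place.

```python
import hashlib
import hmac
import os
from collections import deque

def _derive(key: bytes, label: bytes) -> bytes:
    # Assumed KDF: HMAC-SHA256 over a label (and the session id for encryption keys).
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher: HMAC-SHA256 keystream in counter mode XORed over the data.
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)

class RotatingKeyStore:
    def __init__(self, depth: int = 3):
        self.keys = deque(maxlen=depth)  # index 0 is the most current key
        self.rotate()
    def rotate(self) -> None:
        self.keys.appendleft(os.urandom(32))  # oldest key falls off the end
    @property
    def current(self) -> bytes:
        return self.keys[0]

def new_session_id() -> bytes:
    return os.urandom(16)

def protect(store: RotatingKeyStore, sid: bytes, credentials: bytes) -> bytes:
    # Server side: sign with the current key, then encrypt credentials + signature.
    sig_key = _derive(store.current, b"signature")
    enc_key = _derive(store.current, b"encryption" + sid)
    sig = hmac.new(sig_key, credentials, hashlib.sha256).digest()
    nonce = os.urandom(16)  # fresh per message so re-issued blobs never share a keystream
    return nonce + _stream_xor(enc_key, nonce, credentials + sig)

def validate(store: RotatingKeyStore, sid: bytes, blob: bytes):
    # Returns (credentials, refresh_needed); (None, False) if no key in the store validates.
    nonce, body = blob[:16], blob[16:]
    for index, key in enumerate(store.keys):  # most current key is tried first
        plain = _stream_xor(_derive(key, b"encryption" + sid), nonce, body)
        creds, sig = plain[:-32], plain[-32:]
        expected = hmac.new(_derive(key, b"signature"), creds, hashlib.sha256).digest()
        if hmac.compare_digest(sig, expected):
            return creds, index > 0  # older key succeeded: re-derive from the current key
    return None, False
```

A blob that fails every key in the store (rotated out, or presented with a different session identifier) is what sends the user back to the login page.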
69 Citations
10 Claims
Specification