Controlling access to information on a network using an extended network universal resource locator

US 7,426,638 B2
Filed: 06/30/2006
Issued: 09/16/2008
Est. Priority Date: 12/23/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

receiving via a network communication, by a first network entity that controls access to stored information, a message requesting access to the stored information, wherein the message includes a first component, a second component, and a third component, wherein the first component is encrypted with a first crypto-key associated with the first network entity that can be decrypted by the first network entity, wherein the second component is encrypted with a second crypto-key associated with a second network entity that controls access to the network by a user and that can be decrypted by the first network entity, and wherein the third component is encrypted with a third crypto-key associated with a third network entity associated with a service provider that can be decrypted by the first network entity;

decrypting, by the first network entity, the received encrypted first component, the received encrypted second component, and the received encrypted third component; and

transmitting the stored information to the user based at least in part on the decrypted first component, at least in part on the decrypted second component, and at least in part on the decrypted third component of the received message requesting access to the stored information,wherein the first component includes user identity information associated with the user and integrity information corresponding to the user identity information, andwherein the third component includes relationship information indicating a relationship between the third network entity and the first network entity wherein the user identity information and the integrity information were received by the third network entity from the first network entity and (ii) indicating a relationship between the third network entity and the second network entity wherein the user identity information and the integrity information were transmitted by the third network entity to the second network entity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for controlling access to information on a network where a first network entity receives a message requesting access to stored information via a network communication. The received message includes a first component encrypted with a first crypto-key associated with the first network entity and a second component encrypted with a second crypto-key associated with a second network entity such that both can be decrypted by the first network entity. The second network entity controls access to the network by the user. After receiving the message, the first network entity decrypts the first component and the second component and then transmits the stored information to the user based on the content of the first component and the second component.

32 Citations

View as Search Results

23 Claims

1. A method comprising:
- receiving via a network communication, by a first network entity that controls access to stored information, a message requesting access to the stored information, wherein the message includes a first component, a second component, and a third component, wherein the first component is encrypted with a first crypto-key associated with the first network entity that can be decrypted by the first network entity, wherein the second component is encrypted with a second crypto-key associated with a second network entity that controls access to the network by a user and that can be decrypted by the first network entity, and wherein the third component is encrypted with a third crypto-key associated with a third network entity associated with a service provider that can be decrypted by the first network entity;
  
  decrypting, by the first network entity, the received encrypted first component, the received encrypted second component, and the received encrypted third component; and
  
  transmitting the stored information to the user based at least in part on the decrypted first component, at least in part on the decrypted second component, and at least in part on the decrypted third component of the received message requesting access to the stored information,wherein the first component includes user identity information associated with the user and integrity information corresponding to the user identity information, andwherein the third component includes relationship information indicating a relationship between the third network entity and the first network entity wherein the user identity information and the integrity information were received by the third network entity from the first network entity and (ii) indicating a relationship between the third network entity and the second network entity wherein the user identity information and the integrity information were transmitted by the third network entity to the second network entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method according to claim 1, wherein the first crypto-key is a symmetric crypto-key.
  - 3. The method according to claim 2, wherein the symmetric crypto-key is known only to the first network entity.
  - 4. The method according to claim 1, wherein the second crypto-key is a public crypto-key of a joint private-public crypto-key pair associated with the second network entity.
  - 5. The method according to claim 1, wherein the received message is associated with a network address for the stored information.
  - 6. The method according to claim 1, wherein the decrypted first component further includes an identifier associated with the stored information.
  - 7. The method according to claim 1, wherein the integrity information includes a hash of the user identity information.
  - 8. The method according to claim 1, wherein the second network entity is a network portal.
  - 9. The method according to claim 1, further comprising:
    - validating at least one of the decrypted first component or the decrypted second component of the received message requesting access to the stored information, wherein transmission of the stored information is based at least in part on the validated decrypted first component or the validated decrypted second component.
  - 10. The method according to claim 9, whereinvalidation of the decrypted first component includes verifying that the integrity information corresponds to the user identity information, and wherein user identity information corresponds to at least one portion of the requested stored information.
  - 11. The method according to claim 10, wherein the decrypted first component is signed with a digital signature, and wherein validation of the decrypted first component further includes verifying the digital signature.
  - 12. The method according to claim 9, wherein the decrypted second component includes voucher information, and whereinvalidation of the decrypted second component includes verifying that the voucher information indicates that the second network entity has authenticated the user.
  - 13. The method according to claim 9, wherein validation of the decrypted second component includes confirming the identity of the user of the stored information.
  - 14. The method according to claim 9, wherein the decrypted second component is signed with a digital signature, and wherein validation of the decrypted second component includes verifying the digital signature of the decrypted second component.
  - 15. The method according to claim 9, wherein the decrypted second component includes a timestamp, and whereinvalidation of the decrypted second component includes verifying that the message was received by the first network entity within a predefined time interval beginning at a time represented by the timestamp.
  - 16. The method according to claim 1, wherein the third crypto-key is a public crypto-key of a joint private-public crypto-key pair associated with the third network entity.
  - 17. The method according to claim 1, further comprising:
    - validating the decrypted third component of the received message requesting access to the stored information, wherein transmission of the stored information to the user is based on the validated decrypted third component.
  - 18. The method according to claim 17, wherein validating the decrypted third component of the received message requesting access to the stored information includes confirming that the user identity information and the integrity information were received by the third network entity from the first network entity and that the user identity information and the integrity information were transmitted by the third network entity to the second network entity.
  - 19. The method according to claim 18, wherein the decrypted third component is signed with a digital signature, andvalidation of the decrypted third component further includes verifying the digital signature.

20. A system for providing access to information stored on a network, comprising:
- a data store, wherein the data store contains information associated with a user; and
  
  a network device, wherein the network device is configured to;
  
  receive, via a network communication, a message requesting access to the stored information, wherein the message has an encrypted first component, an encrypted second component, and an encrypted third component, wherein the first component is encrypted with a first crypto-key associated with the first network entity that can be decrypted by the first network entity, wherein the second component is encrypted with a second crypto-key associated with a second network entity that controls access to the network by the user and that can be decrypted by the first network entity, and wherein the third component is encrypted with a third crypto-key associated with a third network entity associated with a service provider that can be decrypted by the first network entity,decrypt the received encrypted first component, the received encrypted second component, and the received encrypted third component, andtransmitt the stored information to the user based at least in part on the decrypted first component, at least in part on the decrypted second component, and at least in part on the decrypted third component of the received message requesting access to the stored information,wherein the first component includes user identity information associated with the user and integrity information corresponding to the user identity information, andwherein the third component includes relationship information (i) indicating a relationship between the third network entity and the first network entity wherein the user identity information and the integrity information were received by the third network entity from the first network entity and (ii) indicating a relationship between the third network entity and the second network entity wherein the user identity information and the integrity information were transmitted by the third network entity to the second network entity.
- View Dependent Claims (21, 22, 23)
- - 21. The system according to claim 20, wherein the network device is further configured to validate at least one of the decrypted first component or the decrypted second component of the received message requesting access to the stored information, wherein transmission of the stored information is based at least in part on the validated decrypted first component and the validated decrypted second component.
  - 22. The system according to claim 20, wherein the network device is further configured to validate the decrypted first component and the decrypted second component of the received message requesting access to the stored information, and whereinthe network device transmits the stored information to the user based at least in part on the validation of both the decrypted first component and the decrypted second component.
  - 23. The system according to claim 20, wherein the network device is further configured to validate the decrypted third component of the received message requesting access to the stored information, andwherein transmission of the stored information to the user is based on the validated decrypted third component.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Checkfree Corporation (Fiserv Incorporated)
Original Assignee
Checkfree Corporation (Fiserv Incorporated)
Inventors
Ganesan, Ravi, Lewis, Matt, Hobday, Kenneth
Primary Examiner(s)
NGUYEN, MINH DIEU T

Application Number

US11/479,319
Publication Number

US 20070022052A1
Time in Patent Office

809 Days
Field of Search

713/168, 713/193, 705/40, 705/53, 705/77, 709/217
US Class Current

713/168
CPC Class Codes

G06F 21/445   by mutual authentication, e...

G06F 2221/2115   Third party

G06Q 20/00   Payment architectures, sche...

G06Q 20/085   involving remote charge det...

G06Q 20/102   Bill distribution or payments

G06Q 20/14   specially adapted for billi...

G06Q 20/3823   combining multiple encrypti...

G06Q 20/3829   involving key management

H04L 2463/102   applying security measure f...

H04L 63/0442   wherein the sending and rec...

H04L 63/0823   using certificates cryptogr...

H04L 63/123   received data contents, e.g...

Controlling access to information on a network using an extended network universal resource locator

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

32 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling access to information on a network using an extended network universal resource locator

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links