Web access to secure data

US 7,452,278 B2
Filed: 05/09/2003
Issued: 11/18/2008
Est. Priority Date: 05/09/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method for controlling access to a secure data service within a secure data service environment, said access being requested by a user of a versatile computing device that is not dedicated to communicating with the secure data service environment over a secure private communication network, so that the access is outside of the secure data service environment and is over an insecure public network, wherein the secure data service environment provides online data and services to dedicated devices through the secure private communication network, the method comprising the steps of:

(a) linking a user-partner identifier with a user-service identifier, wherein;

(i) the user-partner identifier is used to authenticate the user with a partner network service that has been previously certified by the secure data service environment and that is in communication with the versatile computing device, the user-partner identifier being used by the versatile computing device and partner network service to authenticate the user with the secure data service environment through the insecure public network; and

(ii) the user-service identifier is used to authenticate the user with the secure data service environment that provides the online service to the dedicated devices through the secure private communication network without passing through any partner network service, the dedicated devices being distinguished from versatile devices which communicate with the partner network service through the insecure public network in that dedicated devices are dedicated to a primary function;

(b) determining whether a request for access to the secure data service within the secure data service environment is authentic when the request for access is received from the partner network service on behalf of the user of the versatile computing device; and

(c) providing the requested access to the secure data service over the insecure public network to the partner network service, and thus to the versatile computing device over the insecure public network, if the request is authentic.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Controlling access to secure data and services by versatile computers outside a secure environment, which communicates with limited dedicated devices such as game consoles, over a secure network such as a virtual private network. The versatile computing devices obtain access over an insecure network, such as the Internet, through a trusted partner Web site that authenticates users of the site and relays requests to the secure environment. The Web site uses a certificate for a predefined level of secure access to the secure environment. A link is established between a user'"'"'s Web ID authenticated by the Web site and a gamer tag used within the secure environment. Access is limited as a function of the Web ID, gamer tag, and a Web site partner ID. A Web cache stores and provides some secure data, minimizing disruption to the secure environment'"'"'s primary function to service the dedicated devices.

71 Citations

View as Search Results

34 Claims

1. A method for controlling access to a secure data service within a secure data service environment, said access being requested by a user of a versatile computing device that is not dedicated to communicating with the secure data service environment over a secure private communication network, so that the access is outside of the secure data service environment and is over an insecure public network, wherein the secure data service environment provides online data and services to dedicated devices through the secure private communication network, the method comprising the steps of:
- (a) linking a user-partner identifier with a user-service identifier, wherein;
  
  (i) the user-partner identifier is used to authenticate the user with a partner network service that has been previously certified by the secure data service environment and that is in communication with the versatile computing device, the user-partner identifier being used by the versatile computing device and partner network service to authenticate the user with the secure data service environment through the insecure public network; and
  
  (ii) the user-service identifier is used to authenticate the user with the secure data service environment that provides the online service to the dedicated devices through the secure private communication network without passing through any partner network service, the dedicated devices being distinguished from versatile devices which communicate with the partner network service through the insecure public network in that dedicated devices are dedicated to a primary function;
  
  (b) determining whether a request for access to the secure data service within the secure data service environment is authentic when the request for access is received from the partner network service on behalf of the user of the versatile computing device; and
  
  (c) providing the requested access to the secure data service over the insecure public network to the partner network service, and thus to the versatile computing device over the insecure public network, if the request is authentic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein a person participating within the secure data service environment communicates through a secure gateway that only permits the dedicated device employed by the person to access the secure data service environment, said secure gateway being inaccessible by a user communicating through the versatile computing device, over the insecure public network, from outside of the secure data service environment.
  - 3. The method of claim 1, wherein the method further comprises, prior to providing access to the requested secure data service, the step of determining access limits associated with at least one of the partner network service, the user-partner identifier, and the user-service identifier.
  - 4. The method of claim 1, wherein the secure data service environment comprises a secure gaming environment providing online gaming data and services to the dedicated devices through the secure private communication network.
  - 5. The method of claim 1, wherein the secure private communication network comprises a virtual private network.
  - 6. The method of claim 1, wherein the partner network service is accessed through a Web site that issues the user-partner identifier.
  - 7. The method of claim 1, wherein the step of linking comprises the steps of:
    - (a) receiving the user-partner identifier, the user-service identifier, and private information from the partner network service, wherein the private information is unique to the user;
      
      (b) determining whether the private information matches corresponding private information stored within the secure data service environment, wherein the corresponding private information stored within the secure data service environment is associated with the user-service identifier; and
      
      (c) associating the user-partner identifier with the user-service identifier if the private information matches the corresponding private information stored within the secure data service environment.
  - 8. The method of claim 6, further comprising the step of associating a credential type with the user-partner identifier, wherein the credential type indicates a user authentication system, thereby enabling the user to access the secure data service with the user-partner identifier through any partner network service that uses a common user authentication system.
  - 9. The method of claim 1, wherein the method further comprises, prior to the step of linking, the step of issuing the partner network service a certificate that authenticates the partner network service, to enable communication with the secure data service environment.
  - 10. The method of claim 9, wherein the step of determining whether the request received from the partner network service is authentic comprises the steps of:
    - (a) receiving the certificate from the partner network service along with the request;
      
      (b) determining whether a public key of the certificate corresponds to a private key associated with the partner network service;
      
      (c) denying access to the secure data service if the public key of the certificate does not corresponds to the private key; and
      
      (d) enabling access to the secure data service if the public key of the certificate corresponds to the private key.
  - 11. The method of claim 9, further comprising the step of decrypting the request received from the partner network service on behalf of the user of the computing device for access to the secure data service from within the secure data service environment.
  - 12. The method of claim 11, wherein the step of decrypting comprises the steps of:
    - (a) determining at least one of;
      
      (i) a partner identifier as a function of the certificate; and
      
      (ii) a communication source identifier as a function of a network communication source of the request;
      
      (b) adding at least one of the partner identifier and the communication source identifier to a header of the request, forming a modified request; and
      
      (c) communicating the modified request through an insecure public communication channel to a service module for providing the requested secure data service.
  - 13. The method of claim 1, wherein the step of providing the requested access to the secure data service comprises the steps of:
    - (a) determining whether the requested access to the secure data service is available, using a Web cache module;
      
      (b) providing the requested access to the secure data service with the Web cache, if the requested access to the secure data service is available from the Web cache; and
      
      otherwise(c) accessing a core portion of the secure data service environment to provide the requested access to the secure data service, wherein the core portion has a primary function of providing secure data services to the dedicated devices through the secure private communication network.
  - 14. The method of claim 1, wherein the secure data service comprises at least one of:
    - (a) a leaderboard secure data service that selectively provides current information regarding performance of users of the secure data environment;
      
      (b) a statistics secure data service that selectively provides current information regarding usage of at least one service within the secure data environment;
      
      (c) a friends list secure data service that selectively provides current status regarding users associated with the user of the versatile computing device, and provides services for at least one of viewing, adding, deleting, modifying, and communicating with users associated with the user of the versatile computing device;
      
      (d) an account status secure data service that provides current information regarding an account with the secure data environment, and provides services for at least one of viewing, adding, deleting, and modifying parameters of the account with the secure data environment;
      
      (e) a tournaments secure data service that selectively provides current information regarding a tournament hosted by the secure data environment, and provides services for at least one of viewing, adding, deleting, and modifying parameters of the tournament hosted by the secure data environment;
      
      (f) a team management secure data service that selectively provides current information regarding a team of users of the secure data environment, and provides services for at least one of viewing, adding, deleting, and modifying parameters relating to the team of users of the secure data environment;
      
      (g) a user control secure data service that selectively provides current information regarding a limited user of the secure data environment, and provides services for at least one of viewing, adding, deleting, and modifying limits controlling use and access by the limited user of the secure data environment;
      
      (h) a messaging secure data service that selectively provides current information regarding messages associated with the secure data environment that are available to the user of the computing device, and provides messaging services for the user of the computing device to communicate with other users who are within the secure data environment; and
      
      (i) a download secure data service that selectively provides current information regarding secure data and execution modules retrieved from the secure data environment, and provides services for viewing and selectively retrieving secure data and execution modules from the secure data environment.
  - 15. The method of claim 1, further comprising the step of formatting secure data accessed in response to the requested access to the secure data service, wherein the formatting conforms to standard specifications of a markup language for transferring formatted data to a partner network service.
  - 16. The method of claim 1, further comprising the step of formatting secure data accessed in response to the requested access to the secure data service, wherein the formatting conforms to standard specifications of a markup language for displaying the secure data in a Web page rendered by a Web browser executed by the computing device.
  - 17. A memory medium on which are stored machine instructions for carrying out the steps of claim 1.

18. A system for controlling access to a secure data service within a secure data service environment, said access being requested by a user of a versatile computing device that is outside the secure data service environment and that communicates with the secure data service environment through an insecure public network, wherein the secure data service environment provides online data and services to dedicated devices that communicate through a secure private communication network, the system comprising:
- (a) a processor;
  
  (b) a network communication interface coupled to the processor for communicating with a partner network service through the insecure public network, said partner network service communicating with the versatile computing device through the insecure public network;
  
  (c) a secure communication interface coupled to the processor for communicating with the secure data service environment that provides online data and services to the dedicated devices through the secure private communication network, the dedicated devices being distinguished from the versatile computing devices in that dedicated devices are dedicated to a primary function; and
  
  (d) a memory coupled to the processor and storing a plurality of machine instructions that cause the processor to carry out a plurality of functions, including;
  
  (i) linking a user-partner identifier with a user-service identifier, wherein;
  
  (A) the user-partner identifier is used to authenticate the user with a partner network service that has been previously certified by the secure data service environment and that is in communication with the versatile computing device, the user-partner identifier being used by the versatile computing device and partner network service to authenticate the user with the secure data service environment through the insecure public network; and
  
  (B) the user-service identifier is used to authenticate the user with the secure data service environment that provides the online service to the dedicated devices through the secure private communication network and without passing through any partner network service;
  
  (ii) determining whether a request for access to the secure data service within the secure data service environment is authentic when the request for access is received from the partner network service on behalf of the user of the versatile computing device; and
  
  (iii) providing the requested access to the secure data service over the insecure public network to the partner network service, and thus to the versatile computing device over the insecure public network, if the request is authentic.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 19. The system of claim 18, wherein a person participating within the secure data service environment communicates through a secure gateway that only permits the dedicated device employed by the person to access the secure data service environment, said secure gateway being inaccessible by a user communicating through the versatile computing device, over the insecure public network, from outside of the secure data service environment.
  - 20. The system of claim 18, wherein prior to providing access to the requested secure data service, the machine instructions further cause the processor to carry out the function of determining access limits associated with at least one of the partner network service, the user-partner identifier, and the user-service identifier.
  - 21. The system of claim 18, wherein the secure data service environment comprises a secure gaming environment providing online gaming data and services to the dedicated devices through the secure private communication network.
  - 22. The system of claim 18, wherein the secure private communication network comprises a virtual private network.
  - 23. The system of claim 18, wherein the partner network service is accessed through a Web site that issues the user-partner identifier.
  - 24. The system of claim 18, wherein the machine instructions further cause the processor to carry out the functions of:
    - (a) receiving the user-partner identifier, the user-service identifier, and private information from the partner network service, wherein the private information is unique to the user;
      
      (b) determining whether the private information matches corresponding private information stored within the secure data service environment, wherein the corresponding private information stored within the secure data service environment is associated with the user-service identifier; and
      
      (c) associating the user-partner identifier with the user-service identifier if the private information matches the corresponding private information stored within the secure data service environment.
  - 25. The system of claim 23, wherein the machine instructions further cause the processor to carry out the function of associating a credential type with the user-partner identifier, wherein the credential type indicates a user authentication system, thereby enabling the user to access the secure data service with the user-partner identifier through any partner network service that uses a common user authentication system.
  - 26. The system of claim 18, wherein prior to the function of linking, the machine instructions further cause the processor to carry out the function of issuing the partner network service a certificate that authenticates the partner network service to enable communication with the secure data service environment.
  - 27. The system of claim 26, wherein the machine instructions further cause the processor to carry out the functions of:
    - (a) receiving the certificate from the partner network service along with the request;
      
      (b) determining whether a public key of the certificate corresponds to a private key associated with the partner network service;
      
      (c) denying access to the secure data service if the public key of the certificate does not correspond to the private key; and
      
      (d) enabling access to the secure data service if the public key of the certificate corresponds to the private key.
  - 28. The system of claim 26, wherein the machine instructions further cause the processor to carry out the function of decrypting the request received from the partner network service on behalf of the user of the versatile computing device for access to the secure data service from within the secure data service environment.
  - 29. The system of claim 28, wherein the machine instructions further cause the processor to carry out the functions of:
    - (a) determining at least one of;
      
      (i) a partner identifier as a function of the certificate; and
      
      (ii) a communication port identifier as a function of a network communication source of the request;
      
      (b) adding at least one of the partner identifier and the communication port identifier to a header of the request, forming a modified request; and
      
      (c) communicating the modified request through an insecure public communication channel to a Web cache module for providing the requested secure data service.
  - 30. The system of claim 18, wherein the machine instructions further cause the processor to carry out the functions of:
    - (a) determining whether the requested access to the secure data service is available, using a Web cache module;
      
      (b) providing the requested access to the secure data service with the Web cache, if the requested access to the secure data service is available from the Web cache; and
      
      otherwise(c) accessing a core portion of the secure data service environment to provide the requested access to the secure data service, wherein the core portion has a primary function of providing secure data services to the dedicated devices through the secure private communication network.
  - 31. The system of claim 18, wherein the secure data service comprises at least one of:
    - (a) a leaderboard secure data service that selectively provides current information regarding performance of users of the secure data environment;
      
      (b) a statistics secure data service that selectively provides current information regarding usage of the secure data environment;
      
      (c) a friends list secure data service that selectively provides current status regarding users associated with the user of the versatile computing device, and provides services for at least one of viewing, adding, deleting, modifying, and communicating with users associated with the user of the versatile computing device;
      
      (d) an account status secure data service that provides current information regarding an account with the secure data environment, and provides services for at least one of viewing, adding, deleting, and modifying parameters of the account with the secure data environment;
      
      (e) a tournaments secure data service that selectively provides current information regarding a tournament hosted by the secure data environment, and provides services for at least one of viewing, adding, deleting, and modifying parameters of the tournament hosted by the secure data environment;
      
      (f) a team management secure data service that selectively provides current information regarding a team of users of the secure data environment, and provides services for at least one of viewing, adding, deleting, and modifying parameters relating to the team of users of the secure data environment;
      
      (g) a user control secure data service that selectively provides current information regarding a limited user of the secure data environment, and provides services for at least one of viewing, adding, deleting, and modifying limits controlling use and access by the limited user of the secure data environment;
      
      (h) a messaging secure data service that selectively provides current information regarding messages associated with the secure data environment that are available to the user of the computing device, and provides messaging services for the user of the computing device to communicate with other users who are within the secure data environment; and
      
      (i) a download secure data service that selectively provides current information regarding secure data and execution modules retrieved from the secure data environment, and provides services for viewing and selectively retrieving secure data and execution modules from the secure data environment.
  - 32. The system of claim 18, wherein the machine instructions further cause the processor to carry out the function of formatting secure data accessed in response to the requested access to the secure data service, wherein the formatting conforms to standard specifications of a markup language for transferring formatted data to a partner network service.
  - 33. The system of claim 18, further comprising the step of formatting secure data accessed in response to the requested access to the secure data service, wherein the formatting conforms to standard specifications of a markup language for displaying the secure data in a Web page rendered by a Web browser executed by the versatile computing device.

34. In a secure gaming environment which includes a public gateway and a private gateway, the private gateway for communicating directly with dedicated gaming devices over a secure private communication network, and the public gateway for communicating indirectly with versatile computing devices through a partner Web site, a method for controlling access to secure data within the secure gaming environment, the method comprising:
- through the public gateway of the secure gaming environment, a secure gaming service providing a partner Web site with a certificate that authenticates the partner Web site with the secure gaming service;
  
  establishing a user account with the secure gaming service, wherein the user account includes a first user ID, and wherein the first user ID is used by the secure gaming service when interacting with a dedicated gaming device of the user, the dedicated gaming device being configured to communicate with the secure gaming service only over a secure private communication network and through the private gateway;
  
  the secure gaming service receiving a second user ID from the partner Web site and adding it to the user account, the second user ID being received through the public gateway over an insecure public communication network, wherein the second user ID was established by the user interacting with the partner Web site using a versatile computing device which is distinguished from the dedicated gaming device of the user in that a versatile computing device is not dedicated primarily to gaming, the second user ID being configured to allow the partner Web site to authenticate the user when the user communicates with the partner Web site;
  
  linking the first user ID to the second user ID in the user account at the secure gaming service;
  
  receiving a user request to access secure data of the secure gaming service, wherein the request is received over the insecure public communication network and from the partner Web site which authenticates the user using the second user ID, the partner Web site acting as an intermediary for the user request;
  
  determining the user request is authentic; and
  
  the secure gaming service providing the requested access to the secure data of the secure gaming service over the insecure public communication network to the partner Web site, and thus to the versatile computing device over the insecure public communication network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Chen, Ling Tony, Heller, Noah, Van, Van Christopher, VanAntwerp, Mark
Primary Examiner(s)
Pezzuto; Robert E
Assistant Examiner(s)
Pandya; Sunit

Application Number

US10/434,569
Publication Number

US 20040224771A1
Time in Patent Office

2,020 Days
Field of Search

463/40, 463/42
US Class Current

463/42
CPC Class Codes

A63F 13/335   using Internet

A63F 13/35   Details of game servers

A63F 13/71   using secure communication ...

A63F 13/79   involving player-related da...

A63F 13/792   for payment purposes, e.g. ...

A63F 13/795   for finding other players; ...

A63F 13/87   Communicating with other pl...

A63F 2300/208   for storing personal settin...

A63F 2300/401   Secure communication, e.g. ...

A63F 2300/407   Data transfer via internet

A63F 2300/50   characterized by details of...

A63F 2300/5513   involving billing

A63F 2300/5546   using player registration d...

A63F 2300/5566   by matching opponents or fi...

A63F 2300/572   Communication between playe...

G06Q 20/027   involving a payment switch ...

G06Q 20/0855   involving a third party

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 67/02 : based on web technology, e....

H04L 67/131 : Protocols for games, networ...

H04L 69/329 : in the application layer [O...

H04L 9/40 : Network security protocols

View All

Web access to secure data

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

71 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Web access to secure data

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

71 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links