Session key security protocol
First Claim
1. A method of securing information in a multi-site authentication system, said method comprising:
- generating a message having content, said message content including authenticating information provided by a user of a client computer to a first network server, said client computer and said first network server being coupled to a data communication network;
randomly generating, by the first network server, a session key;
encrypting the message content, by the first network server, using the generated session key;
encrypting the generated session key, by the first network server, using a public key associated with a second network server selected by the user, said selected second network server also being coupled to the data communication network;
generating, by the first network server, a signature for the encrypted message content and encrypted generated session key using a private key associated with the first network server, wherein said signature includes address information for the selected second network server;
generating, by the first network server, an authentication ticket only for the selected second network server, said authentication ticket including the encrypted message content, the encrypted generated session key, and the generated signature; and
directing the client computer along with the authentication ticket from the first network server to the selected second network server, wherein the selected second network server decrypts the encrypted generated session key using a private key associated therewith, decrypts the encrypted message content of the ticket using the generated session key, and identifiesits own address information in the generated signature to validate the signature.
2 Assignments
0 Petitions
Accused Products
Abstract
A security protocol for use in a multi-site authentication system. After authenticating a user, an authentication server generates a ticket including information associated with the user. The authentication server encrypts content of the ticket using a symmetric key shared with an affiliate server. The affiliate server has a public key that the authentication server uses to encrypt the shared key. The authentication server has private key for creating a signature on the ticket. The affiliate server decrypts the shared key with its private key and then decrypts the content of the ticket using the decrypted shared key. The affiliate server validates the signature with the authentication server'"'"'s public key.
-
Citations
16 Claims
-
1. A method of securing information in a multi-site authentication system, said method comprising:
-
generating a message having content, said message content including authenticating information provided by a user of a client computer to a first network server, said client computer and said first network server being coupled to a data communication network; randomly generating, by the first network server, a session key; encrypting the message content, by the first network server, using the generated session key; encrypting the generated session key, by the first network server, using a public key associated with a second network server selected by the user, said selected second network server also being coupled to the data communication network; generating, by the first network server, a signature for the encrypted message content and encrypted generated session key using a private key associated with the first network server, wherein said signature includes address information for the selected second network server; generating, by the first network server, an authentication ticket only for the selected second network server, said authentication ticket including the encrypted message content, the encrypted generated session key, and the generated signature; and directing the client computer along with the authentication ticket from the first network server to the selected second network server, wherein the selected second network server decrypts the encrypted generated session key using a private key associated therewith, decrypts the encrypted message content of the ticket using the generated session key, and identifies its own address information in the generated signature to validate the signature. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
- 11. A system of securing information comprising an authentication server and a plurality of affiliate servers associated with a multi-site user authentication system and coupled to a data communication network, said authentication server retrieving login information from a user of a client computer for authenticating the user requesting access to a service being provided by one of the plurality of affiliate servers, said authentication server further generating a message having content, said message content including login information associated with the user of the client computer, said authentication server generating a session key used by the authentication server for encrypting the message content, said requested affiliate server having a public key and said authentication server using the public key to encrypt the generated session key, said authentication server having a private key and said authentication server using the private key to generate a signature for the encrypted message content and the encrypted session key, said signature including address information for the requested affiliate server, said authentication server generating an authentication ticket including the encrypted message content, the encrypted session key, and the generated signature for directing the client computer to the requested affiliate server, and wherein the requested affiliate server has a private key for decrypting the encrypted generated session key, said affiliate server decrypting the content of the ticket using the decrypted generated session key and validating the signature by identifying its own address information in the signature.
Specification