Systems and methods for enhancing security of communication over a public network

US 7,568,098 B2
Filed: 12/02/2003
Issued: 07/28/2009
Est. Priority Date: 12/02/2003
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for enhancing the security of communication over a network, the method comprising:

receiving a set of authentication credentials from a user;

receiving from the user a request that requires communication over the network with a remote system;

applying a collection of security privileges to the set of authentication credentials to determine if the user is authorized to carry out the request wherein applying comprises applying based at least in part upon a role-based determination that involves referencing a record that assigns access privileges to various roles that can be assumed by the user;

selectively transmitting a security certificate over the network to the remote system, the certificate containing a public key;

receiving from the remote system a session ticket that has been encrypted with the public key;

decrypting the session ticket with a corresponding private key;

using the session ticket as an authenticator for subsequent communications with the remote system;

wherein the remote system is a service provider configured to extend the functionality of a software application by remotely providing a service, and wherein selectively transmitting therefore comprises selectively transmitting the security certificate to the service provider;

wherein receiving from the user a request comprises receiving from the user a request for delivery of the service provided remotely by the service provider;

wherein selectively transmitting comprises transmitting only when the collection of security privileges indicates that the user is authorized to receive the service provided remotely by the service provider;

wherein using the session ticket comprises using the session ticket to secure communication associated with the service provider extending the functionality of the software application; and

wherein receiving a set of authentication credentials comprises receipt of the authentication credentials by a first computing device, the first computing device being the same computing device upon which operates the software application that receives the extended functionality from service provider, and wherein the first computing device is the same computing device upon which the role-based determination is made, the record that is referenced as part of that determination being stored on the first computing device, and wherein selectively transmitting a security certificate to the service provider further comprises transmitting the security certificate from the first computing device to the service provider, and wherein using the session ticket to secure communications further comprises using the session ticket to secure direct communications between the service provider and the first computing device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An authentication protocol is disclosed for use in enhancing the security of communications between software applications and Internet-based service providers. The protocol incorporates a two level authentication model based on a distribution of authentication responsibilities, wherein the application authenticates users and the service provider authenticates the application. Embodiments of the protocol incorporate public key infrastructure and digital certificate technology. Other embodiments of the present invention pertain to applying a corresponding protocol to peer-to-peer communication scenarios.

36 Citations

View as Search Results

15 Claims

1. A computer-implemented method for enhancing the security of communication over a network, the method comprising:
- receiving a set of authentication credentials from a user;
  
  receiving from the user a request that requires communication over the network with a remote system;
  
  applying a collection of security privileges to the set of authentication credentials to determine if the user is authorized to carry out the request wherein applying comprises applying based at least in part upon a role-based determination that involves referencing a record that assigns access privileges to various roles that can be assumed by the user;
  
  selectively transmitting a security certificate over the network to the remote system, the certificate containing a public key;
  
  receiving from the remote system a session ticket that has been encrypted with the public key;
  
  decrypting the session ticket with a corresponding private key;
  
  using the session ticket as an authenticator for subsequent communications with the remote system;
  
  wherein the remote system is a service provider configured to extend the functionality of a software application by remotely providing a service, and wherein selectively transmitting therefore comprises selectively transmitting the security certificate to the service provider;
  
  wherein receiving from the user a request comprises receiving from the user a request for delivery of the service provided remotely by the service provider;
  
  wherein selectively transmitting comprises transmitting only when the collection of security privileges indicates that the user is authorized to receive the service provided remotely by the service provider;
  
  wherein using the session ticket comprises using the session ticket to secure communication associated with the service provider extending the functionality of the software application; and
  
  wherein receiving a set of authentication credentials comprises receipt of the authentication credentials by a first computing device, the first computing device being the same computing device upon which operates the software application that receives the extended functionality from service provider, and wherein the first computing device is the same computing device upon which the role-based determination is made, the record that is referenced as part of that determination being stored on the first computing device, and wherein selectively transmitting a security certificate to the service provider further comprises transmitting the security certificate from the first computing device to the service provider, and wherein using the session ticket to secure communications further comprises using the session ticket to secure direct communications between the service provider and the first computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein using the session ticket comprises using the session ticket without requiring the user to re-submit the set of authentication credentials.
  - 3. The method of claim 1, wherein using the session ticket comprises using the session ticket until it expires.
  - 4. The method of claim 1, wherein:
    - selectively transmitting a security certificate to the remote system comprises selectively transmitting a security certificate to a remote application configured to extend the functionality of a software application by providing access to information; and
      
      receiving from the user a request comprises receiving a request for access to the information.
  - 5. The method of claim 1, wherein selectively transmitting a security certificate comprises selectively transmitting a security certificate that contains an embedded indication of the identity of an entity associated with which the user is associated.
  - 6. The method of claim 1, wherein applying a collection of security privileges further comprises applying access rights that are distributed relative to a plurality of user accounts.
  - 7. The method of claim 6, wherein applying a collection of security privileges comprises applying access rights based at least in part upon a determination of which roles are assigned to a user account associated with a user.

8. A computer-implemented method for enhancing the security of communication over a network, the method comprising:
- receiving a set of authentication credentials from a user;
  
  applying a collection of security privileges to the set of authentication credentials to determine if the user is authorized to carry out a request wherein applying comprises applying based at least in part upon a role-based determination that involves referencing a record that assigns access privileges to various roles that can be assumed by the user;
  
  generating a public key and a corresponding private key;
  
  storing the private key;
  
  transmitting the public key over the network to a registration service;
  
  receiving from the registration service a security certificate that includes the public key;
  
  transmitting the security certificate over the network to an entity with which a channel of communication is desired;
  
  receiving from the entity a session ticket encrypted with the public key;
  
  decrypting the session ticket with the private key;
  
  using the session ticket as an authenticator for subsequent communications with the entity, wherein using the session ticket comprises using the session ticket as a cryptography key for encrypting or decrypting messages;
  
  wherein receiving a session ticket from the entity comprises receipt of the session ticket by a first computing device;
  
  wherein decrypting the session ticket with the private key is a function that occurs via processing executed by the first computing device;
  
  wherein using the session ticket as an authenticator further comprises using the session ticket as an authenticator for subsequent communications between the entity and the first computing device; and
  
  wherein transmitting the security certificate over the network comprises transmitting the security certificate to a service provider configured to extend the functionality of a software application by remotely providing a service.
- View Dependent Claims (9, 10, 11)
- - 9. The method of claim 8, wherein using the session ticket comprises using the session ticket to secure communications with the service provider.
  - 10. The method of claim 8, wherein transmitting the security certificate over the network comprises transmitting the certificate to a remote peer.
  - 11. The method of claim 10, wherein transmitting the security certificate over the network comprises transmitting the security ticket from a first application host to a second application host.

12. A computer-implemented method for enhancing the security of communication over a network between multiple peer application hosts, the method comprising:
- receiving a set of authentication credentials from a user;
  
  applying a collection of security privileges to the set of authentication credentials to determine if the user is authorized to carry out a request wherein applying comprises applying based at least in part upon a role-based determination that involves referencing a record that assigns access privileges to various roles that can be assumed by the user;
  
  receiving a security certificate from a first application host;
  
  transmitting the security certificate over the network to an entity with which a channel of communication is desired;
  
  generating a session ticket;
  
  encrypting the session ticket with a public key contained in the security certificate;
  
  transmitting the session ticket to the first application host;
  
  receiving a message from the first application host, the message being at least partially encrypted in accordance with the session key prior to its being encrypted with the public key;
  
  wherein said steps of receiving a security certificate, generating, encrypting, transmitting, and receiving a message are all conducted via processing by the same computing device; and
  
  wherein transmitting the security certificate over the network comprises transmitting the security certificate to a service provider configured to extend the functionality of a software application by remotely providing a service.
- View Dependent Claims (13, 14, 15)
- - 13. The method of claim 12, further comprising:
    - generating a response message;
      
      encrypting the response message; and
      
      transmitting the message to the first application host.
  - 14. The method of claim 12, further comprising authenticating the certificate.
  - 15. The method of claim 12, wherein authenticating the certificate comprises interacting with an authentication service to validate an expression of the first application host'"'"'s identity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Yeates, Anthony, Blackwood, Kirk, Bazlen, Derrick, Belvin, Timothy, O'Meara, Brendan, Dournov, Pavel, Whitlock, Donna
Primary Examiner(s)
Dada; Beemnet W

Application Number

US10/725,881
Publication Number

US 20050120214A1
Time in Patent Office

2,065 Days
Field of Search

713/156, 713/171, 713/1, 713/175, 713/155, 713/168, 726/10, 726/9, 380/277, 380/281, 380/282
US Class Current

713/171
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/102   Entity profiles

Systems and methods for enhancing security of communication over a public network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for enhancing security of communication over a public network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links