Encryption key updating for multiple site automated login

US 7,660,422 B2
Filed: 05/24/2005
Issued: 02/09/2010
Est. Priority Date: 06/15/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

receiving, by an authentication server, authentication information of a user;

encrypting, by the authentication server, a first ticket including the authentication information with a first key of a first affiliated server, the first affiliated server having first authentication requirements;

encrypting, by the authentication server, a second ticket including the authentication information with a second key of a second affiliated server, the second affiliated server having second authentication requirements that are different from the first authentication requirements;

providing, by the authentication server, the first ticket to the first affiliated server to authenticate the user to the first affiliated server;

providing, by the authentication server, the second ticket to the second affiliated server to authenticate the user to the second affiliated server;

refreshing the authentication information of the user, wherein the first ticket and the second ticket each include;

(1) a first timestamp corresponding to when the user last manually entered the authentication information and (2) a second timestamp corresponding towhen the authentication server last refreshed the authentication information of the user;

generating a third key to replace the first key as a current key for the first affiliated server, the first key and the third key being concurrently valid for the first affiliated server for a coexistence period,wherein the first key and the second key each include key data and executable code for decrypting the first ticket and the second ticket, respectively;

encrypting the first ticket with the third key; and

providing the first ticket encrypted with the third key to the first affiliated server to re-authenticate the user to the first affiliated server without requiring the user to reenter the authentication information to the authentication server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A version number is associated with an encrypted key executable to allow real time updating of keys for a system which facilitates users signing on to multiple websites on different domains using an encrypted ticket. Two keys may be used at each site during updating of keys, each having an associated one digit Hex version tag. When a key is to be updated with a new key, the existing or old key is provided an expiration time. A second key is provided from the system in a secure manner with a new version number and made the current key which provides decryption of the encrypted ticket. The system tracks both keys while they are concurrent. After the existing key expires, only the second, or updated key is used to provide login services for users. The system periodically flushes old keys.

34 Citations

View as Search Results

14 Claims

1. A method, comprising:
- receiving, by an authentication server, authentication information of a user;
  
  encrypting, by the authentication server, a first ticket including the authentication information with a first key of a first affiliated server, the first affiliated server having first authentication requirements;
  
  encrypting, by the authentication server, a second ticket including the authentication information with a second key of a second affiliated server, the second affiliated server having second authentication requirements that are different from the first authentication requirements;
  
  providing, by the authentication server, the first ticket to the first affiliated server to authenticate the user to the first affiliated server;
  
  providing, by the authentication server, the second ticket to the second affiliated server to authenticate the user to the second affiliated server;
  
  refreshing the authentication information of the user, wherein the first ticket and the second ticket each include;
  
  (1) a first timestamp corresponding to when the user last manually entered the authentication information and (2) a second timestamp corresponding towhen the authentication server last refreshed the authentication information of the user;
  
  generating a third key to replace the first key as a current key for the first affiliated server, the first key and the third key being concurrently valid for the first affiliated server for a coexistence period,wherein the first key and the second key each include key data and executable code for decrypting the first ticket and the second ticket, respectively;
  
  encrypting the first ticket with the third key; and
  
  providing the first ticket encrypted with the third key to the first affiliated server to re-authenticate the user to the first affiliated server without requiring the user to reenter the authentication information to the authentication server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the refreshing comprises silently refreshing the authentication information of the user.
  - 3. The method of claim 2, wherein the first and second authentication requirements each include either a maximum time since a last logon and entry of authentication information by the user or a maximum time since a refresh of the authentication information.
  - 4. The method of claim 1, wherein the refreshing comprises refreshing the authentication information of the user including requiring the user to manually re-enter at least a part of the authentication information.
  - 5. The method of claim 1, further comprising setting a time for the first key when the first key is no longer accepted by the first affiliated server, wherein the time is set to a reauthorization time determined by the first affiliated server.
  - 6. The method of claim 1, wherein each key is encrypted for decoding at one affiliated server.
  - 7. The method of claim 1, further comprising generating a configuration file to track keys for each affiliated server.
  - 8. The method of claim 1, wherein the keys are encrypted using a hardware address.

9. An article of manufacture, comprising:
- computer-readable non transitory storage media; and
  
  a plurality of executable instructions stored on the computer-readable non transitory storage media which, when executed by an authentication server, case the authentication server to;
  
  receive authentication information of a user;
  
  encrypt a first ticket including the authentication information with a first key of a first affiliated server, the first affiliated server having first authentication requirements;
  
  encrypt a second ticket including the authentication information with a second key of a second affiliated server, the second affiliated server having second authentication requirements that are different from the first authentication requirements;
  
  provide the first ticket to the first affiliated server to authenticate the user to the first affiliated server;
  
  provide the second ticket to the second affiliated server to authenticate the user to the second affiliated server;
  
  refresh the authentication information of the user, wherein the first ticket and the second ticket each include;
  
  (1) a first timestamp corresponding to when the user last manually entered the authentication information and (2) a second timestamp corresponding to when the authentication server last refreshed the authentication information of the user;
  
  generate a third key to replace the first key as a current key for the first affiliated server, the first key and the third key being concurrently valid for the first affiliated server for a coexistence period,wherein the first key and the second key each include key data and executable code for decrypting the first ticket and the second ticket, respectively;
  
  encrypt the first ticket with the third key; and
  
  provide the first ticket encrypted with the third key to the first affiliated server to re-authenticate the user to the first affiliated server without requiring the user to reenter the authentication information to the authentication server.
- View Dependent Claims (10, 11, 12)
- - 10. The article of claim 9, wherein the refresh the authentication information of the user comprises silently refreshing the authentication information of the user.
  - 11. The article of claim 9, wherein the refresh the authentication information of the user comprises requiring the user to manually re-enter at least a part of the authentication information.
  - 12. The article of claim 9, wherein the instructions, when executed, further cause the authentication server to set a time for the first key when the first key is no longer accepted by the first affiliated server, wherein the time is set to a reauthorization time determined by the first affiliated server.

13. An authentication server, comprising:
- a processor; and
  
  logic configured to be operated by the processor to perform operations including;
  
  receiving authentication information of a user;
  
  encrypting a first ticket including the authentication information with a first key of a first affiliated server, the first affiliated server having first authentication requirements;
  
  encrypting a second ticket including the authentication information with a second key of a second affiliated server, the second affiliated server having second authentication requirements that are different from the first authentication requirements,wherein the first ticket and the second ticket each include;
  
  (1) a first timestamp corresponding to when the user last manually entered the authentication information and (2) a second timestamp corresponding to when the authentication server last refreshed the authentication information of the user;
  
  providing the first ticket to the first affiliated server to authenticate the user to the first affiliated server;
  
  providing the second ticket to the second affiliated server to authenticate the user to the second affiliated server;
  
  generating a third key to replace the first key as a current key for the first affiliated server, the first key and the third key being concurrently valid for the first affiliated server for a coexistence period,wherein the first key and the second key each include key data and executable code for decrypting the first ticket and the second ticket, respectively;
  
  encrypting the first ticket with the third key; and
  
  providing the first ticket encrypted with the third key to the first affiliated server to re-authenticate the user to the first affiliated server without requiring the user to reenter the authentication information to the authentication server.
- View Dependent Claims (14)
- - 14. The authentication server of claim 13, wherein the first and second authentication requirements each include either a maximum time allowed since a last manual entry of the authentication information or a maximum time since a last refresh of the authentication information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Kunins, Jeff C., Mitchell, Christopher E., Metral, Max E.
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
PATEL, NIRAV B

Application Number

US11/136,156
Publication Number

US 20050235345A1
Time in Patent Office

1,722 Days
Field of Search

380277-286, 380/44, 380/45, 713/172, 713/189, 713/187, 713/190, 713/193, 726 5- 10, 726 18- 20, 705 55- 59, 705/64, 705/65, 705/71, 705/76, 709223-225, 709/229
US Class Current

380/286
CPC Class Codes

H04L 63/068   using time-dependent keys, ...

H04L 63/0815   providing single-sign-on or...

H04L 9/083   involving central third par...

H04L 9/0891   Revocation or update of sec...

H04L 9/3213   using tickets or tokens, e....

Encryption key updating for multiple site automated login

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

Encryption key updating for multiple site automated login

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others