Distributed single sign-on service

US 7,690,026 B2
Filed: 08/22/2005
Issued: 03/30/2010
Est. Priority Date: 08/22/2005
Status: Active Grant

First Claim

Patent Images

1. A method performed at a computing device to provide services to at least one other computing device, the method comprising:

receiving an authentication request that includes at least a client identifier and an encrypted authentication token derived from a partial authentication token encrypted with a split key generated from a secret key known only by the computing device, the partial authentication token including the client identifier, a network address and a nonce;

attempting to decrypt the encrypted authentication token using the secret key; and

granting authenticated communication if decryption is possible with the secret key and a decrypted content of the encrypted authentication token is acceptable.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The described implementations relate to establishing authenticated communication between a client computing device and a service provider. In one implementation, once a registration procedure is complete, multiple authentication servers are used by a client computing device and a service provider to facilitate the establishment of an authenticated communication session. However, the authentication servers are not necessarily trusted authorities. That is, secrets of the various described devices are not revealed to each other.

Citations

12 Claims

1. A method performed at a computing device to provide services to at least one other computing device, the method comprising:
- receiving an authentication request that includes at least a client identifier and an encrypted authentication token derived from a partial authentication token encrypted with a split key generated from a secret key known only by the computing device, the partial authentication token including the client identifier, a network address and a nonce;
  
  attempting to decrypt the encrypted authentication token using the secret key; and
  
  granting authenticated communication if decryption is possible with the secret key and a decrypted content of the encrypted authentication token is acceptable.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method according to claim 1, wherein the encrypted authentication token includes a client identifier and a challenge.
  - 3. The method according to claim 2, wherein the client identifier identifies a client device desiring authenticated communication with the computing device to provide services to at least one other computing device.
  - 4. The method according to claim 2, wherein the challenge is supplied by the computing device to provide services to at least one other computing device attempting to decrypt the encrypted authentication token.
  - 5. The method according to claim 1, wherein the encrypted authentication token further includes a network address of a client device.

6. A method performed at an authentication server to provide authentication services, the method comprising:
- establishing a secure session with a session key if such a secure session was not established in a previous procedure;
  
  receiving a service provider ID, a challenge supplied by a service provider, and a unique ID of a client computing device seeking access to the service provider;
  
  encrypting the unique ID of the client computing device, a network address of the client computing device and the challenge supplied by the service provider using an encryption key split from a secret key unknown to the authentication server; and
  
  offering the encryption to the client computing device, the encryption usable when attempting gain access to the service provider.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The method according to claim 6, wherein the session key is generated from an authentication key, the authentication key derived from login credentials of the client computing device desiring authentication and an ID of the authentication server.
  - 8. The method according to claim 7, wherein the login credentials include a password and a user name.
  - 9. The method according to claim 6, wherein the unique ID of the client computing device desiring authentication is derived from at least a login name.
  - 10. The method according to claim 7, wherein the authentication key and the unique ID of the client computing device desiring authentication are generated by a module at the client computing device desiring authentication during an authentication procedure establishing a secure session, the authentication key and the unique ID made known to and stored by an authentication in a previous procedure.
  - 11. The method according to claim 6, wherein encrypting further includes encrypting an item or a signature of an item, the item being used to generate another session key for subsequent secure communications.
  - 12. The method according to claim 6, wherein receiving further includes receiving an item, the item will be used to generate another session key for subsequent secure communications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Chen, Tierui, Zhu, Bin, Li, Shipeng
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Wyszynski; Aubrey H

Application Number

US11/208,509
Publication Number

US 20070044143A1
Time in Patent Office

1,681 Days
Field of Search

726/8
US Class Current

726/8
CPC Class Codes

G06F 21/33   using certificates

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3271   using challenge-response

Distributed single sign-on service

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed single sign-on service

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links