Simple, secure login with multiple authentication providers

US 7,765,584 B2
Filed: 12/04/2006
Issued: 07/27/2010
Est. Priority Date: 02/26/2002
Status: Active Grant

First Claim

Patent Images

1. An apparatus for distributed authentication comprising:

at least one client;

at least one authentication server being communicatively coupled to said at least one client via a telecommunications network; and

an application running on said at least one client and said at least one authentication server, said application comprising a client portion and a server portion;

wherein said client portion performs a hash operation on a group of identification elements extracted via a client to generate a first hash value and sends said first hash value to a selected authentication server; and

wherein said server portion performs a same hash operation on a same group of identification elements extracted via said selected authentication server, compares said first hash value and said second hash value, and distributes a matching result of said two hash values which indicates a successful authentication to any affiliated authentication server without central control.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure distributed single-login authentication system comprises a client and a server. The client collects a user name and password from a user and tests that user name and password at a variety of potential authentication servers to check where the login is valid. It combines the password with a time varying salt and a service specific seed in a message digesting hash and generates a first hash value. The client sends the hash value along with the user name and the time varying salt to a currently selected server. The server extracts the user name and looks up an entry under the user name from the selected server'"'"'s database. If an entry is found, it retrieves the password and performs the same hash function on the combination of the user name, the service specific seed, and the retrieved password to generate a second hash value. Then, it compares two hash values. If these two values match, the user is authenticated. In this way, the system never sufficiently reveals the password to authentication agents that might abuse the information.

129 Citations

View as Search Results

13 Claims

1. An apparatus for distributed authentication comprising:
- at least one client;
  
  at least one authentication server being communicatively coupled to said at least one client via a telecommunications network; and
  
  an application running on said at least one client and said at least one authentication server, said application comprising a client portion and a server portion;
  
  wherein said client portion performs a hash operation on a group of identification elements extracted via a client to generate a first hash value and sends said first hash value to a selected authentication server; and
  
  wherein said server portion performs a same hash operation on a same group of identification elements extracted via said selected authentication server, compares said first hash value and said second hash value, and distributes a matching result of said two hash values which indicates a successful authentication to any affiliated authentication server without central control.
- View Dependent Claims (2, 3)
- - 2. The apparatus of claim 1, wherein said group of identification elements comprises:
    - entered user name and password; and
      
      a service specific seed unique to an authentication server selected from said at least one authentication server.
  - 3. The apparatus of claim 2, wherein said group of identification elements further comprises:
    - a time stamp generated at said client when said user name and password were entered.

4. An apparatus for distributed authentication comprising:
- at least one client;
  
  at least one authentication server being communicatively coupled to said at least one client via a telecommunications network;
  
  an application running on said at least one client and said at least one authentication server, said application comprising a client portion and a server portion;
  
  wherein said client portion comprises;
  
  means for taking and parsing an entered user name and password;
  
  means for combining said password and a service specific seed unique to an authentication server selected from said at least one authentication server;
  
  means for applying a hash algorithm to said combination to generate a first hash value;
  
  means for finding an address representing said selected authentication server;
  
  means for sending a data packet to said selected authentication server, said data packet comprising said user name and said first hash value; and
  
  means for iterating said at least one authentication server to find a correct authentication server; and
  
  wherein said server portion comprises;
  
  means for extracting said user name and said first hash value from said data packet;
  
  means for checking and retrieving said user'"'"'s password from said selected authentication server'"'"'s database;
  
  means for combining said retrieved password and said service specific seed unique to said selected authentication server;
  
  means for applying said hash algorithm to said combination completed in said server portion to generate a second hash value;
  
  means for comparing said first hash value and said second hash value, wherein a matching result of said two hash values indicates a successful authentication; and
  
  means for caching and distributing said positive authentication result to any affiliated authentication server without central control.

5. In a computerized network comprising at least one client and a plurality of authentication servers, said client and said authentication servers being communicatively coupled to each other via a global telecommunications network, a distributed authentication system comprising:
- a client; and
  
  a server;
  
  wherein said client comprises;
  
  means for taking and parsing an entered user name and password;
  
  means for generating a time stamp;
  
  means for combining said password and a service specific seed unique to an authentication server selected from a list of authentication servers;
  
  means for applying a hash algorithm to said combination and said time stamp to generate a first hash value;
  
  means for finding an address representing said selected authentication server;
  
  means for sending a data packet to said selected authentication server, said data packet comprising said user name, said time stamp, and said first hash value; and
  
  means for iterating said list of authentication servers to find a correct authentication server; and
  
  wherein said server comprises;
  
  means for extracting said user name, said time stamp, and said first hash value from said data packet;
  
  means for checking and retrieving said user'"'"'s password from said selected authentication server'"'"'s database;
  
  means for combining said time stamp, said retrieved password and said service specific seed unique to said selected authentication server;
  
  means for applying said hash algorithm to said combination completed in said server portion to generate a second hash value;
  
  means for comparing said first hash value and said second hash value, wherein a matching result of said two hash values indicates a successful authentication;
  
  means for caching and distributing said positive authentication result to any affiliated server without central control.
- View Dependent Claims (6, 7, 8)
- - 6. The distributed authentication system of claim 5, wherein said hash algorithm is a message digesting (MD) algorithm or its equivalent.
  - 7. The distributed authentication system of claim 5, wherein said service specific seed is a domain name of said selected authentication server.
  - 8. The distributed authentication system of claim 5, wherein said means for finding an address representing said selected authentication server comprises:
    - means for looking up a local mapping list; and
      
      means for consulting to a domain name system (DNS).

9. In a computerized network which is registered with a unique domain name, said network comprising at least one client and a plurality of authentication servers, said client and said authentication servers being communicatively coupled to each other via a global telecommunications network, each of said authentication servers having a fully qualified domain name (FQDN) which is a local host name with said unique domain name appended, a distributed authentication system for providing distributed authentication service, wherein a given user enters a global user identification (GUID) and a password for authentication to be carried out at a target authentication server, said GUID comprising a user name, a delimitation symbol, and a domain which is same as said local host name of said target authentication server, said distributed authentication system comprising:
- a client; and
  
  a server;
  
  wherein said client comprises;
  
  means for parsing an entered GUID and extracting said domain therefrom;
  
  means for appending said unique domain to said domain to form a fully qualified domain name (FQDN) for said target authentication server;
  
  means for translating said FQDN to an address representing said target authentication server;
  
  means for generating a time stamp;
  
  means for combining said password and a service specific seed unique to said target authentication server;
  
  means for applying a hash algorithm to said combination and said time stamp to generate a first hash value; and
  
  means for sending a data packet to said target authentication server, said data packet comprising said first hash value, said user name, and said time stamp;
  
  and wherein said server comprises;
  
  means for extracting said first hash value, said user name, and said time stamp from said data packet received from said client;
  
  means for checking and retrieving said user'"'"'s password from said target authentication server'"'"'s database;
  
  means for combining said time stamp, said retrieved password, and said service specific seed unique to said target authentication server;
  
  means for applying said hash algorithm to said combination completed in said server portion to generate a second hash value;
  
  means for comparing said first hash value and said second hash value, wherein a matching result of said two hash values indicates a successful authentication; and
  
  means for caching and distributing said positive authentication result to any of said plurality of authentication servers without central control.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The distributed authentication system of claim 9, wherein said hash algorithm is a message digesting (MD) algorithm or its equivalent.
  - 11. The distributed authentication system of claim 9, wherein said service specific seed is a domain name of said target authentication server.
  - 12. The distributed authentication system of claim 9, wherein said means for translating said FQDN comprises:
    - means for looking up said FQDN from a local mapping list; and
      
      means for looking up said FQDN from a domain name system (DNS).
  - 13. The distributed authentication system of claim 9, further comprising:
    - means for automatically mapping any unrecognized FQDN into a default server which carries out authentication on said user'"'"'s authentication request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Meta Platforms, Inc. (f/k/a Facebook, Inc.)
Original Assignee
AOL Inc. (Apollo Global Management, Inc.)
Inventors
Roskind, James
Primary Examiner(s)
ZIA, SYED

Application Number

US11/566,648
Publication Number

US 20070169181A1
Time in Patent Office

1,331 Days
Field of Search

None
US Class Current

726/5
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2151   Time stamp

H04L 2463/102   applying security measure f...

H04L 61/4511   using domain name system [DNS]

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 9/3226   using a predetermined code,...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3271   using challenge-response

Simple, secure login with multiple authentication providers

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

129 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Simple, secure login with multiple authentication providers

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

129 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links