User authentication system for providing online services based on the transmission address

US 7,861,288 B2
Filed: 07/12/2004
Issued: 12/28/2010
Est. Priority Date: 07/11/2003
Status: Active Grant

First Claim

Patent Images

1. In an authentication system in which an authentication server which authenticates a user, a user terminal which transmits a user authentication information, and an application server which provides a service to the user through the user terminal are connected together to enable a communication therebetween through a network, the address based authentication system including:

the authentication server which comprisesauthentication means for authenticating a user based on the user authentication information transmitted together with a key information as an authentication request from the user terminal, the key information representing a public key K_PUof the user terminal;

an address allocating means for allocating an address to the user terminal for a successful authentication of the user;

generating means for generating information-for-authentication using at least the allocated address;

a ticket issuing means for issuing a ticket containing the allocated address, the key information which is received from the user terminal and the information-for-authentication;

and a ticket transmitting means for transmitting the ticket issued by the ticket issuing means to the user terminal;

the user terminal which has a pair of the public key K_PUand a private key K_SUand comprises;

transmitting means for transmitting the user authentication information and the key information to the authentication server for purpose of an authentication request;

a ticket reception means for receiving the ticket which contains the allocated address, the key information and the information-for-authentication and which is transmitted from the authentication server;

means for setting up the allocated address contained in the ticket as a source address for each packet which is to be transmitted from the user terminal to the application server;

a first session key generating means for calculating a first session secret key which is shared with the application server, from the private key K_SUof the user terminal and a public key K_PSof the application server;

a packet cryptographic processing means for processing each packet to be transmitted to the application server by the first session secret key to guarantee that there is no forgery in each packet;

means for transmitting a first packet including the ticket to the application server for establishing a session; and

a service request means for transmitting a second packet requesting the service to the application server through the session;

and the application server which has a pair of the public key K_PSand a private key K_SSand comprises;

a second session key generating means for calculating a second session secret key which is shared with the user terminal, from the private key K_SSof the application server and the public key K_PUof the user terminal;

a packet verifying means for confirming whether or not each packet received from the user terminal is forged using the second session secret key;

a ticket memory means for storing the ticket transmitted from the user terminal;

ticket verifying means for verifying the presence or absence of any forgery in the information-for-authentication in the ticket transmitted from the user terminal to determine if the allocated address contained in the ticket is forged or not and preventing the ticket from being stored in the ticket memory means in the presence of a forgery and further verifying whether or not the key information contained in the ticket in the first packet, which has been verified as not being forged, is the key information representing the public key K_PUof the user terminal, and if not, prevent the ticket from being stored in the ticket memory means;

an address comparison means for determining whether or not the allocated address contained in the ticket which is stored in the ticket memory means coincides with the source address of the second packet which is transmitted from the user terminal through the session; and

a service providing means for transmitting to the user terminal packets which provide the service to the user when a coincidence between the addresses is determined by the address comparison means.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An address allocated to a user by an authentication server is used as an IP address of a packet which is transmitted from a user terminal, preventing an illicit use if the IP address were eavesdropped. An authentication server 100 performs an authentication of a user based on a user authentication information which is transmitted from the user terminal, and upon a successful authentication, allocates an address to the user terminal, and issues a ticket containing the address to be returned to the user terminal. The user terminal sets up the address contained in the ticket as a source address, and transmits the ticket to the application server 300, requesting a session to be established. After verifying that the ticket is authentic, the server 300 stores the ticket and establishes a session with the user terminal. The user terminal transmits a service request packet containing the source address to the server 300 utilizing the session. If the source address coincides with the address contained in the stored ticket, the server 300 provides a service to the user.

Citations

11 Claims

1. In an authentication system in which an authentication server which authenticates a user, a user terminal which transmits a user authentication information, and an application server which provides a service to the user through the user terminal are connected together to enable a communication therebetween through a network, the address based authentication system including:
- the authentication server which comprisesauthentication means for authenticating a user based on the user authentication information transmitted together with a key information as an authentication request from the user terminal, the key information representing a public key K_PUof the user terminal;
  
  an address allocating means for allocating an address to the user terminal for a successful authentication of the user;
  
  generating means for generating information-for-authentication using at least the allocated address;
  
  a ticket issuing means for issuing a ticket containing the allocated address, the key information which is received from the user terminal and the information-for-authentication;
  
  and a ticket transmitting means for transmitting the ticket issued by the ticket issuing means to the user terminal;
  
  the user terminal which has a pair of the public key K_PUand a private key K_SUand comprises;
  
  transmitting means for transmitting the user authentication information and the key information to the authentication server for purpose of an authentication request;
  
  a ticket reception means for receiving the ticket which contains the allocated address, the key information and the information-for-authentication and which is transmitted from the authentication server;
  
  means for setting up the allocated address contained in the ticket as a source address for each packet which is to be transmitted from the user terminal to the application server;
  
  a first session key generating means for calculating a first session secret key which is shared with the application server, from the private key K_SUof the user terminal and a public key K_PSof the application server;
  
  a packet cryptographic processing means for processing each packet to be transmitted to the application server by the first session secret key to guarantee that there is no forgery in each packet;
  
  means for transmitting a first packet including the ticket to the application server for establishing a session; and
  
  a service request means for transmitting a second packet requesting the service to the application server through the session;
  
  and the application server which has a pair of the public key K_PSand a private key K_SSand comprises;
  
  a second session key generating means for calculating a second session secret key which is shared with the user terminal, from the private key K_SSof the application server and the public key K_PUof the user terminal;
  
  a packet verifying means for confirming whether or not each packet received from the user terminal is forged using the second session secret key;
  
  a ticket memory means for storing the ticket transmitted from the user terminal;
  
  ticket verifying means for verifying the presence or absence of any forgery in the information-for-authentication in the ticket transmitted from the user terminal to determine if the allocated address contained in the ticket is forged or not and preventing the ticket from being stored in the ticket memory means in the presence of a forgery and further verifying whether or not the key information contained in the ticket in the first packet, which has been verified as not being forged, is the key information representing the public key K_PUof the user terminal, and if not, prevent the ticket from being stored in the ticket memory means;
  
  an address comparison means for determining whether or not the allocated address contained in the ticket which is stored in the ticket memory means coincides with the source address of the second packet which is transmitted from the user terminal through the session; and
  
  a service providing means for transmitting to the user terminal packets which provide the service to the user when a coincidence between the addresses is determined by the address comparison means.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The authentication system according to claim 1the application server further comprisingan address collating means for collating the allocated address in the ticket transmitted from the user terminal against the source address of the first packet which includes the ticket and for preventing the ticket from being stored in the ticket memory means if a coincidence is not found.
  - 3. The authentication system according to claim 1 in which the authentication server comprises a user identifier allocating means for allocating a user identifier which corresponds to the authenticated user in response to the authentication request for a successful authentication of the user,the ticket issuing means being configured to issue the ticket inclusive of the user identifier.
  - 4. The authentication system according claim 1in which the authentication information generating means of the authentication server is configured to process the information including the allocated address with a shared secret key which is shared beforehand between the authentication server and the application server,the ticket verifying means of the application server is configured to further verify the information-for-authentication contained in the ticket using a shared secret key which is beforehand shared between the authentication server and the application server.
  - 5. The system according to claim 1, in which the authentication server has a secret key and a public key for a digital signature,and said ticket issuing means comprises:
    - an authentication information generating means for computing a digital signature on the information including at least the allocated address using the secret key for the digital signature to produce the information for authentication so that the application server can verify the presence or absence of any forgery in the information for authentication in the ticket using the public key of the authentication server.

6. An application server in an authentication system in which an authentication of a user utilizing a user terminal is performed by an authentication server and a request to provide a service is made to an application server on the basis of the authentication, comprisinga session establishing means for establishing a session with a user terminal in response to a reception of a session establishment request packet containing a ticket from the user terminal, said ticket containing an address allocated by the authentication server to the user terminal, a key information representing a public key K_PUof the user terminal and information-for-authentication generated by the authentication server using at least the allocated address;
- a ticket memory means in which the ticket transmitted from the user terminal is stored;
  
  an address comparison means to which a source address of a service request packet which is transmitted from the user terminal and received through the established session is input and which determines whether or not the source address coincides with an allocated address of the user terminal contained in the ticket stored in the ticket memory means; and
  
  a service providing means which provides a service to the user terminal when the output of the address comparison means indicates a coincidence,wherein said session establishing means comprises a ticket verifying means for verifying authenticity of the ticket, which is received from the user terminal for establishing the session, by checking the information-for-authentication contained in the ticket to determine if the allocated address contained in the ticket is forged or not and preventing the ticket from being stored in the ticket memory means when verification is not successful, and further verifying whether or not the key information contained in the ticket in the first packet, which has been verified as not being forged, is the key information representing the public key K_PUof the user terminal, and if not, prevent the ticket from being stored in the ticket memory means.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The application server according to claim 6, further comprisinga session key generating means for calculating a session secret key which is shared with the user terminal from a private key of the application server and a public key of the user terminal;
    - and a packet verifying means for verifying whether or not the session establishment request packet received from the user terminal is forged using the session secret key and for preventing the ticket from being stored in response to a verification output indicating the presence of a forgery.
  - 8. The application server according to claim 7 in which the ticket verifying means comprises collating means for verifying, when the received session establishment request packet has been verified by the packet verifying means as not forged, whether or not key information contained in the ticket corresponds to the public key of the user terminal which has been used in the calculation of the session secret key.
  - 9. The application server according to claim 6 in which the ticket verifying means comprises terminal authenticating means to which an authentication purpose shared secret key which is shared with the user terminal and a random number which changes each time a session is established are input and which processes the random number using the authentication purpose shared secret key, collates a result of the processing against a key information in the ticket and verifies the authenticity of the ticket by seeing whether or not a matching between the result of processing and the key information applies.
  - 10. An application server according to claim 6 in which the ticket verifying means comprises means for verifying whether or not the source address of the received session establishment request packet coincides with the allocated address contained in the ticket within the session establishment request packet and for preventing the ticket from being stored in response to a detection output which indicates a non-coincidence.

11. A non-transitory computer readable storage medium having stored thereon an application server program for programming a computer to function as an application server in an authentication system in which an authentication of a user utilizing a user terminal is performed by an authentication server and a request to provide a service is made by the user terminal to the application server on the basis of the authentication, the application server comprising:
- a session establishing means for establishing a session with a user terminal in response to a reception of a session establishment request packet containing a ticket from the user terminal, said ticket containing an address allocated by the authentication server to the user terminal, a key information representing a public key K_PUof the user terminal and information-for-authentication generated by the authentication server using at least the allocated address;
  
  a ticket memory means in which the ticket transmitted from the user terminal is stored;
  
  an address comparison means to which a source address of a service request packet which is transmitted from the user terminal and received through the established session is input and which determines whether or not the source address coincides with an allocated address of the user terminal contained in the ticket stored in the ticket memory means; and
  
  a service providing means which provides a service to the user terminal when the output of the address comparison means indicates a coincidence,wherein said session establishing means comprises a ticket verifying means for verifying authenticity of the ticket, which is received from the user terminal for establishing the session, by checking the information-for-authentication contained in the ticket to determine if the allocated address contained in the ticket is forged or not and preventing the ticket from being stored in the ticket memory means when verification is not successful and further verifying whether or not the key information contained in the ticket in the first packet, which has been verified as not being forged, is the key information representing the public key K_PUof the user terminal, and if not, prevent the ticket from being stored in the ticket memory means.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nippon Telegraph and Telephone Corporation
Original Assignee
Nippon Telegraph and Telephone Corporation
Inventors
Kikuchi, Yoshinao, Mizuno, Shintaro, Takahashi, Kenji, Karasawa, Kei, Tsuruoka, Yukio
Primary Examiner(s)
Korzuch; William R
Assistant Examiner(s)
Vaughan; Michael R

Application Number

US10/534,541
Publication Number

US 20060048212A1
Time in Patent Office

2,360 Days
Field of Search

370/352, 380/277, 709/204, 709/219, 709/223, 709/225, 709/227, 709/229, 713/168, 726/3, 726/5
US Class Current

726/10
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 9/0866   involving user or device id...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3271   using challenge-response

User authentication system for providing online services based on the transmission address

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

User authentication system for providing online services based on the transmission address

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links