Remotable information cards

US 8,151,324 B2
Filed: 04/29/2008
Issued: 04/03/2012
Est. Priority Date: 03/16/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A system, comprising:

an untrusted client, wherein the untrusted client is a machine whose security cannot be trusted;

an identity provider operative to receive a selection of an information card from a user of the untrusted client and to issue a security token generated using the selected information card;

a relying party to authenticate said user of the untrusted client using said security token and to allow access to a resource on the relying party; and

an accessor function to interface between the untrusted client and the relying party, where the accessor function is operative to invoke a card selector on the untrusted client on behalf of the relying party and the accessor function is on a separate machine from the untrusted client, the identity provider, and the relying party.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An accessor function interfaces among a client, a relying party, and an identity provider. The identity provider can “manage” personal (i.e., self-asserted) information cards on behalf of a user, making the personal information cards available on clients on which the personal information cards are not installed. The client can be an untrusted client, vulnerable to attacks such as key logging, screen capture, and memory interrogation. The accessor function can also asked as a proxy for the relying party in terms of invoking and using the information cards system, for use with legacy relying parties.

167 Citations

22 Claims

1. A system, comprising:
- an untrusted client, wherein the untrusted client is a machine whose security cannot be trusted;
  
  an identity provider operative to receive a selection of an information card from a user of the untrusted client and to issue a security token generated using the selected information card;
  
  a relying party to authenticate said user of the untrusted client using said security token and to allow access to a resource on the relying party; and
  
  an accessor function to interface between the untrusted client and the relying party, where the accessor function is operative to invoke a card selector on the untrusted client on behalf of the relying party and the accessor function is on a separate machine from the untrusted client, the identity provider, and the relying party.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A system according to claim 1, wherein the relying party is a legacy relying party.
  - 3. A system according to claim 1, wherein the identity provider is operative to require a user of the untrusted client to authenticate himself before the identity provider releases any sensitive information.
  - 4. A system according to claim 3, wherein the identity provider is further operative to require said user of the untrusted client to authenticate himself using an out-of-band authentication mode before the identity provider releases any sensitive information.
  - 5. A system according to claim 1, wherein the accessor function is operative to require a user of the untrusted client to authenticate himself to the accessor function.
  - 6. A system according to claim 5, wherein the accessor function is further operative to require a user of the untrusted client to authenticate himself to the accessor function using an out-of-band authentication mode.
  - 7. A system according to claim 1, wherein the identity provider is operative to transmit to the untrusted client a security token generated using said selected information card.
  - 8. A system according to claim 7, wherein:
    - said selected information card is a personal information card; and
      
      the identity provider is further operative to manage said personal information card on behalf of a user of the untrusted client.
  - 9. A system according to claim 8, wherein the identity provider is further operative to transmit an image of at least one information card to the untrusted client.
  - 10. A system according to claim 7, wherein the untrusted client is coupled to a data store to store a reference to said selected information card.
  - 11. A system according to claim 1, further comprising a secure data store coupled to the untrusted client to securely store a selected information card.

12. A method, comprising:
- requesting access to a resource of a relying party from an untrusted client;
  
  receiving a request on the untrusted client to invoke a card selector from an accessor function, wherein the accessor function interfaces between the untrusted client and the relying party, and the accessor function is on a separate machine from the untrusted client, an identity provider, and the relying party;
  
  invoking the card selector on the untrusted client by the accessor function;
  
  authenticating a user of the untrusted client at the identity provider;
  
  transmitting from the untrusted client to the identity provider a selection of an information card from the user of the untrusted client via the card selector;
  
  receiving at the untrusted client a security token from the identity provider, the security token generated from the selected information card;
  
  transmitting the security token from the untrusted client to the relying party via the accessor function; and
  
  gaining access to the resource of the relying party by the untrusted client after authentication of the user by the relying party using the security token.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. A method according to claim 12, wherein authenticating the user of the untrusted client to an identity provider includes authenticating the user of the untrusted client to the identity provider using an out-of-band authentication mode.
  - 14. A method according to claim 12, wherein authenticating a user of the untrusted client at the identity provider includes authenticating the user of the untrusted client to the accessor function.
  - 15. A method according to claim 14, wherein authenticating the user of the untrusted client to the accessor function includes authenticating the user of the untrusted client to the accessor function using an out-of-band authentication mode.
  - 16. A method according to claim 12, further comprising requesting a list of information cards available at the untrusted client.
  - 17. A method according to claim 16, wherein requesting a list of information cards available at the untrusted client includes requesting the list of information cards available at the untrusted client from the identity provider.
  - 18. A method according to claim 17, wherein requesting the list of information cards available at the untrusted client from the identity provider includes:
    - requesting from the accessor function the list of information cards available at the untrusted client from the identity provider; and
      
      receiving from the accessor function the list of information cards available at the untrusted client from the identity provider.
  - 19. A method according to claim 17, wherein requesting the list of information cards available at the untrusted client from the identity provider includes requesting the list of information cards available at the untrusted client from a the identity provider, the list of information cards including a personal information card managed by the identity provider.
  - 20. A method according to claim 12, wherein transmitting from the untrusted client to the identity provider a selection of an information card from the user of the untrusted client via the card selector includes requesting the security token from the identity provider.
  - 21. A method according to claim 16, wherein requesting a list of information cards available at the untrusted client includes accessing the list of information cards available at the untrusted client from a data store coupled to the untrusted client.
  - 22. A method according to claim 21, further comprising requesting the security token from the identity provider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Burch, Lloyd Leon, Sanders, Daniel S., Hodgkinson, Andrew A., Carter, Stephen R.
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
HERZOG, MADHURI R

Application Number

US12/111,874
Publication Number

US 20090328166A1
Time in Patent Office

1,435 Days
Field of Search

726 2- 10, 713168-172, 713182-186, 709223-229
US Class Current

726/4
CPC Class Codes

G06F 21/34 involving the use of extern...

Remotable information cards

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

167 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

Remotable information cards

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

167 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others