Systems and methods for controlling access to a public data network from a visited access provider

US 8,191,128 B2
Filed: 11/26/2004
Issued: 05/29/2012
Est. Priority Date: 11/28/2003
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to a data network from a visited access provider, comprisingthe visited access provider receiving from a client device a message indicative of a request to access the data network;

the visited access provider supporting a temporary connection between the client device and a credit provider, the temporary connection comprising a transmission of substitute user credentials from the credit provider in response to transmission of original user credentials from the client device, wherein supporting the temporary connection further comprises redirecting the client device to the credit provider in response to receiving data indicative of the credit provider from the client device;

the visited access provider receiving the substitute user credentials from the client device;

the visited access provider communicating the substitute user credentials to the credit provider to authenticate the client device;

responsive to successful authentication of the client device by the credit provider on the basis of the substitute user credentials, the visited access provider authorizing the client device to access the data network;

wherein the temporary connection is secured to prevent the visited access provider from determining the original user credentials transmitted by the client device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

To allow a user to access a public data network from a region of service operated by a visited access provider, the visited provider is supplied with an identity of a credit provider. The user is redirected to the credit provider, resulting in establishment of a temporary connection with the credit provider. During this temporary connection, the user supplies original user credentials and, in return, receives substitute user credentials if the original user credentials are valid. The substitute user credentials are supplied to the visited provider, which proceeds to have the user authenticated by the credit provider on the basis of the substitute user credentials. In this way, the visited provider authenticates the user with the credit provider before allowing the user to access the public data network, but a secure exchange of the original user credentials between the user and the credit provider prevents unauthorized access to this information by the visited provider.

31 Citations

View as Search Results

49 Claims

1. A method of controlling access to a data network from a visited access provider, comprisingthe visited access provider receiving from a client device a message indicative of a request to access the data network;
- the visited access provider supporting a temporary connection between the client device and a credit provider, the temporary connection comprising a transmission of substitute user credentials from the credit provider in response to transmission of original user credentials from the client device, wherein supporting the temporary connection further comprises redirecting the client device to the credit provider in response to receiving data indicative of the credit provider from the client device;
  
  the visited access provider receiving the substitute user credentials from the client device;
  
  the visited access provider communicating the substitute user credentials to the credit provider to authenticate the client device;
  
  responsive to successful authentication of the client device by the credit provider on the basis of the substitute user credentials, the visited access provider authorizing the client device to access the data network;
  
  wherein the temporary connection is secured to prevent the visited access provider from determining the original user credentials transmitted by the client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method defined in claim 1, wherein receiving from the client device the message indicative of the request to access the data network comprises receiving an identity of a Web page attempted to be accessed by a browser on the client device.
  - 3. The method defined in claim 1, further comprising, prior to supporting:
    - identifying to the client device at least one candidate credit provider including said credit provider.
  - 4. The method defined in claim 3, wherein supporting is performed responsive to receipt from the client device of data indicative of a selected one of the at least one candidate credit provider.
  - 5. The method defined in claim 1, wherein supporting is performed responsive to receipt from the client device of data indicative of the credit provider.
  - 6. The method defined in claim 5, further comprising:
    - causing the client device to establish the temporary connection with the credit provider.
  - 7. The method defined in claim 5, further comprising:
    - causing the client device to establish the temporary connection with the credit provider over the data network.
  - 8. The method defined in claim 7, wherein causing the client device to establish the temporary connection with the credit provider over the data network comprises redirecting the client device to an Internet Protocol (IP) address associated with the credit provider.
  - 9. The method defined in claim 7, further comprising:
    - terminating the temporary connection after the transmission of a pre-determined amount of data over the temporary connection.
  - 10. The method defined in claim 7, further comprising:
    - terminating the temporary connection after a pre-determined duration.
  - 11. The method defined in claim 7, further comprising:
    - responsive to unsuccessful authentication of the client device by the credit provider on the basis of the substitute credentials, communicating to the client device an indication of the unsuccessful authentication.
  - 12. The method defined in claim 11, wherein the original user credentials comprise a user name, a realm and a password.
  - 13. The method defined in claim 11, wherein the original user credentials comprise a user name and a credit card number.
  - 14. The method defined in claim 11, wherein the original user credentials comprise an account number and a personal identification number.
  - 15. The method defined in claim 11, wherein the substitute user credentials comprise a user name and a realm.
  - 16. The method defined in claim 15, wherein the original user credentials are characterized by being indecipherable from the substitute user credentials.

17. A network, comprising:
- a network server entity adapted to receive from a client device a message indicative of a credit provider;
  
  a gateway entity adapted to support a temporary connection between the client device and the credit provider via the network server entity, the temporary connection comprising a transmission of substitute user credentials from the credit provider in response to transmission of original user credentials from the client device, the temporary connection being secured to prevent the network server entity from determining the original user credentials transmitted by the client device, wherein to support the temporary connection, the gateway is further adapted to redirect the client device to the credit provider in response to receiving the message indicative of the credit provider from the client device;
  
  the network server entity being further adapted to receive the substitute user credentials from the client device;
  
  an authentication entity adapted to communicate the substitute user credentials to the credit provider to authenticate the client device;
  
  the network server entity being further adapted to authorize the client device to access the data network in response to successful authentication of the client device by the credit provider on the basis of the substitute user credentials.
- View Dependent Claims (18)
- - 18. The network defined in claim 17, wherein the network server entity is a web server.

19. A network, comprising:
- server means for receiving from a client device a message indicative of a credit provider;
  
  means for supporting a temporary connection between the client device and the credit provider via the server means, the temporary connection comprising a transmission of substitute user credentials from the credit provider in response to transmission of original user credentials from the client device, the temporary connection being secured to prevent the server means from determining the original user credentials transmitted by the client device, wherein supporting the temporary connection further comprises redirecting the client device to the credit provider in response to receiving the message indicative of the credit provider from the client device;
  
  means for receiving the substitute user credentials from the client device;
  
  means for communicating the substitute user credentials to the credit provider to authenticate the client device;
  
  means for authorizing the client device to access the data network in response to successful authentication of the client device by the credit provider on the basis of the substitute user credentials.

20. A method of authenticating users having a business relationship with a credit provider, comprising:
- receiving original user credentials from a client device over a temporary connection that passes through a visited provider of access to a data network, the temporary connection being secured to prevent the visited provider of access from determining the original user credentials transmitted by the client device, the client device being redirected to the credit provider in response to the visited provider of access receiving a message indicative of the credit provider from the client device;
  
  sending substitute user credentials to the client device over the temporary connection, the substitute user credentials being associated with the original user credentials;
  
  receiving the substitute user credentials from the visited provider of access;
  
  authenticating the client device on the basis of the substitute user credentials;
  
  responsive to successful authentication of the client device on the basis of the substitute user credentials, indicating to the visited provider of access to the data network that the client device has been successfully authenticated.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 21. The method defined in claim 20, wherein receiving the original user credentials from the client device is effected over the data network.
  - 22. The method defined in claim 21, wherein receiving the original user credentials is effected via the visited provider of access to the data network.
  - 23. The method defined in claim 20, further comprising, between receiving the original user credentials and sending the substitute user credentials:
    - generating the substitute credentials.
  - 24. The method defined in claim 23, further comprising:
    - storing the substitute user credentials in a database in association with the original user credentials.
  - 25. The method defined in claim 24, wherein authenticating the client device on the basis of the substitute user credentials comprises accessing the database, wherein the client device is said to be successfully authenticated on the basis of the substitute user credentials if the substitute user credentials are contained in the database.
  - 26. The method defined in claim 25, further comprising, between receiving the original user credentials and sending the substitute user credentials:
    - authenticating the client device on the basis of the original user credentials.
  - 27. The method defined in claim 26, wherein authenticating the client device on the basis of the original user credentials comprises accessing a database of authorized users, wherein the client device is said to be successfully authenticated on the basis of the original user credentials if the original user credentials are contained in the database of authorized users.
  - 28. The method defined in claim 27, wherein generating the substitute credentials is performed in response to successful authentication of the client device on the basis of the original user credentials.
  - 29. The method defined in claim 23, wherein the original user credentials comprise a user name, a realm and a password.
  - 30. The method defined in claim 23, wherein the original user credentials comprise a user name and a credit card number.
  - 31. The method defined in claim 23, wherein the original user credentials comprise an account number and a personal identification number.
  - 32. The method defined in claim 23, wherein generating the substitute user credentials comprises deriving the substitute credentials from the original user credentials.
  - 33. The method defined in claim 23, wherein the substitute user credentials comprise data indicative of the substitute nature of the substitute user credentials.
  - 34. The method defined in claim 29, wherein the substitute user credentials comprise data indicative of a realm different from the realm indicated by the original user credentials.

35. A credit provider having a business relationship with a plurality of users, comprising:
- a network server entity adapted to;
  
  receive original user credentials from a client device over a temporary connection that passes through a visited provider of network access, the temporary connection being secured to prevent the visited provider of network access from determining the original user credentials transmitted by the client device, the client device being redirected to the credit provider in response to the visited provider of network access receiving a message indicative of the credit provider from the client device;
  
  send substitute user credentials to the client device over the temporary connection, the substitute user credentials being associated with the original user credentials;
  
  an authentication entity adapted to;
  
  receive the substitute user credentials from the visited provider of network access;
  
  authenticate the client device on the basis of the substitute user credentials;
  
  indicate to the visited provider of network access that the client device has been successfully authenticated in response to successful authentication of the client device on the basis of the substitute user credentials.

36. A credit provider having a business relationship with a plurality of users, comprising:
- means for receiving original user credentials from a client device over a temporary connection that passes through a visited provider of access to a data network, the temporary connection being secured to prevent the visited provider of access from determining the original user credentials transmitted by the client device, the client device being redirected to the credit provider in response to the visited provider of access to a data network receiving a message indicative of the credit provider from the client device;
  
  means for sending substitute user credentials to the client device over the temporary connection, the substitute user credentials being associated with the original user credentials;
  
  means for receiving the substitute user credentials from the visited provider of access;
  
  means for authenticating the client device on the basis of the substitute user credentials;
  
  means for responsive to successful authentication of the client device on the basis of the substitute user credentials, indicating to the visited provider of access to the data network that the client device has been successfully authenticated.

37. A method of accessing a data network from a region of service operated by a visited access provider, comprisingsupplying from a client device to the visited access provider an identity of a credit provider;
- establishing a temporary connection with the credit provider via the visited access provider, the client device being redirected to the credit provider in response to the visited access provider receiving the identity of the credit provider from the client device;
  
  receiving substitute user credentials from the credit provider during the temporary connection in response to supplying the credit provider with original user credentials provider during the temporary connection;
  
  supplying the substitute user credentials to the visited access provider for authentication of the client device by the credit provider on the basis of the substitute user credentials;
  
  wherein the temporary connection is secured to prevent the visited access provider from determining the original user credentials supplied to the credit provider.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48)
- - 38. A method defined in claim 37, wherein supplying the substitute user credentials to the visited access provider is performed automatically in response to receiving the substitute user credentials from the credit provider.
  - 39. A method defined in claim 37, wherein supplying the substitute user credentials to the visited access provider is performed without requiring user input after receiving the substitute user credentials from the credit provider.
  - 40. The method defined in claim 37, further comprising:
    - accessing the data network via the visited access provider in response to successful authentication of the client device on the basis of the substitute user credentials.
  - 41. The method defined in claim 40, further comprising, prior to supplying to the visited access provider the identity of the credit provider:
    - receiving from the visited network provider an identity of at least one candidate credit provider including the credit provider.
  - 42. The method defined in claim 41, further comprising:
    - selecting the credit provider from among the at least one candidate credit provider identified whose identity is received from the visited network provider.
  - 43. The method defined in claim 40, wherein the temporary connection is established over the data network.
  - 44. The method defined in claim 43, wherein the temporary connection is established via the visited access provider.
  - 45. The method defined in claim 44, wherein data sent to a home network during the temporary connection is encrypted at the client device and decrypted at the credit provider.
  - 46. The method defined in claim 45, wherein data sent from the home network during the temporary connection is encrypted at the credit provider and decrypted at the client device.
  - 47. The method defined in claim 37, wherein the temporary connection is a secure socket layer connection.
  - 48. The method defined in claim 37, wherein establishing the temporary connection with the credit provider comprises receiving an Internet Protocol address of the credit provider from the visited access provider and accessing the Internet Protocol address via the Internet.

49. Apparatus for accessing a data network from a region of service operated by a visited access provider, comprisingmeans for supplying from a client device to the visited access provider an identity of a credit provider;
- means for establishing a temporary connection with the credit provider via the visited access provider, the client device being redirected to the credit provider in response to the visited access provider receiving the identity of the credit provider from the client device;
  
  means for receiving substitute user credentials from the credit provider during the temporary connection in response to supplying the credit provider with original user credentials provider during the temporary connection;
  
  means for supplying the substitute user credentials to the visited access provider for authentication of the client device by the credit provider on the basis of the substitute user credentials;
  
  wherein the temporary connection is secured to prevent the visited access provider from determining the original user credentials supplied to the credit provider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
BCE Incorporated
Original Assignee
BCE Incorporated
Inventors
Nedkov, Nicolas, Wong, Spencer, Smith, Brian Norman
Primary Examiner(s)
REZA, MOHAMMAD W

Application Number

US10/996,439
Publication Number

US 20050198036A1
Time in Patent Office

2,741 Days
Field of Search

726/19, 726/27, 726/2, 726/5, 726/9, 726/10, 726/12, 713/161, 713/168, 713/182
US Class Current

726/9
CPC Class Codes

H04L 12/2856   Access arrangements, e.g. I...

H04L 12/2898   Subscriber equipments DSL m...

H04L 63/08   for authentication of entit...

H04W 12/062   Pre-authentication

H04W 48/18   Selecting a network or a co...

H04W 80/00   Wireless network protocols ...

H04W 84/12   WLAN [Wireless Local Area N...

Systems and methods for controlling access to a public data network from a visited access provider

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

31 Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for controlling access to a public data network from a visited access provider

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links