Simple, secure login with multiple authentication providers
First Claim
1. An apparatus for distributed authentication comprising:
a plurality of participating authentication servers communicatively coupled in a network;
at least one client programmed for performing a hash operation on a group of identification elements extracted via a client to generate a first hash value and sending said first hash value to a selected authentication server;
wherein at least one of said participating authentication servers is communicatively coupled to said at least one client via a telecommunications network, each of said participating authentication server being programmed for;
performing a same hash operation on a same group of identification elements extracted via at least one participating authentication server to generate a second hash value; and
comparing said first hash value and said second hash value, and distributing a matching result of said two hash values which indicates a successful authentication to any other participating authentication servers without central control.
Abstract
A secure distributed single-login authentication system comprises a client and a server. The client collects authentication credentials from a user and tests credentials at a variety of potential authentication servers to check where the login is valid. It combines a password with a time-varying salt and a service-specific seed in a message digesting hash, generating a first hash value. The client sends the hash value with a user name and the time-varying salt to a selected server. The server extracts the user name and looks up the user name in the server's database. If an entry is found, it retrieves the password, performing the same hash function on the combination of user name, service-specific seed, and password to generate a second hash value, comparing the values. If the values match, the user is authenticated. Thus, the system never reveals the password to authentication agents that might abuse the information.
13 Claims
4. An apparatus for distributed authentication comprising:
at least one client programmed for;
taking and parsing an entered user name and password;
combining said password and a service specific seed unique to a selected participating authentication server;
applying a hash algorithm to said combination to generate a first hash value;
finding an address representing said selected participating authentication server;
sending a data packet to said selected authentication server, said data packet comprising said user name and said first hash value; and
iterating said at least one authentication server to find a correct authentication server; and
a plurality of participating authentication servers communicatively coupled in a network;
wherein at least one of said plurality of participating authentication servers is communicatively coupled to said at least one client via said network, each of said plurality of authentication servers being programmed for;
extracting said user name and said first hash value from said data packet;
checking and retrieving said user's password from said selected participating authentication server's database;
combining said retrieved password and said service specific seed unique to said selected participating authentication server;
applying said hash algorithm to said combination to generate a second hash value;
comparing said first hash value and said second hash value, wherein a matching result of said two hash values indicates a successful authentication; and
caching said positive authentication result and distributing said positive authentication result to any other participating authentication server without central control.
5. In a computerized network comprising at least one client and a plurality of participating authentication servers communicatively coupled by said network, said client and at least one of said participating authentication servers being communicatively coupled to each other via said network, a distributed authentication system comprising:
a client wherein said client comprises computer-readable code executing on a processing element for;
taking and parsing an entered user name and password;
means for generating a time stamp;
combining said password and a service specific seed unique to a participating authentication server selected from said plurality of participating authentication servers;
applying a hash algorithm to said combination and said time stamp to generate a first hash value;
finding an address representing said selected participating authentication server;
sending a data packet to said selected participating authentication server, said data packet comprising said user name, said time stamp, and said first hash value; and
iterating said list plurality of participating authentication servers to find a correct participating authentication server; and
wherein at least said selected participating server comprises computer-readable code executing on a processing element for;
extracting said user name, said time stamp, and said first hash value from said data packet;
checking and retrieving said user's password from said selected participating authentication server's database;
combining said time stamp, said retrieved password and said service specific seed unique to said selected participating authentication server;
applying said hash algorithm to said combination completed in said participating server portion to generate a second hash value;
comparing said first hash value and said second hash value, wherein a matching result of said two hash values indicates a successful authentication; and
means for caching said positive authentication result and distributing said positive authentication result to any participating authentication server without central control.
9. In a computerized network which is registered with a unique domain name, said network comprising at least one client and a plurality of participating authentication servers, said client and said authentication servers being communicatively coupled to each other via said network, each of said participating authentication servers having a fully qualified domain name (FQDN) which is a local host name with said unique domain name appended, a distributed authentication system for providing distributed authentication service, wherein a given user enters a global user identification (GUID) and a password for authentication to be carried out at a target participating authentication server, said GUID comprising a user name, a delimitation symbol, and a domain which is same as said local host name of said target authentication server, said distributed authentication system comprising:
a client, wherein said client comprises computer-readable code executing on said client on a processing element for;
parsing an entered GUID and extracting said domain therefrom;
appending said unique domain to said domain to form a fully qualified name (FQDN) for said target authentication server;
translating said FQDN to an address representing said target participating authentication server;
generating a time stamp;
means for combining said password and a service specific seed unique to said target participating authentication server;
applying a hash algorithm to said combination and said time stamp to generate a first hash value; and
sending a data packet to said target participating authentication server, said data packet comprising said first hash value, said user name, and said time stamp;
wherein said participating authentication server comprises computer-readable code executing on a processing element for;
extracting said first hash value, said user name, and said time stamp from said data packet received from said client;
checking and retrieving said user's password from said target participating authentication server's database;
combining said time stamp, said retrieved password, and said service specific seed unique to said target participating authentication server;
applying said hash algorithm to said combination to generate a second hash value;
comparing said first hash value and said second hash value, wherein a matching result of said two hash values indicates a successful authentication; and
caching said positive authentication result and distributing said positive authentication result to any other participating authentication server without central control.
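The client/server exchange of claims 4, 5 and 9, written out as an added Python example (not code from the patent): the client parses a GUID into user name and target FQDN, hashes password + service-specific seed + time stamp and sends only user name, time stamp and digest; the server retrieves the stored password, recomputes the digest, compares, and a positive result is cached and pushed to peer servers. SHA-256, the `@` delimiter, the constructed seed and the freshness window `MAX_SKEW` are assumptions the claims do not specify.

```python
import hashlib
import hmac
import time

SEED = b"seed-for-mail.example.com"  # service-specific seed, one per server (constructed value)
MAX_SKEW = 60  # freshness window in seconds: an added check, not something the claims specify

def parse_guid(guid, unique_domain):
    # Claim 9: GUID = user + delimiter + domain; append the network's unique domain to get the FQDN.
    user, sep, host = guid.partition("@")
    if not (user and sep and host):
        raise ValueError("GUID must be user@domain")
    return user, f"{host}.{unique_domain}"

def digest(password, seed, timestamp):
    # Both sides hash password + service-specific seed + time-varying salt (SHA-256 assumed).
    return hashlib.sha256(password.encode() + seed + str(timestamp).encode()).hexdigest()

def build_packet(guid, password, unique_domain, seed, now=None):
    # Client: the packet carries user name, time stamp and first hash value, never the password.
    user, fqdn = parse_guid(guid, unique_domain)
    ts = int(time.time() if now is None else now)
    return {"target": fqdn, "user": user, "ts": ts, "hash": digest(password, seed, ts)}

class AuthServer:
    def __init__(self, seed, db):
        self.seed, self.db, self.cache = seed, db, {}  # db must hold passwords in retrievable form

    def authenticate(self, packet, now=None):
        now = time.time() if now is None else now
        if abs(now - packet["ts"]) > MAX_SKEW:  # stale time stamp: reject (added check)
            return False
        pw = self.db.get(packet["user"])
        if pw is None:
            return False
        ok = hmac.compare_digest(digest(pw, self.seed, packet["ts"]), packet["hash"])
        if ok:
            self.cache[(packet["user"], packet["ts"])] = True
        return ok

def try_servers(servers, packet, now=None):
    # Claims 4/5: iterate participating servers until one validates the login, then push the
    # positive result to the others without central control.
    for i, s in enumerate(servers):
        if s.authenticate(packet, now):
            for peer in servers[:i] + servers[i + 1:]:
                peer.cache[(packet["user"], packet["ts"])] = True
            return s
    return None
```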