Simple, secure login with multiple authentication providers

US 8,196,189 B2
Filed: 06/11/2010
Issued: 06/05/2012
Est. Priority Date: 02/26/2002
Status: Expired due to Term

First Claim

Patent Images

1. An apparatus for distributed authentication comprising:

a plurality of participating authentication servers communicatively coupled in a network;

at least one client programmed for performing a hash operation on a group of identification elements extracted via a client to generate a first hash value and sending said first hash value to a selected authentication server;

wherein at least one of said participating authentication servers is communicatively coupled to said at least one client via a telecommunications network, each of said participating authentication server being programmed for;

performing a same hash operation on a same group of identification elements extracted via at least one participating authentication server to generate a second hash value; and

comparing said first hash value and said second hash value, and distributing a matching result of said two hash values which indicates a successful authentication to any other participating authentication servers without central control.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure distributed single-login authentication system comprises a client and a server. The client collects authentication credentials from a user and tests credentials at a variety of potential authentication servers to check where the login is valid. It combines a password with a time-varying salt and a service-specific seed in a message digesting hash, generating a first hash value. The client sends the hash value with a user name and the time-varying salt to a selected server. The server extracts the user name and looks up the user name in the server'"'"'s database. If an entry is found, it retrieves the password, performing the same hash function on the combination of user name, service-specific seed, and password to generate a second hash value, comparing the values. If the values match, the user is authenticated. Thus, the system never reveals the password to authentication agents that might abuse the information.

93 Citations

View as Search Results

13 Claims

1. An apparatus for distributed authentication comprising:
- a plurality of participating authentication servers communicatively coupled in a network;
  
  at least one client programmed for performing a hash operation on a group of identification elements extracted via a client to generate a first hash value and sending said first hash value to a selected authentication server;
  
  wherein at least one of said participating authentication servers is communicatively coupled to said at least one client via a telecommunications network, each of said participating authentication server being programmed for;
  
  performing a same hash operation on a same group of identification elements extracted via at least one participating authentication server to generate a second hash value; and
  
  comparing said first hash value and said second hash value, and distributing a matching result of said two hash values which indicates a successful authentication to any other participating authentication servers without central control.
- View Dependent Claims (2, 3)
- - 2. The apparatus of claim 1, wherein said group of identification elements comprises:
    - entered user name and password; and
      
      a service specific seed unique to an authentication server selected from said at least one authentication server.
  - 3. The apparatus of claim 2, wherein said group of identification elements further comprises:
    - a time stamp generated at said client when said user name and password were entered.

4. An apparatus for distributed authentication comprising:
- at least one client programmed for;
  
  taking and parsing an entered user name and password;
  
  combining said password and a service specific seed unique to a selected participating authentication server;
  
  applying a hash algorithm to said combination to generate a first hash value;
  
  finding an address representing said selected participating authentication server;
  
  sending a data packet to said selected authentication server, said data packet comprising said user name and said first hash value; and
  
  iterating said at least one authentication server to find a correct authentication server; and
  
  a plurality of participating authentication servers communicatively coupled in a network;
  
  whereinat least one of said plurality of participating authentication servers is communicatively coupled to said at least one client via said network, each of said plurality of authentication servers being programmed for;
  
  extracting said user name and said first hash value from said data packet;
  
  checking and retrieving said user'"'"'s password from said selected participating authentication server'"'"'s database;
  
  combining said retrieved password and said service specific seed unique to said selected participating authentication server;
  
  applying said hash algorithm to said combination to generate a second hash value;
  
  comparing said first hash value and said second hash value, wherein a matching result of said two hash values indicates a successful authentication; and
  
  caching said positive authentication result and distributing said positive authentication result to any other participating authentication server without central control.

5. In a computerized network comprising at least one client and a plurality of participating authentication servers communicatively coupled by said network, said client and at least one of said participating authentication servers being communicatively coupled to each other via said network, a distributed authentication system comprising:
- a clientwherein said client comprises computer-readable code executing on a processing element for;
  
  taking and parsing an entered user name and password;
  
  means for generating a time stamp;
  
  combining said password and a service specific seed unique to a participating authentication server selected from said plurality of participating authentication servers;
  
  applying a hash algorithm to said combination and said time stamp to generate a first hash value;
  
  finding an address representing said selected participating authentication server;
  
  sending a data packet to said selected participating authentication server, said data packet comprising said user name, said time stamp, and said first hash value; and
  
  iterating said list plurality of participating authentication servers to find a correct participating authentication server; and
  
  wherein at least said selected participating server comprises computer-readable code executing on a processing element for;
  
  extracting said user name, said time stamp, and said first hash value from said data packet;
  
  checking and retrieving said user'"'"'s password from said selected participating authentication server'"'"'s database;
  
  combining said time stamp, said retrieved password and said service specific seed unique to said selected participating authentication server;
  
  applying said hash algorithm to said combination completed in said participating server portion to generate a second hash value;
  
  comparing said first hash value and said second hash value, wherein a matching result of said two hash values indicates a successful authentication; and
  
  means for caching said positive authentication result and distributing said positive authentication result to any participating authentication server without central control.
- View Dependent Claims (6, 7, 8)
- - 6. The distributed authentication system of claim 5, wherein said hash algorithm is a message digesting (MD) algorithm or its equivalent.
  - 7. The distributed authentication system of claim 5, wherein said service specific seed is a domain name of said selected participating authentication server.
  - 8. The distributed authentication system of claim 5, wherein said computer-readable code for finding an address representing said selected participating authentication server comprises:
    - computer-readable code for looking up a local mapping list; and
      
      computer-readable code for consulting to a domain name system (DNS).

9. In a computerized network which is registered with a unique domain name, said network comprising at least one client and a plurality of participating authentication servers, said client and said authentication servers being communicatively coupled to each other via said network, each of said participating authentication servers having a fully qualified domain name (FQDN) which is a local host name with said unique domain name appended, a distributed authentication system for providing distributed authentication service, wherein a given user enters a global user identification (GUID) and a password for authentication to be carried out at a target participating authentication server, said GUID comprising a user name, a delimitation symbol, and a domain which is same as said local host name of said target authentication server, said distributed authentication system comprising:
- a client,wherein said client comprises computer-readable code executing on said client on a processing element for;
  
  parsing an entered GUID and extracting said domain therefrom;
  
  appending said unique domain to said domain to form a fully qualified name (FQDN) for said target authentication server;
  
  translating said FQDN to an address representing said target participating authentication server;
  
  generating a time stamp;
  
  means for combining said password and a service specific seed unique to said target participating authentication server;
  
  applying a hash algorithm to said combination and said time stamp to generate a first hash value; and
  
  sending a data packet to said target participating authentication server,said data packet comprising said first hash value, said user name, and said time stamp;
  
  wherein said participating authentication server comprises computer-readable code executing on a processing element for;
  
  extracting said first hash value, said user name, and said time stamp from said data packet received from said client;
  
  checking and retrieving said user'"'"'s password from said target participating authentication server'"'"'s database;
  
  combining said time stamp, said retrieved password, and said service specific seed unique to said target participating authentication server;
  
  applying said hash algorithm to said combination to generate a second hash value;
  
  comparing said first hash value and said second hash value, wherein a matching result of said two hash values indicates a successful authentication; and
  
  caching said positive authentication result and distributing said positive authentication result to any other participating authentication server without central control.
- View Dependent Claims (10, 11, 12, 13)
- - 10. distributed authentication system of claim 9, wherein said hash algorithm is a message digesting (MD) algorithm or its equivalent.
  - 11. The distributed authentication system of claim 9, wherein said service specific seed is a domain name of said target participating authentication server.
  - 12. The distributed authentication system of claim 9, wherein said computer-readable code for translating said FQDN comprises:
    - computer-readable code for looking up said FQDN from a local mapping list; and
      
      computer-readable code for looking up said FQDN from a domain name system (DNS).
  - 13. The distributed authentication system of claim 9, further comprising:
    - computer-readable code executing on a processing element for automatically mapping any unrecognized FQDN into a default authentication server which carries out authentication on said user'"'"'s authentication request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Meta Platforms, Inc. (f/k/a Facebook, Inc.)
Original Assignee
AOL LLC (Apollo Global Management, Inc.)
Inventors
Roskind, James
Primary Examiner(s)
ZIA, SYED

Application Number

US12/813,708
Publication Number

US 20100251347A1
Time in Patent Office

725 Days
Field of Search

None
US Class Current

726/5
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2151   Time stamp

H04L 2463/102   applying security measure f...

H04L 61/4511   using domain name system [DNS]

H04L 63/0815   providing single-sign-on or...

H04L 63/083   using passwords cryptograph...

H04L 9/3226   using a predetermined code,...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3271   using challenge-response

Simple, secure login with multiple authentication providers

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

93 Citations

13 Claims

Specification

Use Cases

Quick Links

Others

Simple, secure login with multiple authentication providers

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

93 Citations

13 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others