Method and system for modular authentication and session management

US 8,291,228 B2
Filed: 10/21/2008
Issued: 10/16/2012
Est. Priority Date: 12/31/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

receiving, by a computer for providing security to a networked computing system, authentication credentials from an authentication client, wherein said authentication credentials are provided in response to a first request from a client and, wherein, based upon said first request, said authentication client invokes an Application Programming Interface (API) corresponding to a request type, associated with said first request, causing a corresponding interface to be displayed at a business application of said client, and wherein said interface facilitates collection of said authentication credentials;

validating, by said computer, said authentication credentials received from said business application via said authentication client;

determining, by said computer and based upon stored user data, a manner by which said client was validated and access type information identifying characteristics of said first request; and

issuing, by said computer and in response to said determining, a session token to said client, wherein said session token includes data indicating said manner by which said client was validated and said access type information identifying characteristics of said first request,generating, by said computer, said session token by;

generating random data based on said authentication credentials;

retrieving a timestamp;

creating an incremental token identifier;

concatenating said random data, said timestamp, and said incremental token identifier to create a Binary Large Object (BLOB); and

,applying an encryption algorithm with a fixed key to said BLOB to create said session token;

wherein a separate computer for providing security compares said session token to a previous session token issued to said client.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Modular authentication and session management involves the use of discrete modules to perform specific tasks in a networked computing environment. There may be a separate authentication server that verifies the identity of the user and an authorization client that grants various levels of access to users. There may also be an authentication client that receives an initial request from a requesting application and forwards the request to the authentication server to verify the identity of the use. The authorization client may then be invoked to provide the necessary level of access. The use of discrete modules allows multiple business applications to use the same modules to perform user authentication tasks, thus alleviating the unnecessary multiplication of code.

33 Citations

View as Search Results

17 Claims

1. A method comprising:
- receiving, by a computer for providing security to a networked computing system, authentication credentials from an authentication client, wherein said authentication credentials are provided in response to a first request from a client and, wherein, based upon said first request, said authentication client invokes an Application Programming Interface (API) corresponding to a request type, associated with said first request, causing a corresponding interface to be displayed at a business application of said client, and wherein said interface facilitates collection of said authentication credentials;
  
  validating, by said computer, said authentication credentials received from said business application via said authentication client;
  
  determining, by said computer and based upon stored user data, a manner by which said client was validated and access type information identifying characteristics of said first request; and
  
  issuing, by said computer and in response to said determining, a session token to said client, wherein said session token includes data indicating said manner by which said client was validated and said access type information identifying characteristics of said first request,generating, by said computer, said session token by;
  
  generating random data based on said authentication credentials;
  
  retrieving a timestamp;
  
  creating an incremental token identifier;
  
  concatenating said random data, said timestamp, and said incremental token identifier to create a Binary Large Object (BLOB); and
  
  ,applying an encryption algorithm with a fixed key to said BLOB to create said session token;
  
  wherein a separate computer for providing security compares said session token to a previous session token issued to said client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising generating said session token.
  - 3. The method of claim 1, wherein said fixed key is at least one of:
    - Data Encryption Standard (DES), triple DES, or Advanced Encryption Standard (AES).
  - 4. The method of claim 1, wherein said session token is encrypted using at least one of a standard encryption protocol, a proprietary encryption protocol, or an algorithm.
  - 5. The method of claim 1, wherein said session token comprises at least one of random data, data indicative of a time of creation of said session token, or data indicative of a number of said session tokens previously created.
  - 6. The method of claim 1, wherein said session token facilitates session management based on confirmed identities of said client, a user and a server.
  - 7. The method of claim 1, further comprising receiving a second request from said client, wherein said second request includes said session token, and validating said session token.
  - 8. The method of claim 1, further comprising retrieving from stored user data, using said session token, user permissions corresponding to said session token.
  - 9. The method of claim 1, further comprising retrieving from stored user data using said session token, user permissions corresponding to said session token, wherein said stored user data includes information regarding previous access attempts by a user.
  - 10. The method of claim 1, further comprising comparing said first request to user permissions, evaluating authentication level information, and evaluating said access type information to determine that a second request is permissible.
  - 11. The method of claim 10, further comprising transmitting a response to an application service indicative of said second request being permissible.
  - 12. The method of claim 1, wherein said validating step is performed by an authorization component.
  - 13. The method of claim 1, wherein said authentication credentials comprise at least one of textual input and biometric data.
  - 14. The method of claim 1, further comprising retrieving from stored user data, using said session token, user permissions corresponding to said session token, wherein said stored user data further comprises at least one of an expiration time, host identifier, security realm, public globally unique identifier (GUID), private GUID, electronic signature, process identifier, parent process identifier, token type, version, or maximum inactivity time.
  - 15. The method of claim 1, further comprising retrieving from stored user data, using said session token, user permissions corresponding to said session token, wherein said stored user data further comprises at least one of a most recent session access, a copy of user profile data, current status of a user, expiration time of session, host information where said user logged in, security characteristics of a session, a globally unique identifier, electronic signature, process identifier, parent process identifier, token type, token version, or maximum inactivity time allowed.

16. A method comprising:
- receiving, by an authentication client, a first request from a client;
  
  selecting, by said authentication client, an Application Programming Interface (API) corresponding to a request type associated with said first request;
  
  invoking, by said authentication client, said API causing an interface corresponding to said API to be displayed at a business application of said client;
  
  receiving, by said authentication client, authentication credentials from said client, wherein said authentication credentials are retrieved in accordance with said interface; and
  
  transmitting, by said authentication client, said authentication credentials to an authentication service, wherein said authentication service validates said authentication credentials and, in response to said validating said authentication credentials, issues a session token to said client, wherein said session token includes data indicating a manner by which said client was validated and access type information identifying characteristics of said first request, wherein a separate authentication client compares said session token to a previous session token issued to said client, wherein said authentication service generates said session token by generating random data based on said authentication credentials, retrieves a timestamp, creates an incremental token identifier, concatenates said random data, said timestamp, and said incremental token identifier to create a Binary Large Object (BLOB), and applies an encryption algorithm with a fixed key to said BLOB to create said session token.

17. A method comprising:
- sending, by a client system, a first request from a client to an authentication client, wherein said authentication client selects an Application Programming Interface (API) corresponding to a request type associated with said first request, and invokes said API causing an interface corresponding to said API to be displayed at a business application of said client;
  
  displaying, by said client, said interface;
  
  receiving, by said client, authentication credentials via said interface;
  
  generating, by said client, a session token by generating random data based on said authentication credentials, retrieving a timestamp, creating an incremental token identifier, concatenating said random data, said timestamp, and said incremental token identifier to create a Binary Large Object (BLOB); and
  
  , applying an encryption algorithm with a fixed key to said BLOB to create said session token; and
  
  sending said authentication credentials from said client to said authentication client, wherein said authentication credentials are retrieved by said authentication client in accordance with said interface and said authentication credentials are transmitted by said authentication client to an authentication service, and wherein said authentication service validates said authentication credentials and, in response to said validating said authentication credentials, issues said session token to said client, wherein said session token includes data indicating a manner by which said client was validated and access type information identifying characteristics of said first request, and wherein a separate authentication client compares said session token to a previous session token issued to said client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Liberty Peak Ventures, LLC (Dominion Harbor Enterprises, LLC)
Original Assignee
American Express Travel Related Services Company, Inc. (American Express Company)
Inventors
More, Scott, Johnson, Rick D., Royer, Coby, Laidlaw, Robert
Primary Examiner(s)
Yalew, Fikremariam A

Application Number

US12/255,448
Publication Number

US 20090044020A1
Time in Patent Office

1,456 Days
Field of Search

None
US Class Current

713/176
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/105   Multiple levels of security

Method and system for modular authentication and session management

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for modular authentication and session management

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links