Personal token and a method for controlled authentication

US 8,307,413 B2
Filed: 08/24/2005
Issued: 11/06/2012
Est. Priority Date: 08/24/2004
Status: Active Grant

First Claim

Patent Images

1. An assembly comprising:

a personal token and a telecommunication terminal (20) which hosts said personal token (10),said telecommunication terminal comprising a proxy program which establishes SSL connections to an authentication server on behalf of other programs and to which SSL connection requests from other programs executing on the telecommunication terminal are redirected and including instructions;

to request said personal token (10) to verify a remote authentication server (30);

a built-in SSL implementation to establish an SSL communications channel using a certificate from the personal token without storing the certificate in the telecommunications terminal;

to use the built-in SSL implementation to establish an SSL communications channel to the remote authentication server upon successful verification of the remote server by the personal token;

to receive a SAML token from the remote authentication server; and

to transfer the SAML token to a said other program from which an SSL connection request originated thereby allowing said other program to establish an SSL connection to a remote service provider server;

the personal token comprises a processor and storage including;

data which is specifically associated with the remote server;

instructions to operate the processor of the personal token to receive a server verification request from the proxy program, in response to receiving the server verification request verifying that the server corresponds to an authorized server, in response to successfully verifying the remote server, initiating an SSL connection according to the non-standard SSL protocol by generating a message authenticating said personal token to the remote server and by signing said message with said data so that only the specific remote server can interpret the authenticating message.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a personal token (10) for authentication in a network comprising a piece of software for initiating an SSL connection by generating a message authenticating said token to a remote server (30) characterized in that the piece of software controls the processing of the message so as to use of a data (12) which is prestored in the token (10) and which is specifically associated with the remote server (30) so that the message can be interpreted only by the specific remote server (30).

74 Citations

View as Search Results

4 Claims

1. An assembly comprising:
- a personal token and a telecommunication terminal (20) which hosts said personal token (10),said telecommunication terminal comprising a proxy program which establishes SSL connections to an authentication server on behalf of other programs and to which SSL connection requests from other programs executing on the telecommunication terminal are redirected and including instructions;
  
  to request said personal token (10) to verify a remote authentication server (30);
  
  a built-in SSL implementation to establish an SSL communications channel using a certificate from the personal token without storing the certificate in the telecommunications terminal;
  
  to use the built-in SSL implementation to establish an SSL communications channel to the remote authentication server upon successful verification of the remote server by the personal token;
  
  to receive a SAML token from the remote authentication server; and
  
  to transfer the SAML token to a said other program from which an SSL connection request originated thereby allowing said other program to establish an SSL connection to a remote service provider server;
  
  the personal token comprises a processor and storage including;
  
  data which is specifically associated with the remote server;
  
  instructions to operate the processor of the personal token to receive a server verification request from the proxy program, in response to receiving the server verification request verifying that the server corresponds to an authorized server, in response to successfully verifying the remote server, initiating an SSL connection according to the non-standard SSL protocol by generating a message authenticating said personal token to the remote server and by signing said message with said data so that only the specific remote server can interpret the authenticating message.
- View Dependent Claims (2)
- - 2. The assembly according to claim 1, wherein the data, which is specifically associated with the server, is a public key of the server.

3. A method for authentication in a network using a personal token, said method comprising the following steps:
- a) providing a personal token which embeds a piece of software for initiating an SSL connection including generating a message which authenticates said token to a remote authentication server,b) providing a telecommunication terminal comprising a proxy program which establishes SSL connections to an authentication server on behalf of other programs and including instructions to request said personal token to verify the remote authentication server,c) redirecting control to the proxy program upon user attempt to initiate an SSL session with a remote service provider server in another program on the telecommunication terminal,d) operating the telecommunication terminal according to the instructions of the proxy program to initiate an SSL session with the remote authentication server and to receive a server certificate from the remote authentication server;
  
  e) operating the telecommunication terminal according to the instructions of the proxy program to request, from the personal token, a server verification request based on the received server certificate,f) receive on the personal token the server verification request from the proxy, and in response to successfully verifying the server, generating by said piece of software a message authenticating said token to the remote server, using data which is pre-stored in the token and which is specifically associated with the remote server using a function whereby said message can be interpreted only by the specific remote server,g) receive on the telecommunications terminal, operating according to instructions of the proxy program, a certificate of the personal token and transmit the certificate of the personal token to the remote authentication server,h) operating the telecommunications terminal according to instructions of the proxy program to receive a SAML token from the remote authentication server, andi) redirecting the SAML token to the another program that attempted to initiate an SSL session with a remote service provider server thereby allowing the another program to communicate with the remote service provider using SSL.

4. A method for restricting the use of a personal token connected to a host computer to authenticate a user and to establish an authenticated session with an IT server operating a browser on the host computer to a remote authentication server, the method restricting the use of the personal token to authorized remote authentication servers, the method comprising:
- receiving a server logon request from a user to logon to the IT server in a first program executing on the host computer;
  
  redirecting the server logon to a proxy program also executing on the host computer for connection to a remote authorization server;
  
  operating the host computer according to the instructions of the proxy program to initiate an SSL session with the remote authentication server and to receive a server certificate from the remote authentication server;
  
  operating the host computer according to instructions of the proxy program to request the personal token to verify that the remote authorization server is an authorized server based on the received server certificate;
  
  operating the personal token;
  
  to receive the request to verify the remote authorization server and verify the remote authorization server as an authorized server;
  
  upon verification of the remote server as an authorized server, to use data stored on the personal token and associated uniquely with the remote server to generate a message only interpretable by the remote authorization server in a non-standard protocol;
  
  operating the host computer operating according to instructions of the proxy program;
  
  receive a certificate of the personal token and transmit the certificate of the personal token to the remote authentication server,to receive a SAML token from the remote authorization server; and
  
  to transfer the SAML token to the browser; and
  
  operating the host computer operating according to instructions of the browser toupon receiving the SAML token from the proxy program to initialize a secure session with the IT server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Thales DIS France SA
Original Assignee
Gemalto SA (Thales SA)
Inventors
Smadja, Philippe, Aussel, Jean-Daniel
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
Olion, Brian

Application Number

US11/574,125
Publication Number

US 20080263649A1
Time in Patent Office

2,631 Days
Field of Search

713168-175
US Class Current

726/9
CPC Class Codes

G06F 21/34   involving the use of extern...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0853   using an additional device,...

H04L 63/166   at the transport layer

Personal token and a method for controlled authentication

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

74 Citations

4 Claims

Specification

Solutions

Use Cases

Quick Links

Personal token and a method for controlled authentication

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

74 Citations

4 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links