Personal token and a method for controlled authentication
First Claim
1. An assembly comprising:
- a personal token and a telecommunication terminal (20) which hosts said personal token (10), said telecommunication terminal comprising a proxy program which establishes SSL connections to an authentication server on behalf of other programs and to which SSL connection requests from other programs executing on the telecommunication terminal are redirected, and including instructions:
  - to request said personal token (10) to verify a remote authentication server (30);
  - a built-in SSL implementation to establish an SSL communications channel using a certificate from the personal token without storing the certificate in the telecommunications terminal;
  - to use the built-in SSL implementation to establish an SSL communications channel to the remote authentication server upon successful verification of the remote server by the personal token;
  - to receive a SAML token from the remote authentication server; and
  - to transfer the SAML token to a said other program from which an SSL connection request originated, thereby allowing said other program to establish an SSL connection to a remote service provider server;
- the personal token comprises a processor and storage including:
  - data which is specifically associated with the remote server;
  - instructions to operate the processor of the personal token to receive a server verification request from the proxy program; in response to receiving the server verification request, verifying that the server corresponds to an authorized server; and in response to successfully verifying the remote server, initiating an SSL connection according to the non-standard SSL protocol by generating a message authenticating said personal token to the remote server and by signing said message with said data, so that only the specific remote server can interpret the authenticating message.
Abstract
The invention relates to a personal token (10) for authentication in a network comprising a piece of software for initiating an SSL connection by generating a message authenticating said token to a remote server (30), characterized in that the piece of software controls the processing of the message so as to use data (12) which is prestored in the token (10) and which is specifically associated with the remote server (30), so that the message can be interpreted only by the specific remote server (30).
Claims

1. An assembly comprising: (set out in full above under First Claim; dependent claim 2 is not reproduced on this page)
3. A method for authentication in a network using a personal token, said method comprising the following steps:
a) providing a personal token which embeds a piece of software for initiating an SSL connection including generating a message which authenticates said token to a remote authentication server,
b) providing a telecommunication terminal comprising a proxy program which establishes SSL connections to an authentication server on behalf of other programs and including instructions to request said personal token to verify the remote authentication server,
c) redirecting control to the proxy program upon user attempt to initiate an SSL session with a remote service provider server in another program on the telecommunication terminal,
d) operating the telecommunication terminal according to the instructions of the proxy program to initiate an SSL session with the remote authentication server and to receive a server certificate from the remote authentication server,
e) operating the telecommunication terminal according to the instructions of the proxy program to request, from the personal token, a server verification based on the received server certificate,
f) receiving on the personal token the server verification request from the proxy, and in response to successfully verifying the server, generating by said piece of software a message authenticating said token to the remote server, using data which is pre-stored in the token and which is specifically associated with the remote server, using a function whereby said message can be interpreted only by the specific remote server,
g) receiving on the telecommunications terminal, operating according to instructions of the proxy program, a certificate of the personal token and transmitting the certificate of the personal token to the remote authentication server,
h) operating the telecommunications terminal according to instructions of the proxy program to receive a SAML token from the remote authentication server, and
i) redirecting the SAML token to the another program that attempted to initiate an SSL session with a remote service provider server, thereby allowing the another program to communicate with the remote service provider using SSL.
4. A method for restricting the use of a personal token connected to a host computer to authenticate a user and to establish an authenticated session with an IT server, operating a browser on the host computer to a remote authentication server, the method restricting the use of the personal token to authorized remote authentication servers, the method comprising:
- receiving a server logon request from a user to log on to the IT server in a first program executing on the host computer;
- redirecting the server logon to a proxy program also executing on the host computer for connection to a remote authorization server;
- operating the host computer according to the instructions of the proxy program to initiate an SSL session with the remote authentication server and to receive a server certificate from the remote authentication server;
- operating the host computer according to instructions of the proxy program to request the personal token to verify that the remote authorization server is an authorized server based on the received server certificate;
- operating the personal token to receive the request to verify the remote authorization server and to verify the remote authorization server as an authorized server, and, upon verification of the remote server as an authorized server, to use data stored on the personal token and associated uniquely with the remote server to generate a message only interpretable by the remote authorization server in a non-standard protocol;
- operating the host computer according to instructions of the proxy program to receive a certificate of the personal token and transmit the certificate of the personal token to the remote authentication server, to receive a SAML token from the remote authorization server, and to transfer the SAML token to the browser; and
- operating the host computer according to instructions of the browser, upon receiving the SAML token from the proxy program, to initialize a secure session with the IT server.
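The flow claimed above (proxy redirects the connection, token verifies the server certificate against prestored server-specific data, token signs an authenticating message that only that server can interpret, server returns a SAML token that the proxy hands back to the originating program) can be exercised end to end in a small simulation. The following is an added illustration and not the patent's own software or any product's code; it assumes that the server-specific data (12) is a pinned SHA-256 fingerprint of the server certificate plus a symmetric key shared only with that server, that the "non-standard" signing step is an HMAC over the message, and that a signed dict stands in for a SAML assertion. No real SSL/TLS is performed; the certificates and keys are constructed inline. The same block also covers the rejection cases claims 1 and 4 imply: an unpinned (rogue) server is refused before any signing happens, and a message signed for one authorized server is not interpretable by another.

```python
import hashlib
import hmac
import json
import os
import secrets


def fingerprint(cert: bytes) -> str:
    """Pin a certificate by SHA-256 fingerprint (stand-in for a real X.509 check)."""
    return hashlib.sha256(cert).hexdigest()


class PersonalToken:
    """The personal token (10). Per authorized server it stores the pinned
    certificate fingerprint and a key shared only with that server (the
    server-specific data (12)). The key never leaves the token."""

    def __init__(self, authorized: dict):
        self._authorized = authorized  # server_id -> {"fingerprint": str, "key": bytes}
        self.certificate = b"TOKEN-CERT:" + secrets.token_hex(8).encode()  # constructed

    def verify_server(self, server_cert: bytes):
        """Server verification request from the proxy: return the matching
        server id, or None when the certificate is not pinned on the token."""
        fp = fingerprint(server_cert)
        for server_id, data in self._authorized.items():
            if hmac.compare_digest(data["fingerprint"], fp):
                return server_id
        return None

    def authenticate_to(self, server_cert: bytes, nonce: bytes):
        """Only after successful verification: sign the authenticating message
        with the key of that one server, so no other server can verify it."""
        server_id = self.verify_server(server_cert)
        if server_id is None:
            raise PermissionError("token refuses: server not authorized")
        message = b"|".join([server_id.encode(), self.certificate, nonce])
        mac = hmac.new(self._authorized[server_id]["key"], message, hashlib.sha256).digest()
        return message, mac


class AuthenticationServer:
    """The remote authentication server (30): knows the per-token shared keys
    and issues a SAML-like assertion (a signed dict stands in for SAML here)."""

    def __init__(self, server_id: str, cert: bytes, token_keys: dict, saml_key: bytes):
        self.server_id, self.cert = server_id, cert
        self._token_keys = token_keys  # token certificate -> shared key
        self._saml_key = saml_key

    def challenge(self) -> bytes:
        return os.urandom(16)  # fresh nonce so the signed message cannot be replayed

    def login(self, token_cert: bytes, message: bytes, mac: bytes, nonce: bytes) -> dict:
        key = self._token_keys.get(token_cert)
        expected = hmac.new(key or b"", message, hashlib.sha256).digest()
        sid, cert, n = message.split(b"|", 2)  # server id and cert contain no "|"
        ok = (key is not None and hmac.compare_digest(expected, mac)
              and sid == self.server_id.encode() and cert == token_cert and n == nonce)
        if not ok:
            raise PermissionError("authentication message not valid for this server")
        assertion = {"issuer": self.server_id, "subject": token_cert.decode()}
        sig = hmac.new(self._saml_key, json.dumps(assertion, sort_keys=True).encode(),
                       hashlib.sha256).hexdigest()
        return {"assertion": assertion, "signature": sig}


class Proxy:
    """The proxy program on the terminal (20): SSL requests from other programs
    are redirected here. It forwards the token certificate but stores no key."""

    def __init__(self, token: PersonalToken, auth_server: AuthenticationServer):
        self.token, self.auth_server = token, auth_server

    def obtain_saml_token(self) -> dict:
        server_cert = self.auth_server.cert  # received in the (simulated) handshake
        if self.token.verify_server(server_cert) is None:
            raise PermissionError("proxy aborts: token did not verify the server")
        nonce = self.auth_server.challenge()
        message, mac = self.token.authenticate_to(server_cert, nonce)
        return self.auth_server.login(self.token.certificate, message, mac, nonce)


def run_demo() -> dict:
    """One token authorized for two servers; exercises the authorized server,
    a rogue server, and a message for server A presented to server B."""
    key_a, key_b = os.urandom(32), os.urandom(32)
    cert_a, cert_b = b"CERT:auth-a.example.test", b"CERT:auth-b.example.test"  # constructed
    token = PersonalToken({
        "auth-a": {"fingerprint": fingerprint(cert_a), "key": key_a},
        "auth-b": {"fingerprint": fingerprint(cert_b), "key": key_b},
    })
    server_a = AuthenticationServer("auth-a", cert_a, {token.certificate: key_a}, os.urandom(32))
    server_b = AuthenticationServer("auth-b", cert_b, {token.certificate: key_b}, os.urandom(32))
    rogue = AuthenticationServer("auth-a", b"CERT:rogue.example.test", {}, os.urandom(32))
    results = {"saml": Proxy(token, server_a).obtain_saml_token()}
    try:  # unpinned certificate: the token never signs anything
        Proxy(token, rogue).obtain_saml_token()
        results["rogue_rejected"] = False
    except PermissionError:
        results["rogue_rejected"] = True
    nonce = server_b.challenge()
    message, mac = token.authenticate_to(cert_a, nonce)
    try:  # signed with A's key and bound to A's id: B cannot interpret it
        server_b.login(token.certificate, message, mac, nonce)
        results["cross_server_rejected"] = False
    except PermissionError:
        results["cross_server_rejected"] = True
    return results
```

The two checks in `run_demo` are the ones worth keeping in mind when reading claims 1 and 4: the server pin is enforced on the token before any key is used, so an unauthorized server cannot even obtain a signed message to relay, and binding the message to one server's key and identifier means a legitimately obtained message is useless at any other server.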