Method for reading an attribute from an ID token

US 8,812,851 B2
Filed: 04/20/2011
Issued: 08/19/2014
Est. Priority Date: 04/22/2010
Status: Active Grant

First Claim

Patent Images

1. A method for reading at least one attribute stored in an ID token using first, second and third computer systems, the third computer system comprising a browser and a client, and a service certificate being assigned to the second computer system, the service certificate containing an identifier which identifies the second computer system, the ID token being assigned to a user, comprising:

establishing a first cryptographically protected connection between the browser of the third computer system and the second computer system, wherein the third computer system receives a first certificate;

the third computer system storing the first certificate;

the third computer system receiving a signed attribute specification via the first connection;

establishing a second cryptographically protected connection be-tween the browser of the third computer system and the first computer system, wherein the third computer system receives a second certificate;

the third computer system forwarding the signed attribute specification via the second connection to the first computer system;

the first computer system accessing an authorization certificate, wherein the authorization certificate contains the identifier;

establishing a third cryptographically protected connection between the first computer system and the client of the third computer system, wherein the third computer system receives the authorization certificate containing the identifier via the third connection;

the client checking the third computer system as to whether the identifier is present in the first certificate as proof that the first certificate matches the service certificate;

the user authenticating himself with respect to the ID token;

the first computer system authenticating itself with respect to the ID token;

establishing a fourth cryptographically protected connection between the ID token and the first computer system with end-to-end encryption;

after successful authentication of the user and of the first computer system with respect to the ID token, the first computer system receiving read access to the at least one attribute stored in the ID token via the fourth connection so as to read the one or more attributes specified in the attribute specification from the ID token; and

the first computer system transmitting the at least one attribute to the second computer system after the attribute has been signed,wherein the signed attribute specification is received as a SAML object, and the first computer system comprises a SAML logic component, to which the second connection is established via which the SAML logic component receives the SAML object.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a method for reading at least one attribute stored in an ID token (106, 106′) using first (136), second (150) and third (100) computer systems, wherein the third computer system comprises a browser (112) and a client (113), and wherein a service certificate (144) is assigned to the second computer system, wherein the service certificate comprises an identifier which is used to identify the second computer system, wherein the ID token is assigned to a user (102), having the following steps: —a first cryptographically protected connection (TLS1) is set up between the browser of the third computer system and the second computer system, wherein the third computer system receives a first certificate (176), —the first certificate is stored by the third computer system, —the third computer system receives a signed attribute specification (182) via the first connection, —a second cryptographically protected connection (TLS2) is set up between the browser of the third computer system and the first computer system, wherein the third computer system receives a second certificate (190), —the signed attribute specification is forwarded from the third computer system to the first computer system via the second connection, —the first computer system accesses an authorization certificate (186), wherein the authorization certificate comprises the identifier, —a third cryptographically protected connection (TLS3) is set up between the first computer system and the client of the third computer system, wherein the third computer system receives the authorization certificate containing the identifier via the third connection, —the client of the third computer system checks whether the first certificate comprises the identifier as proof of the fact that the first certificate matches the service certificate, —the user is authenticated with respect to the ID token, —the first computer system (136) is authenticated with respect to the ID token, —a fourth cryptographically protected connection with end-to-end encryption is set up between the ID token and the first computer system, —after the user and the first computer system have been successfully authenticated with respect to the ID token, the first computer system has read access to the at least one attribute stored in the ID token via the fourth connection in order to read the one or more attributes specified in the attribute specification from the ID token, —the first computer system transmits the at least one attribute to the second computer system (150) after said attribute has been signed.

39 Citations

View as Search Results

11 Claims

1. A method for reading at least one attribute stored in an ID token using first, second and third computer systems, the third computer system comprising a browser and a client, and a service certificate being assigned to the second computer system, the service certificate containing an identifier which identifies the second computer system, the ID token being assigned to a user, comprising:
- establishing a first cryptographically protected connection between the browser of the third computer system and the second computer system, wherein the third computer system receives a first certificate;
  
  the third computer system storing the first certificate;
  
  the third computer system receiving a signed attribute specification via the first connection;
  
  establishing a second cryptographically protected connection be-tween the browser of the third computer system and the first computer system, wherein the third computer system receives a second certificate;
  
  the third computer system forwarding the signed attribute specification via the second connection to the first computer system;
  
  the first computer system accessing an authorization certificate, wherein the authorization certificate contains the identifier;
  
  establishing a third cryptographically protected connection between the first computer system and the client of the third computer system, wherein the third computer system receives the authorization certificate containing the identifier via the third connection;
  
  the client checking the third computer system as to whether the identifier is present in the first certificate as proof that the first certificate matches the service certificate;
  
  the user authenticating himself with respect to the ID token;
  
  the first computer system authenticating itself with respect to the ID token;
  
  establishing a fourth cryptographically protected connection between the ID token and the first computer system with end-to-end encryption;
  
  after successful authentication of the user and of the first computer system with respect to the ID token, the first computer system receiving read access to the at least one attribute stored in the ID token via the fourth connection so as to read the one or more attributes specified in the attribute specification from the ID token; and
  
  the first computer system transmitting the at least one attribute to the second computer system after the attribute has been signed,wherein the signed attribute specification is received as a SAML object, and the first computer system comprises a SAML logic component, to which the second connection is established via which the SAML logic component receives the SAML object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method according to claim 1, wherein the first computer system is authenticated with respect to the I D token using the authorization certificate, the authorization certificate containing information about those attributes stored in the I D token for which the first computer system has read access authorization.
  - 3. The method according to claim 2, wherein the ID token checks the read authorization of the first computer system for the read access to at least one of the attributes using the authorization certificate.
  - 4. The method according to claim 1, wherein the first, second and third connections are transport layer connections, respectively, and the fourth connection is established via the third connection.
  - 5. The method according to claim 1, wherein the first computer system contains a protocol stack component, to which the third connection is established.
  - 6. A method according to claim 1, wherein an ID provider certificate which contains an identifier of the first computer system is assigned to the first computer system, wherein the ID provider certificate is used to establish the second cryptographically protected connection, and the second certificate received thereupon from the first computer system is stored, and wherein the authorization certificate contains both the identifier of the first computer system and the identifier of the second computer system, wherein the client of the third computer system checks whether an identifier of the first certificate and an identifier of the second certificate are present in the authorization certificate, and wherein the fourth cryptographically protected connection is only established if the identifier of the first certificate and the identifier of the second certificate are present in the authorization certificate.
  - 7. A method according to claim 1, comprising identifying the authorization certificate based on the attribute specification.
  - 8. A non-transitory computer program product, comprising instructions which can be executed by a computer system for carrying out the method according to claim 1.

9. A computer system,comprising:
- a browser and a client;
  
  a first communications interface capable of establishing a first cryptographically protected connection between the browser and a second computer system for receiving a first certificate and a signed attribute specification, wherein the first certificate contains an identifier;
  
  a non-transitory computer readable medium capable of storing the first certificate;
  
  a second communications interface capable of establishing a second cryptographically protected connection between the browser and a first computer system using a second certificate, wherein the second certificate contains a further identifier;
  
  a forwarding module capable of forwarding the signed attribute specification, which was received via the first connection, via the second connection;
  
  a third communications interface capable of establishing a third cryptographically protected connection between the client and the first computer system, wherein an authorization certificate is received, the authorization certificate containing the identifiers of the first and second computer systems;
  
  an identification module capable of checking whether the identifiers of the authorization certificate match the identifiers of the first and second certificates; and
  
  a fourth communications interface capable of establishing a fourth cryptographically protected connection between an ID token and the first computer system with end-to-end encryption so as to give the first computer system read access to the at least one attribute stored in the ID token via the fourth connection after the user and the first computer system have been successfully authenticated with respect to the ID token,wherein the signed attribute specification is received as a SAML object, and the first computer system comprises a SAML logic component, to which the second connection is established via which the SAML logic component receives the SAML object.
- View Dependent Claims (10, 11)
- - 10. The computer system according to claim 9, wherein the identification module is designed to carry out a redirect.
  - 11. The computer system according to claim 9, wherein the browser comprises a plug-in program which is used to start the client after the browser has received the signed attribute specification and via which the first certificate is transferred to the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bundesdruckerei GmbH (Government of Germany)
Original Assignee
Bundesdruckerei GmbH (Government of Germany)
Inventors
Schwarz, Carsten, Koch, Gnter
Primary Examiner(s)
Zecher, Cordelia
Assistant Examiner(s)
LAKHIA, VIRAL S

Application Number

US13/637,691
Publication Number

US 20130219181A1
Time in Patent Office

1,217 Days
Field of Search

713/175, 713/185, 726/4, 726 7- 9
US Class Current

713/175
CPC Class Codes

G06F 21/33   using certificates

G06F 21/34   involving the use of extern...

G06F 21/41   where a single sign-on prov...

H04L 63/0428   wherein the data content is...

H04L 63/0823   using certificates cryptogr...

H04L 63/102   Entity profiles

H04L 63/1466   Active attacks involving in...

Method for reading an attribute from an ID token

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

39 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Method for reading an attribute from an ID token

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links