Encryption-based session establishment

US 8,949,596 B2
Filed: 07/10/2012
Issued: 02/03/2015
Est. Priority Date: 07/10/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a first server, a first token from a user device,the first token including information to authenticate the user device to communicate with the first server;

determining, by the first server, that the first token is invalid;

sending, by the first server, a login instruction to the user device, responsive to the determining that the first token is invalid,the login instruction requesting the user device to provide a set of credentials to a second server,the set of credentials being provided by the user device to the second server based on the login instruction, andthe second server being different from the first server;

receiving, by the first server, a first response from the user device,the first response being provided to the user device by the second server based on the user device providing the set of credentials to the second server, andthe first response including information identifying whether the user device is authenticated to communicate with the first server;

sending, by the first server, the first response to a third server,the third server generating a second response based on the first response,the third server being different from the first server and the second server,the second response including information that indicates that the user device is authenticated to communicate with the first server, andthe second response being sent by the third server to the first server;

receiving, by the first server, the second response from the third server;

generating, by the first server, a second token, based on receiving the second response,the second token including information to authenticate the user device to communicate with the first server; and

sending, by the first server, the second token to the user device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first server is configured to receive a first token from a user device, determine whether the first token is valid, request the user device to provide a set of credentials to a second server, based on determining that the first token is invalid, and receive a first response from the user device. The first response may include information identifying whether the user device is authenticated to communicate with the first server. The first server is further configured to send the first response to a third server. The third server may generate a second response to indicate authentication of the user device to communicate with the first server. The first server is further configured to receive the second response from the third server, generate a second token, based on receiving the second response, and send the second token to the user device.

Citations

23 Claims

1. A method comprising:
- receiving, by a first server, a first token from a user device,the first token including information to authenticate the user device to communicate with the first server;
  
  determining, by the first server, that the first token is invalid;
  
  sending, by the first server, a login instruction to the user device, responsive to the determining that the first token is invalid,the login instruction requesting the user device to provide a set of credentials to a second server,the set of credentials being provided by the user device to the second server based on the login instruction, andthe second server being different from the first server;
  
  receiving, by the first server, a first response from the user device,the first response being provided to the user device by the second server based on the user device providing the set of credentials to the second server, andthe first response including information identifying whether the user device is authenticated to communicate with the first server;
  
  sending, by the first server, the first response to a third server,the third server generating a second response based on the first response,the third server being different from the first server and the second server,the second response including information that indicates that the user device is authenticated to communicate with the first server, andthe second response being sent by the third server to the first server;
  
  receiving, by the first server, the second response from the third server;
  
  generating, by the first server, a second token, based on receiving the second response,the second token including information to authenticate the user device to communicate with the first server; and
  
  sending, by the first server, the second token to the user device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1,where the second response is an encrypted second response,where the method further comprises:
    - decrypting the encrypted second response; and
      
      validating a signature associated with the second response based on the decrypting of the encrypted second response, andwhere generating the second token comprises;
      
      generating the second token based on the validating of the signature associated with the second response.
  - 3. The method of claim 1, further comprising:
    - receiving a third token from a different user device;
      
      determining that the third token is valid; and
      
      establishing a session with the different user device based on the determining that the third token is valid.
  - 4. The method of claim 1, where determining that the first token is invalid includes:
    - calculating a first value based on a set of parameters;
      
      decrypting a first key, associated with the first token, via a second key associated with the first server;
      
      decrypting a third key, associated with the first token, using the decrypted first key;
      
      identifying a second value based on decrypting the third key;
      
      determining that the first value does not match the second value; and
      
      determining that the first token is invalid based on the determining that the first value does not match the second value.
  - 5. The method of claim 1, where determining that the first token is invalid includes:
    - identifying a timestamp associated with the first token;
      
      determining that the timestamp has expired based on a current time at which the first token was received by the first server;
      
      anddetermining that the first token is invalid based on the determining that the timestamp has expired.
  - 6. The method of claim 1, where generating the second token includes:
    - calculating a value based on a set of parameters;
      
      generating and encrypting a first key based on a second key associated with the first server;
      
      storing the value in a secure storage;
      
      encrypting the value, in the secure storage, based on the first key; and
      
      storing the encrypted value in the second token.
  - 7. The method of claim 1, where generating the second token includes:
    - generating a timestamp,the timestamp including information to identify an expiration time associated with the second token;
      
      generating a time period threshold,the time period threshold relating to an idle time period associated with the second token; and
      
      storing the timestamp and the time period threshold in the second token.
  - 8. The method of claim 1,where the first server is associated with a first party, andwhere the first party is different from a second party that is associated with the second server and the third server.

9. A system comprising:
- a first server, at least partially implemented in hardware, to;
  
  receive a first token from a user device,the first token including information to authenticate the user device to communicate with the first server via a session with the first server;
  
  determine that the first token is invalid;
  
  send a login instruction to the user device responsive to the determining that the first token is invalid,the login instruction requesting the user device to provide a set of credentials to a second server,the set of credentials being provided by the user device to the second server based on the login instruction, andthe second server being different from the first server;
  
  receive a first response from the user device,the first response being provided to the user device by the second server based on the user device providing the set of credentials to the second server, andthe first response including information identifying whether the user device is authenticated to communicate with the first server;
  
  send the first response to a third server,the third server generating a second response based on the first response,the third server being different from the first server and the second server, andthe second response indicating authentication of the user device to communicate with the first server;
  
  receive the second response from the third server;
  
  generate a second token, based on the second response,the second token including information that indicates that the user device is authenticated to communicate with the first server, andthe second response being sent by the third server to the first server;
  
  send the second token to the user device; and
  
  establish a session with the user device based on the second token.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9,where the second response is an encrypted second response,where the first server is further to:
    - decrypt the encrypted second response; and
      
      validate a signature associated with the second response based on the decrypting of the encrypted second response, andwhere, when generating the second token, the first server is to;
      
      generate the second token based on the validating of the signature associated with the second response.
  - 11. The system of claim 9, where the first server is further to:
    - receive a third token from a different user device;
      
      determine that the third token is valid; and
      
      establish a session with the different user device based on the determining that the third token is valid.
  - 12. The system of claim 9, where, when determining that the first token is invalid, the first server is to:
    - calculate a first value based on a set of parameters;
      
      decrypt a first key, associated with the first token, via a second key associated with the first server;
      
      decrypt a third key, associated with the first token, using the decrypted first key;
      
      identify a second value based on decrypting the third key;
      
      determine that the first value does not match the second value; and
      
      determine that the first token is invalid based on the determining that the first value does not match the second value.
  - 13. The system of claim 9, where, when determining that the first token is invalid, the first server is to:
    - determine a current time at which the first token was received by the first server;
      
      determine a time difference between a first time and a second time;
      
      the first time corresponding to when the first token was previously received by the first server, andthe second time corresponding to the current time; and
      
      determine that the first token is invalid based on the time difference.
  - 14. The system of claim 9, where, when generating the second token, the first server is to:
    - calculate a value based on a set of parameters;
      
      generate and encrypt a first key based on a second key associated with the first server;
      
      encrypt the value based on the first key; and
      
      store the encrypted value in the second token.
  - 15. The system of claim 9, where, when generating the second token, the first server is to:
    - generate a timestamp,the timestamp including information to identify an expiration time associated with the second token;
      
      generate a time period threshold,the time period threshold relating to an idle time period associated with the second token; and
      
      store the timestamp and the time period threshold in the second token.
  - 16. The system of claim 9,where the first server is associated with a first party, andwhere the first party is different from a second party that is associated with the second server and the third server.

17. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- a plurality of instructions which, when executed by one or more processors associated with a first server, cause the one or more processors to;
  
  receive a first token from a user device,the first token including information to authenticate the user device to communicate with the first server;
  
  determine whether that the first token is invalid;
  
  send a login instruction to the user device, based on responsive to the determining that the first token is invalid,the login instruction requesting the user device to provide a set of credentials to a second server,the set of credentials being provided by the user device to the second server based on the login instruction, andthe second server being different from the first server;
  
  receive a first response from the user device,the first response being provided to the user device by the second server based on the user device providing the set of credentials to the second server, andthe first response including information identifying whether the user device is authenticated to communicate with the first server;
  
  send the first response to a third server,the third server generating a second response based on the first response,the third server being different from the first server and the second server,the second response including information that indicates that the user device is authenticated to communicate with the first server, via a session with the first server, andthe second response being sent by the third server to the first server;
  
  receive the second response from the third server;
  
  generate a second token, based on the second response,the second token including information to authenticate the user device to communicate with the first server via a session with the first server;
  
  send the second token to the user device; and
  
  establish a session between the user device and the first server based on the second token.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The non-transitory computer-readable medium of claim 17,where the second response is an encrypted second response,where the instructions further comprise:
    - one or more instructions which, when executed by the one or more processors ae further, cause the one or more processors to;
      
      decrypt the encrypted second response; and
      
      validate a signature associated with the second response based on the decrypting of the encrypted second response, andwhere one or more instructions, of the plurality of instructions, to generate the second token include;
      
      one or more instructions which, when executed by the one or more processors, cause the one or more processors to;
      
      generate the second token based on the validating of the signature associated with the second response.
  - 19. The non-transitory computer-readable medium of claim 17, where one or more instructions, of the plurality of instructions, to determine that the first token is invalid, include:
    - one or more instructions which, when executed by the one or more processors, cause the one or more processors to;
      
      calculate a first value based on a set of parameters;
      
      decrypt a first key, associated with the first token, via a second key associated with the first server;
      
      decrypt a third key, associated with the first token, using the decrypted first key;
      
      identify a second value based on decrypting the third key;
      
      determine that the first value does not match the second value; and
      
      determine that the first token is invalid based on the determining that the first value does not match the second value.
  - 20. The non-transitory computer-readable medium of claim 17, where one or more instructions, of the plurality of instructions, to determine that the first token is invalid, include:
    - one or more instructions which, when executed by the one or more processors, cause the one or more processors to;
      
      identify a timestamp associated with the first token;
      
      determine whether the timestamp has expired based on a current time at which the first token was received by the first server;
      
      determine a time difference between a first time and a second time;
      
      the first time corresponding to when the first token was previously received by the first server,the second time corresponding to the current time; and
      
      determine that the first token is invalid based on the time difference.
  - 21. The non-transitory computer-readable medium of claim 17, where one or more instructions, of the plurality of instructions, to generate the second token include:
    - one or more instructions which, when executed by the one or more processors, cause the one or more processors to;
      
      calculate a value based on a set of parameters;
      
      generate and encrypt a first key based on a second key associated with the first server;
      
      store the value in a secure storage;
      
      encrypt the value, in the secure storage, based on the first key; and
      
      store the encrypted value in the second token.
  - 22. The non-transitory computer-readable medium of claim 17, where one or more instructions, of the plurality of instructions, to generate the second token include:
    - one or more instructions which, when executed by the one or more processors, cause the one or more processors to;
      
      generate a timestamp,the timestamp including information to identify an expiration time associated with the second token;
      
      generate a time period threshold,the time period threshold relating to an idle time period associated with the second token; and
      
      store the timestamp and the time period threshold in the second token.
  - 23. The non-transitory computer-readable medium of claim 17, where the first server is associated with a first party, andwhere the first party is different from a second party that is associated with the second server and the third server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
Yin, Fenglin, Hao, Jianxiu, Jin, Zhiying
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Baum, Ronald

Application Number

US13/545,369
Publication Number

US 20140019752A1
Time in Patent Office

938 Days
Field of Search

713/155
US Class Current

713/155
CPC Class Codes

H04L 2463/062   applying encryption of the ...

H04L 63/0435   wherein the sending and rec...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/108   when the policy decisions a...

H04L 63/126   the source of the received ...

Encryption-based session establishment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Encryption-based session establishment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links