System and method for secure identity service

US 9,078,128 B2
Filed: 09/02/2011
Issued: 07/07/2015
Est. Priority Date: 06/03/2011
Status: Active Grant

First Claim

Patent Images

1. A method for managing user identities on a network comprising:

receiving, by an identity service executing on a processor in a server on the network, a request to register an identity for a first user, the request including a token containing a notification service account identifier for a mobile device of the first user that uniquely identifies the mobile device of the first user to a push notification service, the push notification service executing on a processor in a server on the network to transmit data to mobile devices identified by tokens, the request further including one or more authenticated identification (ID) codes uniquely identifying the first user;

storing, by the identity service, an entry for the first user within a registration database, the entry associating the token with the authenticated ID codes of the first user;

receiving, by the identity service, a query from a second user to communicate with the first user, the query including at least one of the authenticated ID codes of the first user, the query further including at least one authenticated ID code of the second user and a token containing a notification service account identifier for a mobile device of the second user that uniquely identifies the mobile device of the second user to the push notification service on the network;

generating, by the identity service, a first query signature over one or more of the authenticated ID codes and tokens of the first and second users, and a timestamp, the query signature usable by application-specific network services to authenticate communication between the first and second users on the network; and

transmitting, by the identity service, the first query signature and the first user'"'"'s token to the mobile device of second user, the mobile device of the second user subsequently sending a message to the push notification service for delivery to the first user upon verification by a first application-specific network service using the first query signature sent to the first application-specific network service by the push notification service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for securely processing identity information. For example, in one embodiment of the invention, a first user is registered on an identity service with one or more identification (ID) codes and a token. In response to a query from a second user to connect with the first user, a query signature is generated using the one or more ID codes and token of the first and second users, and a timestamp. The query signature is usable by network services to authenticate communication between the first and second users on the network over a specified period of time. In another embodiment, user ID codes and tokens are cached on mobile devices and/or a system cache to improve performance. The validity of the cached data is determined by calculating a fingerprint which, in one embodiment, is a hash of the ID code, token and a timestamp.

75 Citations

View as Search Results

31 Claims

1. A method for managing user identities on a network comprising:
- receiving, by an identity service executing on a processor in a server on the network, a request to register an identity for a first user, the request including a token containing a notification service account identifier for a mobile device of the first user that uniquely identifies the mobile device of the first user to a push notification service, the push notification service executing on a processor in a server on the network to transmit data to mobile devices identified by tokens, the request further including one or more authenticated identification (ID) codes uniquely identifying the first user;
  
  storing, by the identity service, an entry for the first user within a registration database, the entry associating the token with the authenticated ID codes of the first user;
  
  receiving, by the identity service, a query from a second user to communicate with the first user, the query including at least one of the authenticated ID codes of the first user, the query further including at least one authenticated ID code of the second user and a token containing a notification service account identifier for a mobile device of the second user that uniquely identifies the mobile device of the second user to the push notification service on the network;
  
  generating, by the identity service, a first query signature over one or more of the authenticated ID codes and tokens of the first and second users, and a timestamp, the query signature usable by application-specific network services to authenticate communication between the first and second users on the network; and
  
  transmitting, by the identity service, the first query signature and the first user'"'"'s token to the mobile device of second user, the mobile device of the second user subsequently sending a message to the push notification service for delivery to the first user upon verification by a first application-specific network service using the first query signature sent to the first application-specific network service by the push notification service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as in claim 1 further comprising:
    - receiving a request from the second user at the first application-specific network service to establish a communication channel with the first user;
      
      generating a second query signature at the first application-specific network service using the authenticated ID codes and tokens of the first and second users, and a current timestamp;
      
      if the first query signature and the second query signatures match, then allowing communication between the first user and the second user using the first application-specific network service.
  - 3. The method as in claim 2 wherein if the first query signature does not match the second query signature, then rejecting the request from the second user at the first application-specific network service to establish a communication channel with the first user.
  - 4. The method as in claim 3 wherein the first application-specific network service comprises an instant messaging service.
  - 5. The method as in claim 1 wherein the request to register the identify of the first user includes application data identifying applications installed on the first user'"'"'s mobile device, the application data being stored in the entry for the first user within the registration database,wherein the request from the second user includes application data identifying applications installed on the second user'"'"'s mobile device, and wherein the response to the second user identifies applications common to both the first user'"'"'s mobile device and the second user'"'"'s mobile device.
  - 6. The method as in claim 5 wherein at least one of the applications comprises a video chat application.
  - 7. The method as in claim 1 wherein the one or more authenticated ID codes are received from the first user in a non-canonicalized format, the method further comprising:
    - canonicalizing the one or more authenticated ID codes to generate canonicalized ID codes prior to storing the canonicalized ID codes within the registration database; and
      
      transmitting one or more of the canonicalized ID codes to the second user with the first query signature and first user'"'"'s token.
  - 8. The method as in claim 7 wherein one of the authenticated ID codes comprises a telephone number associated with the first user.
  - 9. The method as in claim 1 wherein one of the authenticated ID codes comprises an email address associated with the first user.
  - 10. The method as in claim 1 further comprising:
    - generating a first certificate for the first user comprising a signature over the token of the first user;
      
      generating a second certificate for the first user comprising a signature over at least one of the authenticated ID codes of the first user and a password associated with the first user; and
      
      generating a third certificate for the first user using data extracted from the first certificate and the second certificate, and a timestamp, the third certificate usable by the application-specific network services to authenticate the first user on the network.

11. A method comprising:
- receiving, by an identity service executing on a processor in a server on a network, a first query from a mobile device of a first user to communicate with a mobile device of a second user;
  
  responsively providing, by the identity service, the mobile device of the first user with one or more authenticated identities of the second user, a token for a mobile device of the second user, and a fingerprint generated with one or more authenticated identities of the first user, the token, and a timestamp, the token containing a notification service account identifier for the mobile device of the second user that uniquely identifies each mobile device of the second user to a push notification service, the push notification service executing on a processor in a server on the network to transmit data to mobile devices identified by tokens, the mobile device of the first user subsequently sending a message to push notification service for delivery to the second user upon verification by a first application-specific network service using authentication identifiers and tokens for the first and second users sent to the first application-specific network service by the push notification service;
  
  subsequently checking, by the identity service, the fingerprint on the mobile device of the first user to determine if the fingerprint is still valid in response to a second query generated from the first user to communicate with the second user, wherein if the fingerprint is still valid then re-using the one or more authenticated identities of the second user and the token of the second user provided in response to the first query.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method as in claim 11 wherein the fingerprint comprises a hash over the one or more authenticated identities and the token of the second user.
  - 13. The method as in claim 12 wherein the hash comprises an secure hash algorithm 1 (“
    - SHA-1”
      
      ) hash.
  - 14. The method as in claim 11 wherein subsequently checking the fingerprint comprises re-generating the fingerprint using the one or more authenticated identities and token of the second user and a current timestamp and comparing the re-generated fingerprint with the original fingerprint.
  - 15. The method as in claim 12 further comprising:
    - storing the one or more authenticated identities, the token of the second user, and the fingerprint in a network cache;
      
      receiving a subsequent query at the network cache for the one or more authenticated identities and token of the second user;
      
      transmitting the fingerprint from the network cache to the identity service;
      
      receiving a response from the identity service indicating whether the fingerprint is still valid, wherein if the fingerprint is still valid, transmitting the one or more authenticated identities and the token stored in the network cache to the mobile device from which the subsequent query was received.
  - 16. The method as in claim 15 wherein, if the fingerprint is no longer valid, then transmitting one or more authenticated identities and the token of the second user and a new fingerprint from the identity service to the network cache, the new fingerprint generated using the one or more authenticated identities and the token of the second user and a current timestamp.

17. A non-transitory machine-readable medium having program code stored thereon which, when executed by one or more machines, causes the machines to perform the operations of:
- receiving, by an identity service executing on a processor in a server on a network, a request from a mobile device of a second user at a first application-specific network service to establish a communication channel with a mobile device of a first user;
  
  generating, by the identity service, a second query signature at the first application-specific network service using authenticated ID codes and tokens of the first and second users, and a current timestamp, the tokens containing a notification service account identifier for each of the mobile devices of the first and second users that uniquely identifies each of the mobile devices to a push notification service, the push notification service executing on a processor in the network to transmit data to mobile devices identified by tokens;
  
  if a first query signature and the second query signatures match, then allowing communication between the mobile devices of the first user and the second user using the first application-specific network service, the first query signature sent from the push notification service to the first application-specific network service to verify a message sent from the mobile device of the second user to the push notification service for delivery to the first user.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. The non-transitory machine-readable medium as in claim 17 wherein if the first query signature does not match the second query signature, then rejecting the request from the mobile device of the second user at the first application-specific network service to establish a communication channel with the mobile device of the first user.
  - 19. The non-transitory machine-readable medium as in claim 18 wherein the first application-specific network service comprises an instant messaging service.
  - 20. The non-transitory machine-readable medium as in claim 17 wherein the identity service receives a request to register an identity of the first user that includes application data identifying applications installed on the mobile device of the first user, the application data being stored in an entry for the first user within a registration database,wherein the request from the second user includes application data identifying applications installed on the mobile device of the second user, and wherein the identity service identifies applications common to the mobile device of the first user and the mobile device of the second user.
  - 21. The non-transitory machine-readable medium as in claim 20 wherein at least one of the applications comprises a video chat application.
  - 22. The non-transitory machine-readable medium as in claim 17 wherein the one or more authenticated ID codes are received from the first user in a non-canonicalized format, the machine-readable medium further comprising:
    - canonicalizing one or more authenticated ID codes to generate canonicalized ID codes prior to storing the canonicalized ID codes within a registration database; and
      
      transmitting one or more of the canonicalized ID codes to the mobile device of the second user with the first query signature and first user'"'"'s token.
  - 23. The non-transitory machine-readable medium as in claim 22 wherein one of the authenticated ID codes comprises a telephone number associated with the first user.
  - 24. The non-transitory machine-readable medium as in claim 17 wherein one of the authenticated ID codes comprises an email address associated with the first user.
  - 25. The non-transitory machine-readable medium as in claim 17 comprising additional program code to cause the machines to perform the additional operations of:
    - generating a first certificate for the first user comprising a signature over the token of the first user;
      
      generating a second certificate for the first user comprising a signature over at least one of the authenticated ID codes of the first user and a password associated with the first user; and
      
      generating a third certificate for the first user using data extracted from the first certificate and the second certificate, and a timestamp, the third certificate usable by application-specific network services to authenticate the first user on the network.

26. A non-transitory machine-readable medium having program code stored thereon which, when executed by one or more machines, causes the machines to perform the operations of:
- receiving, by an identity service executing on a processor in a server on a network, a first query from a mobile device of a first user to communicate with a mobile device of a second user;
  
  responsively providing, by the identity service, the mobile device of the first user with one or more authenticated identities of the second user, a token containing a notification service account identifier for a mobile device of the second user, the token uniquely identifying the mobile device of the second user to a push notification service, the push notification service executing on a processor in a server on the network to transmit data to mobile devices identified by tokens, and a fingerprint generated with one or more authenticated identities of the first user, the token, and a timestamp, the mobile device of the first user subsequently sending a message to push notification service for delivery to the second user upon verification by a first application-specific network service using authentication identifiers and tokens for the first and second users sent to the first application-specific network service by the push notification service;
  
  subsequently checking, by the identity service, the fingerprint on the mobile device of the first user to determine if the fingerprint is still valid in response to a second query generated from the first user to communicate with the second user, wherein if the fingerprint is still valid then re-using the one or more authenticated identities of the second user and the token of the second user provided in response to the first query.
- View Dependent Claims (27, 28, 29, 30, 31)
- - 27. The non-transitory machine-readable medium as in claim 26 wherein the fingerprint comprises a hash over the one or more authenticated identities and the token of the second user.
  - 28. The non-transitory machine-readable medium as in claim 27 wherein the hash comprises an secure hash algorithm 1 (“
    - SHA-1”
      
      ) hash.
  - 29. The non-transitory machine-readable medium as in claim 26 wherein subsequently checking the fingerprint comprises re-generating the fingerprint using the one or more authenticated identities and token of the second user and a current timestamp and comparing the re-generated fingerprint with the original fingerprint.
  - 30. The non-transitory machine-readable medium as in claim 26 comprising additional program code to cause the machines to perform the additional operations of:
    - storing the one or more authenticated identities, the token of the second user, and the fingerprint in a network cache;
      
      receiving a subsequent query at the network cache for the one or more authenticated identities and token of the second user;
      
      transmitting the fingerprint from the network cache to the identity service;
      
      receiving a response from the identity service indicating whether the fingerprint is still valid, wherein if the fingerprint is still valid, transmitting the one or more authenticated identities and the token stored in the network cache to the mobile device from which the subsequent query was received.
  - 31. The non-transitory machine-readable medium as in claim 30 wherein, if the fingerprint is no longer valid, then transmitting one or more authenticated identities and the token of the second user and a new fingerprint from the identity service to the network cache, the new fingerprint generated using the one or more authenticated identities and the token of the second user and a current timestamp.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Medina, Alexander A., Vyrros, Andrew H., Bleau, Darryl N., Davey, Jeffrey T., Santamaria, Justin E., Wood, Justin N., Devanneaux, Thomas
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
Doan, Huan V

Application Number

US13/224,626
Publication Number

US 20120311686A1
Time in Patent Office

1,404 Days
Field of Search

1/1, 370/352, 370/357, 370/389, 370/401, 380/273, 380/279, 379/142, 379/221, 709/203, 709/204, 709/227, 709/229, 713/156, 713/175, 726/5, 726/7, 726/10, 726/18
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/33   using certificates

H04L 2463/121   Timestamp cryptographic mec...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04W 12/068   using credential vaults, e....

H04W 12/069   using certificates or pre-s...

System and method for secure identity service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

75 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for secure identity service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

75 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links