Control of access to a secondary system

US 9,087,180 B2
Filed: 06/11/2013
Issued: 07/21/2015
Est. Priority Date: 12/21/2005
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access of a user to a secondary system, said method comprising:

a processor of a primary system sending a random string to a user system, said processor connecting the user system to the secondary system, said user being logged on the user system;

after said sending the random string to the user system, said processor receiving from the user system first authentication information comprising an encryption of the random string by a private key of a public/private key pair of the user, said encryption of the random string being a user-specific key; and

said processor storing, in the primary system, the user-specific key comprised by the received first authentication information;

said processor generating second authentication information from protected secondary authentication data stored in the primary system, said generating the second authentication information comprising applying the user-specific key to the protected secondary authentication data to generate the second authentication information; and

said processor providing the second authentication information to the secondary system to enable access of the user to the secondary system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for controlling access of a user to a secondary system. A primary system sends a random string to a user system that is connected to the secondary system. The user is logged on the user system. The primary system receives from the user system first authentication information including an encryption of the random string by a private key of the user. The primary system generates a user-specific key consisting of the encryption of the random string.

109 Citations

14 Claims

1. A method for controlling access of a user to a secondary system, said method comprising:
- a processor of a primary system sending a random string to a user system, said processor connecting the user system to the secondary system, said user being logged on the user system;
  
  after said sending the random string to the user system, said processor receiving from the user system first authentication information comprising an encryption of the random string by a private key of a public/private key pair of the user, said encryption of the random string being a user-specific key; and
  
  said processor storing, in the primary system, the user-specific key comprised by the received first authentication information;
  
  said processor generating second authentication information from protected secondary authentication data stored in the primary system, said generating the second authentication information comprising applying the user-specific key to the protected secondary authentication data to generate the second authentication information; and
  
  said processor providing the second authentication information to the secondary system to enable access of the user to the secondary system.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the method further comprises:
    - after said receiving the first authentication information, said processor determining that a decryption of the first authentication information is equal to protected primary authentication data stored in the primary system, followed by said processor providing access of the user to the primary system.
  - 3. The method of claim 1, wherein the method further comprises:
    - said processor receiving a request from the user to change protected primary authentication data stored in the primary system;
      
      said processor requesting second primary authentication information from the user;
      
      said processor transforming the second primary authentication information into second protected primary authentication data;
      
      said processor replacing the protected primary authentication data by the second protected primary authentication data;
      
      said processor generating second secondary authentication data by two-way encrypting the second authentication information by use of the second primary authentication information; and
      
      said processor replacing the second authentication data by the second secondary authentication data.
  - 4. The method of claim 1, wherein the method further comprises:
    - receiving second secondary authentication information from the user;
      
      generating second protected secondary authentication data by two-way encryption of the second secondary authentication information by use of the user-specific key; and
      
      replacing the protected secondary authentication data by the second protected secondary authentication data.
  - 5. The method of claim 1, wherein said generating the second authentication information comprises performing a decryption of the protected secondary authentication data by use of the user-specific key applied to the secondary authentication data.
  - 6. The method of claim 1, wherein said generating the second authentication information comprises performing a two way encryption of the protected secondary authentication data by use of the user-specific key applied to the secondary authentication data.
  - 7. The method of claim 1, wherein the primary system comprises an application, said application comprising a portal through which the secondary system may be accessed from the user system after access of the user to the secondary system has been enabled via said providing the second authentication information to the secondary system.

8. A computer program product comprising a computer readable storage device storing computer executable instructions that when executed by a processor of a primary system perform a method for controlling access of a user to a secondary system, said method comprising:
- said processor sending a random string to a user system, said processor connecting the user system to the secondary system, said user being logged on the user system;
  
  after said sending the random string to the user system, said processor receiving from the user system first authentication information comprising an encryption of the random string by a private key of a public/private key pair of the user, said encryption of the random string being a user-specific key;
  
  said processor storing, in the primary system, the user-specific key comprised by the received first authentication information;
  
  said processor generating second authentication information from protected secondary authentication data stored in the primary system, said generating the second authentication information comprising applying the user-specific key to the protected secondary authentication data to generate the second authentication information; and
  
  said processor providing the second authentication information to the secondary system to enable access of the user to the secondary system.
- View Dependent Claims (9, 10, 11)
- - 9. The computer program product of claim 8, wherein the method further comprises:
    - after said receiving the first authentication information, said processor determining that a decryption of the first authentication information is equal to protected primary authentication data stored in the primary system, followed by said processor providing access of the user to the primary system.
  - 10. The computer program product of claim 8, wherein the method further comprises:
    - said processor receiving a request from the user to change protected primary authentication data stored in the primary system;
      
      said processor requesting second primary authentication information from the user;
      
      said processor transforming the second primary authentication information into second protected primary authentication data;
      
      said processor replacing the protected primary authentication data by the second protected primary authentication data;
      
      said processor generating second secondary authentication data by two-way encrypting the second authentication information by use of the second primary authentication information; and
      
      said processor replacing the second authentication data by the second secondary authentication data.
  - 11. The computer program product of claim 8, wherein the method further comprises:
    - receiving second secondary authentication information from the user;
      
      generating second protected secondary authentication data by two-way encryption of the second secondary authentication information by use of the user-specific key; and
      
      replacing the protected secondary authentication data by the second protected secondary authentication data.

12. A primary system comprising a processor and a computer program product, said computer program product comprising computer executable instructions that when executed by the processor perform a method for controlling access of a user to a secondary system, said method comprising:
- said processor sending a random string to a user system, said processor connecting the user system to the secondary system, said user being logged on the user system;
  
  after said sending the random string to the user system, said processor receiving from the user system first authentication information comprising an encryption of the random string by a private key of a public/private key pair of the user, said encryption of the random string being a user-specific key;
  
  said processor storing, in the primary system, the user-specific key comprised by the received first authentication information;
  
  said processor generating second authentication information from protected secondary authentication data stored in the primary system, said generating the second authentication information comprising applying the user-specific key to the protected secondary authentication data to generate the second authentication information; and
  
  said processor providing the second authentication information to the secondary system to enable access of the user to the secondary system.
- View Dependent Claims (13, 14)
- - 13. The primary system of claim 12, wherein the method further comprises:
    - after said receiving the first authentication information, said processor determining that a decryption of the first authentication information is equal to protected primary authentication data stored in the primary system, followed by said processor providing access of the user to the primary system.
  - 14. The primary system of claim 12, wherein the method further comprises:
    - said processor receiving a request from the user to change protected primary authentication data stored in the primary system;
      
      said processor requesting second primary authentication information from the user;
      
      said processor transforming the second primary authentication information into second protected primary authentication data;
      
      said processor replacing the protected primary authentication data by the second protected primary authentication data;
      
      said processor generating second secondary authentication data by two-way encrypting the second authentication information by use of the second primary authentication information; and
      
      said processor replacing the second authentication data by the second secondary authentication data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Feil, Stephan
Primary Examiner(s)
SIMITOSKI, MICHAEL J

Application Number

US13/914,761
Publication Number

US 20130275764A1
Time in Patent Office

770 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/30   Authentication, i.e. establ...

G06F 21/41   where a single sign-on prov...

H04L 63/0428   wherein the data content is...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0815   providing single-sign-on or...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/3271   using challenge-response

Control of access to a secondary system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

109 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Control of access to a secondary system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links